Apple Lays Out Location Collection Policies

Responding to questions from U.S. lawmakers about what kind of location data it collects, Apple said it gathers location information from some users every 12 hours.

In a 13-page reply to questions posed by Representative Ed Markey from Massachusetts and Congressman Joe Barton from Texas, Apple said it collects GPS data daily from iPhones running OS 3.2 or iOS 4. The phones collect the GPS data and encrypt it before sending it back to Apple every 12 hours via Wi-Fi. Attached to the GPS data is a random identification number generated by the phone every 24 hours. The information is not associated with a particular customer, Apple said.

Apple uses the data to analyze traffic patterns and density, it said. Apple collects such data from customers who have approved the use of location-based capabilities on the phone and who actually use an application that requires GPS.

Apple similarly collects information about nearby cell towers and Wi-Fi networks. In older versions of the iPhone, Apple relies on databases maintained by Google and Skyhook Wireless to provide location-based services, it said. But starting with OS 3.2, Apple began using its own database.

The congressmen sent the questions to Apple after the L.A. Times noticed new language in Apple’s general privacy policy about location information. However, it turned out that the language had already been included in terms-of-use documents for specific Apple products.

Markey seemed more pleased with Apple’s response than Barton. “Consumer consent is the key to assessing the adequacy of privacy protections, and Apple’s responses provide examples of how consumers can grant or withhold consent in their usage of Apple products,” he said in a statement.

Barton wasn’t so positive. “While I applaud Apple for responding to our questions, I remain concerned about privacy policies that run on for pages and pages,” he said in a statement.

If users have enabled location-based capabilities and use an application that requires location information, their phones “intermittently and anonymously” collect cell tower and Wi-Fi network information, sending it back to Apple coupled with GPS coordinates, Apple said. That data is batched, encrypted and sent to Apple over Wi-Fi every 12 hours.

Apple also collects diagnostic information from randomly selected iPhones. It asks for consent first. If a user approves, Apple may collect information like the location of the phone at the beginning and the end of a call, to see if dropped calls happen often in a particular spot, for example, it said.

Most of the information in Apple’s response to the senators is “context,” rather than direct response to their questions. Asked whether it shares data collected from iPhones or iPads with AT&T or other telecom carriers, Apple simply said “no.”

It didn’t give a firm answer to a question about how many consumers it collects information from. In response to that question, Apple refers the senators to the answer to another question, where it stated generally that it collects information from people who have enabled location-based capabilities, from people who approve the sending of diagnostic information and from those who agree to receive iAds.

The senators also asked if Apple believes its policies are consistent with the intent of Section 222 of the Telecommunications Act, which requires operators to get authorization before accessing users’ wireless location information.

Apple replied that while it believes its policies are consistent with Section 222, it isn’t a telecommunications operator so it is not subject to the rules.

Not only does Section 222 specifically apply to operators, in terms of location information it only applies to the location of someone making a call from a mobile or VoIP service, said Kevin Bankston, senior staff attorney at the Electronic Frontier Foundation.

It’s not clear why the lawmakers asked Apple about Section 222. Bankston is not aware of any potential controversy over specifically what kinds of companies the rules apply to.