Oh, By the way: The Palm Pre phones home with your location [Updated]


This is going to end well, and no one will be upset about this. Also, everything I said in that last sentence is probably wrong.

When Debian developer Joey Hess started tinkering with webOS, he noticed that it was sending something to Palm once a day. Surely, Palm wasn’t sending anything too potentially incriminating without making it blatantly obvious to the user, right? Wrong.

Joey tore apart the data the Pre was transmitting, and there it was, smack dab at the top of the page:

{ “errorCode”: 0, “timestamp”: 1249855555954.000000, “latitude”: 36.594108, “longitude”: -82.183260, “horizAccuracy”: 2523, “heading”: 0, “velocity”: 0, “altitude”: 0, “vertAccuracy”: 0 }

That was Joey’s position at the time the data was sent, accurate to the same degree that the Google Maps application was.

Also included was a list of every application Joey used, along with how long they were used for (as measured by “launch” and “close” parameters), along with crashlogs. Last but very much not least, it also sent a manifest file of all applications installed on the phone – including third-party applications not authorized by Palm. All of this data is sent to ps.palmws.com.

For some crazy reason, people don’t really like having this sort of information sent back to the mothership without their explicit consent. Palm knows this, of course, and has their bases covered in their privacy policy:

Location Based Services. When you use location based services, we will collect, transmit, maintain, process, and use your location and usage data (including both real time geographic information and information that can be used to approximate location) in order to provide location based and related services, and to enhance your device experience.

The latter part of that sentence, “in order to provide location based and related services”, makes perfect sense – you open Google Maps, and it needs to find your location. Sure. Then they tack “enhance your device experience” onto the end, essentially giving them full reign to send your data wherever the hell they want as long as it potentially makes the experience better.

Of course, Palm’s privacy policy could say that they have the right to punch you in the face and light your shoes on fire, and no one would notice. Even the most anal of gadget users don’t tear through EULAs and privacy policies before booting up their device. When it comes to location tracking and device activity, you must alert the user and specifically request permission. If you don’t, you are spying, plain and simple. Regardless of what Palm is doing with this data, the user needs to be completely aware that it is being sent.

Furthermore, why would Palm need this data? It’s not for marketing reasons; you know where I bought my phone. It’s not for technical reasons on the carrier’s end, such as network load balancing – the towers are already fully aware of who’s in each cell.

Palm, your privacy policy opens by stating “Our goal is to help you make informed decisions about the personal information you share with us.” If thats the case, you’re doing a pretty terrible job.

You can see a full list of what is being transmitted here.


Palm has since issued a statement on the matter:

Palm takes privacy very seriously, and offers users ways to turn data collecting services on and off. Our privacy policy is like many policies in the industry and includes very detailed language about potential scenarios in which we might use a customer’s information, all toward a goal of offering a great user experience. For instance, when location based services are used, we collect their information to give them relevant local results in Google Maps. We appreciate the trust that users give us with their information, and have no intention to violate that trust.

We’re not sure what method of toggling data collection they’re talking about, unless we’re missing something tucked deep away. In the end, however, they still fall back on their privacy policy.

[Via IntoMobile]