Last week I gave a presentation at PII 2010 in Seattle where I tried to summarize what I had learned from my recent work on WiFi location services and identity. During the question period an audience member asked me to return to the slide where I recounted how I had first encountered Apple’s new location tracking policy:
My questioner was clearly a bit irritated with me, Didn’t I realize that the “unique device identifier” was just a GUID – a purely random number? It wasn’t a MAC address. It was not personally identifying.
The question really perplexed me, since I had just shown a slide demonstrating how if you go to this well-known web site (for example) and enter a location you find out who lives there (I used myself as an example, and by the way, “whitepages” releases this information even though I have had an unlisted number…).
I pointed out the obvious: if Apple releases your location and a GUID to a third party on multiple occasions, one location will soon stand out as being your residence… Then presto, if the third pary looks up the address in a “Reverse Address” search engine, the “random” GUID identifies you personally forever more. The notion that location information tied to random identifiers is not personally identifiable information is total hogwash.
My questioner then asked, “Is your problem that Apple’s privacy policy is so clear? Do you prefer companies who don’t publish a privacy policy at all, but rather just take your information without telling you?” A chorus of groans seemed to answer his question to everyone’s satisfaction. But I personally found the question thought provoking. I assume corporations publish privacy policies – even those as duplicitous as Apple’s – because they have to. I need to learn more about why.
[Meanwhile, if you’re wondering how I could possibly post my own residential address on my blog, it turns out I’ve moved and it is no longer my address. Beyond that, the initial “A” in the listing above has nothing to do with my real name – it’s just a mechanism I use to track who has given out my personal information.]
