FYI: The Pre Reports Your Location to Palm | webOS Nation

FYI: The Pre Reports Your Location to Palm

by Dieter Bohn Thu, 13 Aug 2009 12:17 pm EDT

Joey Hess has taken a closer look at the code inside webOS that reports information back to Palm and found some details on what the Pre is sending back to headquarters.  Specifically, it appears that the Pre uploads (at least) the following information to Palm on a daily basis:

  • Location
  • Which apps you've used and for how long
  • App crash logs
  • Installed apps

It's obviously the "location" part here that's troubling.  As Hess points out, Palm's Terms and Conditions and Privacy Policy are sufficiently broad to give them permission to collect this information.  In fact, our own Derek Kessler wrote up a post some time ago (which we were holding because, well, we're not lawyers) which explained that when you agree to Palm's terms, you grant them the right to collect this information.

It's complicated and we don't want to stir up unwarranted panic here. So follow us after the break to find out just what Palm's policy on all this is -- including what rights they have (and don't have) to share this information.

We're indebted to our friend Matthew Miller over at ZDNet for finding the  Terms and Conditions, which should also be read in conjunction with Palm's Privacy Policy. Here's the relevant paragraph from the Terms and Conditions:

You agree that Palm and its subsidiaries, affiliates, partners, suppliers, and agents (collectively, Affiliates) may collect, store, access, disclose, transmit, process, and otherwise use your Registration Data, account or Device information, content, and technical data for Palm and its Affiliates to provide you with the Services, address your requests, provide technical support, process any transactions for your account, and otherwise in accordance with Palm's privacy policy. Palm may also provide or enable certain Services through your Device that rely upon location information. In order to provide such Services, Palm and its Affiliates may collect, store, access, disclose, transmit, process, and otherwise use your location data (including real time geographic information) in accordance with Palm's privacy policy. You also agree that Palm has the right, without liability to you, to disclose any information, including but not limited to your Registration Data and other information, to law enforcement authorities or government officials, to the extent Palm believes is reasonably necessary or appropriate.

As we said, this sharing issue is complicated, as Palm needs to be able to  gather information just to make Synergy work, and they need share information with entities that to us look just like Palm but in corporate terms may not be (i.e. Palm Europe). Back when Derek was working on the original story, we requested comment from Palm and spoke with Palm representatives -- who definitely eased what felt like rising panic on the issue. Palm contends that their Terms and Privacy Policy are in line with industry standards, here's their official statement:

Our goal has been to follow industry best practices on data collection, use, and encryption.  Like most EULAs and privacy policies, though, the terms tend to get pretty detailed about potential scenarios. And because the terms are meant to notify users about all possible variations, we wanted to err on the side of over notifying rather than under notifying users through the terms of use.  So there’s really nothing here “beyond the norm” for a EULA or privacy policy.

The provision you’ve quoted explains why Palm might collect user information. For example, we collect and transmit users’ email addresses, email content, contact lists, etc. to provide WebOS services such as back-up and restore for the purpose of backing up that data and helping users restore the data if needed (in that case, it would not be limited to just the email address collected at registration). If users someday make purchases on their device through the Apps Catalog, then we would also collect payment information to process the transaction.

At all times, we’d be strictly bound by our privacy policy.  Our privacy policy, like virtually all others in the industry, contemplate our using data to provide services users have requested, improve our products and services (hence the reference to Palm’s own “sales and marketing” in the privacy policy), troubleshoot, etc.  We also refer to affiliates because Palm is a global company, and we may need to transmit data from our European subsidiary to the parent company.  We’re obviously not a conglomerate with many different subs and affiliates, but the terms specifically mention subs and affiliates so that we can comply with European data protection laws that require us to spell out that data collected by a European sub can be transmitted to another part of the company.

So the story on the Terms is that they must be read in conjunction with Palm's Privacy Policy, which states that they may share information as follows:

  • To Palm affiliates and subsidiaries to support business operations and sales, marketing, and customer support processes;
  • To third party service providers and suppliers acting on our behalf to provide products or services to you; and
  • To other third parties for purposes you have allowed.

...In other words, although the language seems a little flexible (and again we are not lawyers!), Palm's policy states that they'll only share information with third parties who are "acting on [their] behalf."  Presumably that means that the information is only being shared with entities that you would consider to be "Palm" anyway. Sharing with other third parties requires your consent ("purposes you have allowed"). Information sharing crisis averted.

Still and all, if you don't like the idea of a computer at Palm HQ knowing where you are, you might consider turning location services off.  If you want to prevent your Pre from uploading information to Palm at all (which may break some of the Pre's functionality, FYI), Hess explains how here - Linux access required.

via Slashdot and webOS France- thanks to Tousensemble for the tip, to Palm for the context, and to Derek for working on our original, unpublished post.

Update: We have a 2nd statement from Palm on the issue to further calm the waters:

"Palm takes privacy very seriously, and offers users ways to turn data collecting services on and off. Our privacy policy is like many policies in the industry and includes very detailed language about potential scenarios in which we might use a customer's information, all toward a goal of offering a great user experience. For instance, when location based services are used, we collect their information to give them relevant local results in Google Maps. We appreciate the trust that users give us with their information, and have no intention to violate that trust."