I'm pretty sure most of you are already aware that you can be tracked through your PDA (for those who don't, start by disabling GPS functionality or – horrors! – turn the device off). But what other methods are companies using to track you; and while we're at it, how many of them are doing so? The answer might surprise you. The Wall Street Journal did some testing on iPhone and Android devices (Blackberrys weren't included). According to the WSJ, roughly half of the apps sent differing degrees of personal information to 'someone' without the user's consent.
First of all, this is supposed to be a violation of most privacy policies, but in many cases, the policy either doesn't exist or isn't enforced if it does exist. Second, although many of the culprits insist that they only compile general information, that explanation doesn't hold water. PDAs have unique identifiers (aka UDID, PIN, etc.) that cannot be masked. The article likens them to a "supercookie", but they remind me of the days of static IP numbers (for you non-techies, I usually describe an IP number as being similar to a telephone number in which the sequence can be used to pinpoint someone's specific location in the way one would use an area code and a prefix).
Why is this such a big deal? Because I can mask my IP number by placing it behind a firewall (for you non-techies, a firewall is…oh, just look it up…) but I can't do so with the identifier. Once someone has that identifier, it wouldn't take them too long to scour the Internet to retrieve your personal information and build a profile of your specific habits.
Do you see the implications? This goes far beyond advertisers. This is bad enough on a personal-exposure level, but then add the corporate dynamic. Suppose Bob Smith, CEO of a publicly-traded concern, has been identified by a 3rd-party and is being tracked. And suppose Mr. Smith is shown to be visiting the location of a competitor on three occasions. What's Bob doing?
- Interviewing for a new job?
- Discussing a merger, buyout or acquisition?
- Divulging corporate secrets?
You get the idea. Paranoid? You bet! A true disaster-recovery and/or security specialist deals in the realm of the possible, not just the probable. Possibility is the primary risk; probability is the degree of risk (does that make sense?).
To put it another way, probability assists a client in making an informed decision about which risks they wish to defend against (or which risks may be accounted for in the budget) after all possible risks have been identified and scaled.
How many corporations, do you think, account for these risks? Start by asking how many of them have developed a policy that prevents the keeper of a corporate PDA from installing apps without some sort of controls in place.