Apple praised for plan to undermine extensive system that secretly tracks customers

As the political push to curb digital spying remains mired in debate, those who produce the technological wonders of our age are fixing on a more direct response: If you can’t legislate privacy, build it in.

It is against this backdrop that many in the technological community are applauding the decision by Apple to tweak how the iPhone searches for WiFi connections. Through a relatively simple software update, the company plans to undermine a widely deployed system that stores such as Nordstrom have used to track the movements of customers to analyze shopping habits.

Tracking shoppers is not the same as tracking terrorism suspects, but software developers increasingly appreciate that all digital surveillance relies on access to data created whenever humans and computers interact. That has prompted a widespread rethinking of how computer systems are designed, with the goal of making data much harder for outsiders to vacuum up, be they intelligence services or the local mall.

In the aftermath of Edward Snowden’s revelations about government surveillance, efforts began to extend encryption, repair long-standing security flaws in software and limit the amount of information that apps and Web sites “leak” — meaning inadvertently expose to unauthorized collection. Other developers began looking to build entirely new communications systems that are decentralized, making them inherently resistant to mass surveillance.

“The solutions here are going to be technical,” said Christopher Soghoian, principal technologist for the American Civil Liberties Union. “The biggest and most enduring impact of Snowden is going to be the way the engineering community adjusts.”

Apple, which declined to comment on its new WiFi system, plans to have iPhones and iPads send out random identification codes when they look for WiFi signals, according to information sent to app developers.

Once this change takes effect, probably in September, it will defeat systems that rely on a single, distinctive WiFi code to track shoppers by their iPhones, monitoring where they move in a store and when they return. The goal typically is to deliver coupons and collect data on shopping behavior. Other smartphones, including those using the popular Android operating system, will still be trackable through their WiFi signals.

Nordstrom once used such a system but stopped after public outcry. Euclid, one of several analytics companies that provide such services, does not name its customers but claims they include major retailers selling clothing, auto parts and housewares.

Sen. Al Franken (D-Minn.), who has proposed legislation banning such tracking except when customers explicitly choose to participate, said in a statement, “Companies are tracking your movements when you go shopping without your knowledge — and often when you don’t even enter a store. Apple’s decision to protect their users against this form of tracking is a smart and powerful move for privacy.”

Apple does have its own system for delivering location-based advertising to customers, called iBeacon, but it requires that users opt in by opening a store’s app on their smartphones. Services based on WiFi codes, by contrast, can operate without consent or the knowledge of customers, even when they are not using their phones. There are other technologies capable of tracking customers as well, though perhaps none is as simple and inexpensive for stores to use, experts say.

Privacy groups long have pushed for changes to WiFi technology to make location tracking more difficult. They also have pushed for end-to-end encryption of e-mail, social media postings and video chat, and for tech companies and judges to treat surveillance requests from investigators more skeptically.

These wishes and others have been fulfilled in the post-Snowden era of enhanced privacy concern, even as the political debate over curbing National Security Agency spying has bogged down in Washington.

Many privacy advocates have come to believe that even if the United States enacts new legal curbs, it would not be enough to restore user privacy in an era when the Chinese, Russian and Israeli intelligence services — not to mention countless criminal hackers — have powerful spying tools.

Such thinking has fueled a push by the volunteers who run Jabber, a popular instant-messaging technology, to institute new rules — long debated but never implemented — requiring that all users connect over encrypted links. That change took effect last month, after what amounted to a manifesto signed by more than 70 developers and operators of Jabber servers.

“We had been talking about this for years, but we needed a kick in the pants,” said Peter Saint-Andre, who operates Jabber.org, a popular server.

A similar effort is underway to improve a popular form of encryption, TLS/SSL, that dates to the 1990s and has known weaknesses. A working group of cryptologists is searching for a way to harden the technology while adding new features, such as the ability to hide what Web site users are visiting.

“People are taking seriously the need for encryption, even of data that seem innocuous, because of the ways it can be used,” said Watson Ladd, a graduate student at the University of California at Berkeley who joined the group working to improve SSL after the Snowden revelations.

In many cases, action has come from companies, such as Google, Facebook, Yahoo, Microsoft and Apple, that more often had been targets of criticism by privacy advocates because of how they collect and handle personal information.

Yet those companies, all of which have struggled to protect their reputations amid backlash over the Snowden revelations, have the capabilities and increasingly the motive to make changes to protect consumers from government spying. They all announced major new encryption initiatives last year in the hope of reassuring users that their data was secure.

Privacy advocates have noted, however, that although these companies are making it harder for hackers and intelligence services to gain access to user information, they all still collect massive amounts themselves.

“Apple hasn’t been limiting the information that Apple can see and that Apple can gather,” said Seth Schoen, a senior staff technologist for the Electronic Frontier Foundation, a civil liberties group in San Francisco. “They’ve been limiting what third parties can see.”

Hayley Tsukayama contributed to this report.

Craig Timberg is a national technology reporter for The Post.