Slashdot

Let's see if you can find the trick in Palm's privacy policy:

The operating word is Some examples: legally, they don't say that the list is exhaustive and that they don't collect information any other way. So the long list of nice looking collection is just a decoy!

--
FairSoftware.net [fairsoftware.net] -- iPhone dev jobs for geeks by geeks

Ok, add them to the list.
Actually it's getting hard to keep track. Should we start a wiki?

I read the privacy policy [palm.com] and it doesn't really seem like it's built to cover this kind of snooping.

And then there's this:

So is there a website or a setting on the Pre to disable this thing. TFA seems to say there isn't.

I mean, there's utility in understanding how people are using your device. But not letting your users know you're uploading daily usage stats and not giving them a way to turn it off?

Truly Uncool.

OK, I can see sending what applications are installed and what crashes have occurred given the user's explicit permission - I allow my Ubuntu boxes to participate in the "popularity contest" wherein what apps I install are (anonymously) logged, and I will frequently send crash reports to help get the cause of the crash fixed.

In both of those cases *I* decide if it happens, and I was informed of the data being uploaded.

But automatically reporting my GPS locations - HELL NO!!!

Yes, the Pre is a phone - as such it MUST, BY LAW be able to report its location to 911 (here in the US, natch). My phone (which is NOT a Pre) has been configured to turn GPS off for anything OTHER than E911. If I found out that it was NOT abiding by that selection - that it was sending position data to anyone other than E911 - then not only would I be terminating my cell contract, I would be filing suit against the makers of the phone AND the cell carrier.

Again, I can see why Palm would want apps installed and crash data - but WHAT DAMN BUSINESS is it of theirs to know position?!?!

Woops, looks like /. is hammering the server. Here's a copy of the text (as of now):

I've been taking a closer look at the WebOS side of my Palm Pre tonight, and I noticed that it periodically uploads information to Palm, Inc.

The first thing sent is intended to be my GPS location. It's the same location I get if I open the map app on the Pre. Not very accurate in this case, but I've seen it be accurate enough to find my house before.

{ "errorCode": 0, "timestamp": 1249855555954.000000, "latitude": 36.594108, "longitude": -82.183260, "horizAccuracy": 2523, "heading": 0, "velocity": 0, "altitude": 0, "vertAccuracy": 0 }

Here they can tell every WebOS app I use, and for how long.

{ "appid": "com.palm.app.phone", "event": "close", "timestamp": 1250006362 }
{ "appid": "com.palm.app.messaging", "event": "launch", "timestamp": 1250006422 }
{ "appid": "com.palm.app.messaging", "event": "close", "timestamp": 1250006446 }

It sends the above info on a daily basis.

2009-08-10t09:15:10z upload /var/context/pending/1249895710-contextfile.gz.contextlog ok rdx-30681971
2009-08-11t09:15:10z upload /var/context/pending/1249982110-contextfile.gz.contextlog ok rdx-31306808

There is also some info that is recorded when a WebOS app crashes. Now, I've seen WebOS crash hard a time or two, but it turns out apps are crashing fairly frequently behind the scenes, and each such crash is logged and a system state snapshot taken. At least some of these are uploaded, though if things are crashing a whole lot it will be throttled.

2009-08-09T17:01:22Z upload /var/log/rdxd/pending/rdxd_log_59.tgz OK RDX-30246857
2009-08-09T17:05:36Z upload /var/log/rdxd/pending/rdxd_log_26.tgz OK RDX-30249465
2009-08-09T17:09:11Z upload /var/log/rdxd/pending/rdxd_log_56.tgz OK RDX-30252374
2009-08-09T17:11:46Z upload /var/log/rdxd/pending/rdxd_log_70.tgz OK RDX-30253958
2009-08-09T17:16:29Z upload /var/log/rdxd/pending/rdxd_log_67.tgz ERR_UPLOAD_THROTTLED_DAILY
2009-08-09T17:17:28Z upload /var/log/rdxd/pending/rdxd_log_51.tgz ERR_UPLOAD_THROTTLED_DAILY
2009-08-09T17:20:40Z upload /var/log/rdxd/pending/rdxd_log_21.tgz ERR_UPLOAD_THROTTLED_DAILY

Each tarball contains a kernel dmesg, syslog, a manifest.txt listing all installed ipkg packages (including third-party apps), a backtrace of the crash, a df (from which they can tell I'm using Debian on the phone), and ps -f output listing all processes owned by root (but not by joey).

The uploading is handled by uploadd, which reads /etc/uploadd.conf:

[SERVER=rdx]
RepositoryURL=https:///palmcsext/prefRequest?prefkey=APPLICATIONS,RDX_SRV
UploadURL=https:///palmcsext/RDFileReceiver

[SERVER=context]
RepositoryURL=https:///palmcsext/prefRequest?prefkey=APPLICATIONS,RDX_SRV
UploadURL=https:////palmcsext/RDFileReceiver

The "HOST" this is sent to via https is ps.palmws.com.

My approach to disable this, which may not stick across WebOS upgrades, was to comment out the 'exec' line in /etc/event.d/uploadd and reboot. However, then I noticed a contextupload process running. This is started by dbus, so the best way to disable it seems to be: rm /usr/bin/contextupload

BTW, since Palm has lawyers, they have a privacy policy, which covers their ass fairly well regarding all this, without going into details or making clear that the above data is being uploaded.

http://www.precentral.net/fyi-pre-reports-your-location-palm [precentral.net]

When PreCentral's people asked Palm about this, their official statement to them in part was:

        Our goal has been to follow industry best practices on data collection, use, and encryption. Like most EULAs and privacy policies, though, the terms tend to get pretty detailed about potential scenarios. And because the terms are meant to notify users about all possible variations, we wanted to err on the side of over notifying rather than under notifying users through the terms of use. So there's really nothing here "beyond the norm" for a EULA or privacy policy.

        The provision you've quoted explains why Palm might collect user information. For example, we collect and transmit users' email addresses, email content, contact lists, etc. to provide WebOS services such as back-up and restore for the purpose of backing up that data and helping users restore the data if needed (in that case, it would not be limited to just the email address collected at registration). If users someday make purchases on their device through the Apps Catalog, then we would also collect payment information to process the transaction.

        At all times, we'd be strictly bound by our privacy policy. Our privacy policy, like virtually all others in the industry, contemplate our using data to provide services users have requested, improve our products and services (hence the reference to Palm's own "sales and marketing" in the privacy policy), troubleshoot, etc. We also refer to affiliates because Palm is a global company, and we may need to transmit data from our European subsidiary to the parent company. We're obviously not a conglomerate with many different subs and affiliates, but the terms specifically mention subs and affiliates so that we can comply with European data protection laws that require us to spell out that data collected by a European sub can be transmitted to another part of the company.