Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Pandora App Sends Private Data To Advertisers

CmdrTaco posted more than 3 years ago | from the of-course-it-does dept.

Privacy 198

Trailrunner7 writes "An analysis of the popular free mobile application from online music service Pandora.com that is the subject of a grand jury investigation into loose data privacy practices in the mobile application market confirms that the application silently sends reams of sensitive data to advertisers. The analysis was conducted by application security firm Veracode and found that Pandora's free mobile application for Android phones tracked and submitted a range of data, including the user's gender, geographic location and the unique ID of their phone, according to an entry on Veracode's blog."

cancel ×

198 comments

Sorry! There are no comments related to the filter you selected.

As I said last time (5, Informative)

Anonymous Coward | more than 3 years ago | (#35743498)

As I said last time [slashdot.org] , "I stopped using their app when it wanted access to the system logs. This includes all notifications of pretty much everything going on on your phone. It might help them debug the app, it might help them with advertisers. Who knows. I just knew their app wasn't worth it."

This is potentially a much more massive problem than we have been told.

Re:As I said last time (0, Offtopic)

Anonymous Coward | more than 3 years ago | (#35743992)

thank god you said that, and then repeated it again today.
 
what would we do without you!?

Re:As I said last time (2)

Creepy (93888) | more than 3 years ago | (#35744232)

I stopped at the user agreement, which had something like "address book access"... - why the @*%& does a music app need access to my address book? And the conclusion I came to was "so it can steal all of the email addys in there and sell them to spammers." This is hardly the first app I've nixed for wanting way more access than I was willing to give it.

Re:As I said last time (5, Insightful)

Gutboy (587531) | more than 3 years ago | (#35744296)

Google needs to allow you to authorize specific permissions for apps, not their current 'all or nothing' system. This way you could say "Yes, you can have my position because I believe a GPS mapping system needs that, but no you can't have my address book, since a GPS system doesn't need that". Sure it would screw advertisers over, but I don't care about them. Not everything in the world needs to have advertising on it.

Re:As I said last time (2)

DrXtreme (1210624) | more than 3 years ago | (#35744630)

This (and battery being dead in ~4hrs) is why my new Droid is going Bye Bye today and my iPhone is going back online...I should have known better than to even try that mess...It has great potential but I felt like I was using an even more evil version of win-blows....

Re:As I said last time (3, Insightful)

Belial6 (794905) | more than 3 years ago | (#35744786)

Every time this comes up, the Android folks say that they uninstalled Pandora when they tried to get assess to our personal data. No one talks about the data stealing on iPhones. Is that because we know they are not doing it on iPhone, or because the iPhone doesn't warn the user that the app is stealing their data.

Re:As I said last time (1)

Dishevel (1105119) | more than 3 years ago | (#35744778)

No.
You need to decide if you want the app with the permissions it asks for or not.
If you get a free app the app maker is free to attempt to make money. You are free to decide if you want that deal or not.
What you are not free to do is to say "But I really really want it! Give it to me my way!"

Man up. Take control of your own wants and needs and stop passing off your responsibilities onto others.

There are a shit ton of apps out there that I want. Some of them ask for things I do not want to give. Some ask for more money than I think it is worth.
That is where I have to make decisions. I do not get to log onto newegg and tell them they need to implement a system during checkout that lets me have the stuff but just decide to pay less because I do not want to pay that much for the item.

That would be stupid beyond belief.

What you are suggesting is the same exact thing. It is also just as stupid.

Re:As I said last time (1)

Anonymous Coward | more than 3 years ago | (#35744542)

They need address book access for a feature that allows you to share a station; the access is so the app can get your contacts' email when *you* initiate a request to email something. Pandora doesn't go through your contacts and does not harvest data from there.

Re:As I said last time (0)

Anonymous Coward | more than 3 years ago | (#35744302)

A friend recommended this. I tried it on my desktop. It insisted it needed to store cookies to flash. I tuned and ran like Sir Arthur from The Rabbit of Caerbannog.

Re:As I said last time (1)

gothzilla (676407) | more than 3 years ago | (#35744712)

I went to check this out and found that their privacy policy said all this could be controlled through my privacy settings. It took a bit to find them, but when I did find the link (http://www.pandora.com/privacysettings) It said:

Server Error

We're sorry, there has been an unexpected error with our server.

Please try again, or visit the Pandora Home Page

Shut up and take my infos! (1, Troll)

dleemaas (2035220) | more than 3 years ago | (#35743536)

Pandora can have the SSNs of everyone I know if they'll just keep providing their free musical goodness.

Wait a minute... (5, Insightful)

Nidi62 (1525137) | more than 3 years ago | (#35743554)

So, you mean all those ads at the bottom of the Pandora app that were specific to my home town wasn't just a random coincidence? How is it taking these things "silently" when it tells you exactly what you are giving it access too? Obviously, knowing where you live has no bearing on the type of music it's going to play. What else did people think this was going to be used for?

Re:Wait a minute... (1)

Anonymous Coward | more than 3 years ago | (#35743626)

Silent == Did not read. Welcome to the Internet. Don't mind the kids; they're all addicted.

That's Odd (1)

pavon (30274) | more than 3 years ago | (#35744162)

The only ads I ever got on Pandora before paying were those "cheap vacations for students" ads over and over and over again. Nothing localized/individualized at all.

Re:That's Odd (1)

Creepy (93888) | more than 3 years ago | (#35744522)

On android I believe it asked for GPS access, which is another reason I didn't install it (and I only made it through the top maybe 10 entries of access rights it wanted before I said no-way, no-how is this going on my phone). Since mobile phones aren't tied to location like land lines, it is more reliable to use GPS location than area code. Anyhow, if you didn't have a GPS or if your GPS was turned off it may have defaulted back to generic ads.

Re:That's Odd (2)

tophermeyer (1573841) | more than 3 years ago | (#35744646)

Anyhow, if you didn't have a GPS or if your GPS was turned off it may have defaulted back to generic ads.

Yes.

When I have GPS off I get generic ads. When I have it on I get location specific ads. This is really amusing for me because the only time I let GPS run is when I'm driving and need Navigation, so while the ads might be localized they are most definitely not relevant.

Just waiting for (0)

Anonymous Coward | more than 3 years ago | (#35743580)

Serial rapist/killer used silent Android monitoring system to track and catch victims in locations when they where alone, outdoors and had nowhere to go.

Re:Just waiting for (1)

delinear (991444) | more than 3 years ago | (#35743784)

Because that's much more plausable than just following someone, or waiting in a secldued area for someone to wander by.

what do you expect for free? (4, Insightful)

alen (225700) | more than 3 years ago | (#35743596)

seriously, what do you expect from a free app that streams licensed music that they had to pay for? a bunch of ads no one clicks on?

this is how google makes money, metrics. everyone is doing it as well.

Re:what do you expect for free? (1, Insightful)

Anonymous Coward | more than 3 years ago | (#35743722)

In other news, it's only bad (or "evil") when Google does it.

Re:what do you expect for free? (1)

Machtyn (759119) | more than 3 years ago | (#35743864)

Even though those ads might be targeted towards my general location, it is still a bunch of ads I don't click on. Seriously, the phone turns off its display, I listen to the music, I don't watch the phone. I don't even mind the advertising that comes on between music, because it's not that often and I realize they have to pay for their service somehow.

It is getting a little annoying though. I thought I would be safe from those highly annoying Kia radio spots while listening to streaming music. I found out I was sadly mistaken the other day. (/me avoids ranting on Kia - never owned one, never will.)

Re:what do you expect for free? (1)

Snaller (147050) | more than 3 years ago | (#35744222)

That there are a lot of amoral criminals doesn't mean it isn't wrong.

Re:what do you expect for free? (2)

BradleyUffner (103496) | more than 3 years ago | (#35744372)

seriously, what do you expect from a free app that streams licensed music that they had to pay for? a bunch of ads no one clicks on?

this is how google makes money, metrics. everyone is doing it as well.

I expect it to act the same as the Free PC version on the Web. Advertising is fine. you DO NOT need access to my system logs, contact list, GPS position. Your website got along just fine without that data, so can your android app. I also expect that since I paid for a Pandora subscription on the PC that I should have access to an android version without advertising.

What about iOS version? (1, Troll)

chiph (523845) | more than 3 years ago | (#35743604)

Wondering if I should uninstall their app from my iPhone.

Re:What about iOS version? (2, Insightful)

Anonymous Coward | more than 3 years ago | (#35743718)

You should also uninstall the internet, because almost all ads use targeting. This story is pointless.

Re:What about iOS version? (1)

houstonbofh (602064) | more than 3 years ago | (#35744010)

You should also uninstall the internet, because almost all ads use targeting. This story is pointless.

Yes, but Google does not know my gender, or everyplace I go all day. Smart phones are nice, but things like this could actually kill the market. For the most part, they are still an emotional impulse buy. If that emotion becomes fear and disgust for too many people...

Re:What about iOS version? (4, Informative)

DanTheManMS (1039636) | more than 3 years ago | (#35744308)

The iOS version of Pandora uses an ad framework called "Medialets" or at least it did as of an update in January 2010. Medialets is known to track exactly this kind of data (phone ID, physical location, etc). When I made a comment on their blog at the time, their response was essentially "Everyone else is doing it so it's okay."

Personally I'm jailbroken and installed the PrivaCy addon, so I *think* I'm being at least somewhat less tracked. Who knows for sure, though?

Re:What about iOS version? (0)

Anonymous Coward | more than 3 years ago | (#35744416)

PrivaCy, huh? Sounds like something I should have been using already.

And doesn't Pandora ask for permission with a little notification anyway? One that actually tells you exactly what it wants? All the other apps I've ever used that wanted private data from my iPhone did.

He's listening to Steve Miller (1)

chemicaldave (1776600) | more than 3 years ago | (#35743612)

Now he's listening to Nirvana...now he's listenning to David Bowie...now he's listening to Twisted Sist- oh wait he skipped that one.

Re:He's listening to Steve Miller (1)

tophermeyer (1573841) | more than 3 years ago | (#35744680)

I think I finally beat the Pandora algorithms when I started getting Elton John and Kid Rock on the same station.

Live in Application (4, Insightful)

ObsessiveMathsFreak (773371) | more than 3 years ago | (#35743614)

The big problem here is that whenever you install any application, you're technically giving the designers virtually free reign to do whatever they like with your system/PC/phone/whatever.

Once permitted in, most commercial applications barge into your PC, rewrite whatever files they please, alter configuration settings, gobble up memory, install themselves as startup applications and often install an entire suite of unwanted applications and advertisements you didn't even ask for. Then they plonk themselves down in your living room, feet on the sofa, and begin to shout at you, along with all the dozens of other loudmouth applications you've invited in.

Re:Live in Application (2)

Haedrian (1676506) | more than 3 years ago | (#35743806)

Android has a list of 'permissions' which you must give an application access to before it can use them. Unfortuantly its an 'all or nothing', sort of thing, so you either accept them all and install it, or deny them all and don't install it.

It does not give the designers 'free reign' to whatever they want. So if you accepted that an app gets access to logs, to your location, to your phone ID, then its your fault and you only have yourself to blame. Granted, its a legit app, if it was a virus that's different.

Re:Live in Application (1)

Sloppy (14984) | more than 3 years ago | (#35744524)

It sounds like what Android needs, is an Android emulator. Let apps access everything they want to, but how reliable is the information that it'll get them?

If Pandora really wants to know that I happen to spend 183 days a year at the south pole and then sudden travel north at 18000MPH on the first day of autumn, and that my best friend's email address is abuse@spamhouse.org, I say let them know these things.

Re:Live in Application (2)

houstonbofh (602064) | more than 3 years ago | (#35744022)

And people ask why I still have a dumb phone...

Re:Live in Application (0)

Anonymous Coward | more than 3 years ago | (#35744160)

Because you're dumb?

Re:Live in Application (0)

Anonymous Coward | more than 3 years ago | (#35744076)

Google's business model leads to making computing as annoying as television.

You don't have a Mac (0)

Anonymous Coward | more than 3 years ago | (#35744198)

You obviously don't have a Mac

Re:Live in Application (1)

tukang (1209392) | more than 3 years ago | (#35744364)

Exactly, security is one of the key reasons why web applications have become so popular on the desktop and I think we'll see a similar movement away from live in apps to web apps on smartphones. I never understood why people would install a live in app for Amazon or the NYTimes on their phone when they could just visit the website versions (which work much better by the way). Imagine installing binaries on your desktop for every e-commerce or news site you used - you're bound to get screwed.

Re:Live in Application (1)

npsimons (32752) | more than 3 years ago | (#35744568)

Once permitted in, most commercial applications barge into your PC, rewrite whatever files they please, alter configuration settings, gobble up memory, install themselves as startup applications and often install an entire suite of unwanted applications and advertisements you didn't even ask for. Then they plonk themselves down in your living room, feet on the sofa, and begin to shout at you, along with all the dozens of other loudmouth applications you've invited in.

Two things:

  1. This is *precisely* why open source is needed, and yes, you can make money selling open source software. Then if your customers decide they don't like the way your app works, they can cut out the shit part and fork it. Just more motivation not to do any of the above.
  2. People might question the wisdom of ubiquitous VMs (say, even on smartphones), but even just chrooting or jailing apps could help curtail some of these problems. I was incredulous when I saw an article about VMs on smartphones, but it makes sense in this context.

Of course, the real question is, why trust an entity (the people making the software) who obviously wants to do you harm? Stop using software and products designed to work against your own best interests!

Without Android Permission? (0)

Anonymous Coward | more than 3 years ago | (#35743642)

Does anyone know how they collect geographic information when the application requires neither coarse location nor fine location?

The lack of those Android permissions either makes this a bigger story than simply Pandora sending information, or it makes me skeptical of the researchers' claims.

Re:Without Android Permission? (2)

WhirlwindMonk (1975382) | more than 3 years ago | (#35743808)

I imagine it determines your location when over wifi and assumes that's where you are until it detects a new wifi connection. I'm guessing this since while on the road in Ohio and Pennsylvania, it gave me ads relating to stuff in southeastern Michigan, the last area I'd connected to wifi in.

Re:Without Android Permission? (2)

xaxa (988988) | more than 3 years ago | (#35743842)

Does anyone know how they collect geographic information when the application requires neither coarse location nor fine location?

The lack of those Android permissions either makes this a bigger story than simply Pandora sending information, or it makes me skeptical of the researchers' claims.

Maybe (and this is only a guess) they turn on WiFi and look at nearby SSIDs, the same way Google does.

The app has permission to alter network state and look at WiFi settings: https://market.android.com/details?id=com.pandora.android [android.com]

Re:Without Android Permission? (1)

Pollardito (781263) | more than 3 years ago | (#35744288)

I've seen more and more apps adding "Change Wi-Fi State" permissions, and i wondered why that was. I assume they do it because otherwise you can install the app, but then turn off GPS and/or coarse GPS system-wide and they get nothing. This way they can get it regardless.

I actually uninstalled Pandora when I saw that it had access to my contacts and calendar. I think that would have stuck out to me when I installed it, but I think it came pre-installed on my phone. A month later they updated it, and I saw that crazy list of permissions and uninstalled it

Re:Without Android Permission? (2)

Stenchwarrior (1335051) | more than 3 years ago | (#35743884)

I would imagine all the app needs to do is see what IP you're connected to the internet from, whether you're on WiFi or on the mobile network. Just about all subnets are traceable to a city.

SELinux type security for Android (5, Informative)

Bocaj (84920) | more than 3 years ago | (#35743672)

Google needs to change the security model to allow finer grained access and more information to users about how much information that access allows. I should be able to install an application that wants access to my contacts but choose to deny that access with a warning that it may affect the functionality of the app. There should be more detail information on just what information an application can get hold of with that access. I think using the SELinux model of security in the kernel would be a good idea. If I don't grant an application process rights to certain files, it can't get access no matter what.

Re:SELinux type security for Android (1)

L4t3r4lu5 (1216702) | more than 3 years ago | (#35743872)

This is too complex. Here is an alternative solution:Don't install apps which require permissions you don't agree with.

If I see an app which is nothing to do with my phone book, or messaging, or system settings, and it requests those permissions, the app is not installed.

Re:SELinux type security for Android (0)

Anonymous Coward | more than 3 years ago | (#35744230)

Your approach requires that people think. People are mostly incapable of even the simplest degree of thought when it comes to such things. I don't know why - they just can't do it.

Re:SELinux type security for Android (1)

Pollardito (781263) | more than 3 years ago | (#35744352)

They seem to all add this stuff in lockstep though, so there doesn't seem to be a way to vote with your feet on some things short of the nuclear option. If the advertising networks demand it, you're not really going to get some app deciding to buck the trend to get more downloads if it means they lose all their ads. There are so many monopolies, duopolies, and cartels (RIAA/MPAA) upstream of the consumer these days that competitive pressures aren't doing what they should.

Re:SELinux type security for Android (1)

Sloppy (14984) | more than 3 years ago | (#35744592)

The way to win is to give them all the permissions that they demand, but have the things they access which you don't want them to, be unreal. Don't say no to them; jam them.

Re:SELinux type security for Android (1)

L4t3r4lu5 (1216702) | more than 3 years ago | (#35744818)

There's a reason for me not having Angry Birds on my Android phone. Not the same reason being discussed here, but it does involve advertising. I did enjoy the game, but I can do without very easily.

It's down to the user taking a stand, but they're all too self absorbed in eating that damn marsh mallow that the rest of us get it shoved down our necks, and no option to wait for two later on.

Re:SELinux type security for Android (1)

Digicrat (973598) | more than 3 years ago | (#35743978)

That was my thought the first time I downloaded an app from the android marketplace to. It lists all of the permissions an application is requesting, but your only option is allow-all or don't install. I should be able to install a given app but tell it, no I don't want it to use the internet (if it's ad-supported, the app can then choose not to work), or deny the ability for an app to get anything but the coarsest location data (a weather applet doesn't need to know that I'm at the intersection of Fake St. and 5th when its database is based on city/town).

In many cases you can find alternatives, but they often don't work as well. Some applications provide preferences to toggle what data they actually look at, but others either don't, or would be safer if one could verify that it can't.

Re:SELinux type security for Android (1)

standbypowerguy (698339) | more than 3 years ago | (#35744064)

SELinnux? You're kidding, right? I'm a longtime Fedora user, and it's shipped with SELinux since FC2, I think. Although the policies and tools have improved drastically, some things like Apache, Samba and 3rd party RPMs still require manual intervention, sometimes to the point that it's simply easier to simply disable. It's hardly ready for Joe Sixpack's Adroid phone.

Not just android (5, Interesting)

ender- (42944) | more than 3 years ago | (#35743676)

The actual Vericode post [veracode.com] says it's both the iPhone and Android versions. I'm not sure why the article linked in the summary [and thus the summary] only mentions the Android version.

I wonder then, does the web browser interface do something similar, minus the GPS info of course? What about the Pandora One desktop app?

Geolocation APIs (and opinion) (2)

Jahava (946858) | more than 3 years ago | (#35743904)

The actual Vericode post [veracode.com] says it's both the iPhone and Android versions. I'm not sure why the article linked in the summary [and thus the summary] only mentions the Android version.

I wonder then, does the web browser interface do something similar, minus the GPS info of course? What about the Pandora One desktop app?

There are specs for getting geolocation information [w3.org] via JavaScript, so possibly. However, your browseri s supposed to ask your permission prior. This also doesn't preclude other Pandora components, such as Flash, which may have their own API [adobe.com] .

That said, am I the only one who just doesn't care? This company is providing bandwidth and fronting music industry negotiations in order to deliver a useful and valuable service to me for free. As per the implicit (and explicit) contract with almost every modern free service, it's a willing exchange of information, and I'm perfectly willing to trade my phone ID and location for this service (for now).

It would be nice, though, if there was an Android requirement that each application disclosed exactly what data it was collecting, and for what purpose, in order to be included in the Marketplace.

Re:Geolocation APIs (and opinion) (1)

k_187 (61692) | more than 3 years ago | (#35744594)

That said, am I the only one who just doesn't care? This company is providing bandwidth and fronting music industry negotiations in order to deliver a useful and valuable service to me for free. As per the implicit (and explicit) contract with almost every modern free service, it's a willing exchange of information, and I'm perfectly willing to trade my phone ID and location for this service (for now).

It would be nice, though, if there was an Android requirement that each application disclosed exactly what data it was collecting, and for what purpose, in order to be included in the Marketplace.

Personally, I don't think its the end of the world. its a free app and you should expect to be giving away at least some of your information in exchange. However, they should be up front about what they're taking, which if I've read the article correctly, they aren't.

Re:Not just android (2)

LoganDzwon (1170459) | more than 3 years ago | (#35744102)

I was about to reply that I found it "very suspicious that the article omits ios... " then I reliezed your article doesn't either. It just includes a quote from another article; http://online.wsj.com/article/SB10001424052748703806304576242923804770968.html [wsj.com] which explains why there were looking, not what they looked at. The iOS version simply was not examined for this test. Most likly because an iOS app is not privileged to the pivata data in question. That whole walled garden thing.

Re:Not just android (1)

Anonymous Coward | more than 3 years ago | (#35744180)

Actually the Vericode post just examined the Android version. They quote the Wall Street Journal Article that says it is for both the Android and iPhone versions: http://online.wsj.com/article/SB10001424052748703806304576242923804770968.html

What's needed (0)

Anonymous Coward | more than 3 years ago | (#35743688)

Is an app that sits between your personal and phone info and all your other apps and controls what data gets presented to each app

Everybody's doing it (2)

countertrolling (1585477) | more than 3 years ago | (#35743692)

Pandora got caught. Getting caught is the anomaly. And people will never learn that there is no privacy on a networked computer

Re:Everybody's doing it (2)

sandytaru (1158959) | more than 3 years ago | (#35743740)

Just because everyone is doing it doesn't make it right - or legal.

Re:Everybody's doing it (1)

clang_jangle (975789) | more than 3 years ago | (#35743880)

...people will never learn that there is no privacy on a networked computer running proprietary software or on proprietary networks.

FTFY. Those of us who use FOSS are the only people who have a shot at actual privacy. Note, I say "we have a shot". You can still make thousands of tiny mistakes that will screw it up. The cell providers are another story, there's no privacy for anyone on the proprietary networks available.

Re:Everybody's doing it (1)

houstonbofh (602064) | more than 3 years ago | (#35744060)

...people will never learn that there is no privacy on a networked computer running proprietary software or on proprietary networks.

FTFY. Those of us who use FOSS are the only people who have a shot at actual privacy. Note, I say "we have a shot". You can still make thousands of tiny mistakes that will screw it up. The cell providers are another story, there's no privacy for anyone on the proprietary networks available.

I was gonna say... There is privacy on mine. But it takes a lot of work.

Re:Everybody's doing it (1)

circletimessquare (444983) | more than 3 years ago | (#35744604)

there's no privacy with an open window either. that still doesn't mean i'm not going after the guy standing outside writing things down in a notebook. just because you can't lock things down technologically doesn't mean you have no basis for going after bad behavior. bad behavior is bad behavior is bad behavior. "because i can" is not a justification or excuse in any morality i know of, nor is it a reason to tell someone who has been violated that it is their fault

if i put a $20 bill on my front porch, yes, i'm stupid, and yes, i'm going to lose $20. but the guy who trespasses onto MY porch and takes $20 which is clearly not his and clearly not offered to him is still a thief who should be prosecuted for theft, to exactly the same degree as if he reached into my pocket or reached into my upstairs safe or hacked my bank account. same crime. do you understand why its the same crime? the idiocy of computer users does not excuse the evil of transgression

what bothers me is not specifically your post, but the kind of logic i see in your post, all the time, not even just in terms of computer security: "you didn't protect yourself, so you deserve what happened to you." this is the same failed way of thinking about right and wrong as "did you see the dress she wore? she was asking to get raped."

you, and many others, fail at basic morality. i don't know exactly what the problem is, but i would guess it is simply that you indeed are looking to excuse your bad behavior in one way or another: "they were weak, so they deserved it" is a pretty common failed way of thinking about the world. i see a criminal conviction some time in your future if you don't wake up and understand that the person who does something wrong, is wrong, period, no matter how stupid, drunk, gullible, clueless the victim

Re:Everybody's doing it (0)

Anonymous Coward | more than 3 years ago | (#35744758)

Pandora didn't get "caught" at all; their privacy policy makes it clear what they do, and the apps ask for access. Further, the app doesn't "collect" personal data from the phone; contacts, calendar and other access is used to support user-initiated features, like emailing a station, or inserting an event in the calendar (again, only ever done at the user's request.)

The only "personal" data sent to advertisers comes from the Pandora registration process *not* from the phone:
"Pandora gathers the age and gender information when a user registers for the service." (Which you may not like, but it's in their privacy policy.)

The only data gleaned from the phone that Pandora might be sending to advertisers is location. So *maybe* they know where a certain phone has been - which is information already in the service provider's database.

You get what you pay for (1)

bitroli (2022550) | more than 3 years ago | (#35743732)

When you install that application on android (or any application for that matter), you have to grant it (and by that I mean, acknowledge) permissions asked by the application.

It's the lusers fault for giving "Tom Talking Cat" privileges to fully control their phone, GPS, read contacts, browse the internet freely.

No idea if that app actually asks for all that crap, but there are plenty that do when they're nothing more than a stupid text editor.

Re:You get what you pay for (1)

chemicaldave (1776600) | more than 3 years ago | (#35743768)

Those permissions requests are worthless. They only tell you what the phone needs access to, not why. I'm sure there are legitimate reasons for some of them, but who knows? There's no accountability.

Re:You get what you pay for (1)

mastershake82 (948396) | more than 3 years ago | (#35743898)

Well, if you are installing an Angry Birds clone, and it tells you it needs access to your dialer to make phone calls and your messaging to send text messages then maybe... just maybe... you shouldn't install it.

The Android notification of what parts of your phone the app will use are perfect. It allows an app to request whatever it needs on a very low level, and for you to know that it is requesting it. There is DEFINITELY a gray area when you are installing something that will actually use a sensitive part of your phone such as the dialer / GPS / messaging... but at some point, you have to do your research and make sure you trust the developer and that the software is actually from the developer on the app store, not somebody who modified their app and re-uploaded it.

You say it doesn't tell you why it needs it... but you should know why from the type of application it is. And if the why of the application type doesn't match the data and access requested, don't install it. I'm sure Android could add a 'why' area for each permission for the dev to put in a reason, which actually might be nice, but it won't be any more secure, as the people who are releasing malicious apps are the same social engineers who have perfected duplicating emails from your bank almost perfectly.

The only more secure way they could do it would be, "We see you've selected Angry Birds, please review the entirety of the source code presented below and all of it's resources to ensure that it won't do anything malicious to your phone."

Re:You get what you pay for (1)

chemicaldave (1776600) | more than 3 years ago | (#35744718)

You say it doesn't tell you why it needs it... but you should know why from the type of application it is. And if the why of the application type doesn't match the data and access requested, don't install it. I'm sure Android could add a 'why' area for each permission for the dev to put in a reason, which actually might be nice, but it won't be any more secure, as the people who are releasing malicious apps are the same social engineers who have perfected duplicating emails from your bank almost perfectly.

We're not talking about malicious apps. This is Pandora. And you're right, once you start installing apps off the market you're on your own. But 95% of users aren't doing that. They expect transparency in the applications from the market. Right now as I attempt to install Pandora it makes no mention of access to the personal information mentioned in TFA. One thing it requests is access to "Phone calls: read phone state and identity." What does that mean? Does it mean I can accept a phone call from the app gracefully? Does it mean Pandora can collect that information and keep track of who is calling me? The request is ambiguous. Same thing for "Your personal information: add or modify calendar events and send email to guests, read contact data." Again, ambiguous. Maybe it uses the contact data to show who is calling if you receive a call during playback?

The only more secure way they could do it would be, "We see you've selected Angry Birds, please review the entirety of the source code presented below and all of it's resources to ensure that it won't do anything malicious to your phone."

How about making the developers take some responsibility and say what they're doing instead of releasing them of all responsibility and making the user go through source. Even if that was the only way, what's to stop the developers from obfuscating the code?

The "it's free so shut up" mentality has to stop. If your product/service really is so good then let the users decide if they want to release their information or buy a subscription. Going behind the users' backs is deceptive, and an insult to the intelligence of their customers.

Looking forward for Pandora IPO (4, Interesting)

ub3r n3u7r4l1st (1388939) | more than 3 years ago | (#35743792)

Despite the suit, recent SEC filing [sec.gov] suggest eveything pointing up:

        * Revenue skyrocketed from $55,189,000 in FY2010 to $137,764,000 in FY2011.
        * Advertising revenue rose from $50,147,000 in FY2010 to $119,333,000 in FY2011.
        * Subscription and "other" revenue increased from $5,042,000 in FY2010 to $18,431,000 in FY2011.
        * Despite rising content acquisition costs (up from $32,946,000 to $69,357,000 between FY2010 and 2011), Pandora's loss narrowed from $15,549,000 in FY2010 to $321,000 in FY2011.

Despite strong competition such as Sirius XM radio and even Apple to that regard, I wouldn't worry much.

Pandora's Box (0)

Anonymous Coward | more than 3 years ago | (#35743834)

Doesn't the name imply that there is trouble inside? Where is the false information in that. I guess you could say Veracode opened Pandora's box.

Obvious what they are doing (2)

Hoi Polloi (522990) | more than 3 years ago | (#35743860)

Gender, location, phone? It is clear what the people at Pandora are doing, trying to get dates.

Re:Obvious what they are doing (3, Funny)

berashith (222128) | more than 3 years ago | (#35744268)

yup , the stalkers employed by pandora can send Barry White tunes to any stranger that they need to get in the mood.

Foul playback (2)

DigiShaman (671371) | more than 3 years ago | (#35743870)

Honestly, I wouldn't mind them doing this if they had been clear and upfront with their intentions. Something along the lines of...

"We will provide you a free service in exchange for client usage statistics. This information will be shared with 3rd party marketing firms"

It's not so much what they do with this information in so much that I no longer feel safe reading this first time on Slashdot. How can I trust them now? I can never trust a sneaky bastard. Because of their lack of disclosure, Pandora just got uninstalled from my Droid.

Re:Foul playback (0)

RobotRunAmok (595286) | more than 3 years ago | (#35743938)

"DigiShaman," eh? Maybe you need to upgrade your runes...

OBVIOUSLY Pandora is collecting information about you and selling it to advertisers. They provide a free internet service, and have insanely high licensing costs; how did you think they were being funded, the Committee for Public Broadcasting?

Now, check your digi-Ouija board and tell us why Google provides people with free e-mail service and gigs upon gigs of free storage...

Re:Foul playback (1)

DigiShaman (671371) | more than 3 years ago | (#35744350)

I get the gist of how Google runs their business. But I wasn't really sure about Pandora. Ya, I suspected they sold playback statistics to 3rd party firms. But I did not suspect to what depths they went, or even if this was their actual business plan. For all I knew, Pandora was acting as a loss-leader. That is, they would pay for the cost up-front to get large user install base, then capitalize on it later through a premium subscription plan.

Re:Foul playback (1)

andrewd18 (989408) | more than 3 years ago | (#35744030)

If you're willing to assume that all companies are going to keep your data safe, you're awfully naive. Whether or not they should is one thing... whether or not they will is another.

Besides, it's not like you couldn't have seen this coming. When you install the app to your Android phone, you get the following screen:

This application has access to the following:
* Network communication (create Bluetooth connections, full Internet access, view network state, view Wi-Fi state)
* Your personal information (add or modify calendar events and send email to guests, read contact data)
* Phone calls (read phone state and identity)
* System tools (Bluetooth administration, change network connectivity, change Wi-Fi state, modify global system settings, prevent phone from sleeping, automatically start at boot)

If that doesn't scream "We are going to take data about you and sell it", I don't know what does.

Re:Foul playback (0)

Anonymous Coward | more than 3 years ago | (#35744090)

It's simple: if you are not paying for a product, YOU are the product. You should uninstall the internet.

Re:Foul playback (0)

Anonymous Coward | more than 3 years ago | (#35744204)

Honestly, I wouldn't mind them doing this if they had been clear and upfront with their intentions. Something along the lines of...

"We will provide you a free service in exchange for client usage statistics. This information will be shared with 3rd party marketing firms"

It's not so much what they do with this information in so much that I no longer feel safe reading this first time on Slashdot. How can I trust them now? I can never trust a sneaky bastard. Because of their lack of disclosure, Pandora just got uninstalled from my Droid.

It seems pretty clear and straightforward to me; not that I read this before I clicked through the agreements, but still, it's out there for consideration if you're really of the opinion that anyone providing an ad supported service isn't in bed with the advertisers. I don't see this as sneaky, I see it as leveraging the most viable business model for a service that has to work with content licensers.

http://www.pandora.com/privacy

Re:Foul playback (2)

O('_')O_Bush (1162487) | more than 3 years ago | (#35744270)

If it bothers you that much, fork out the 36$/year for Pandora One and avoid advertising altogether. I mean, 36$/year is pretty cheap for unlimited music streaming to our phone in comparison to buying the songs individually.

It's not like Pandora forced you into taking their free, ad-based service, since they offer a paid, ad-free version. Targeted ads are the new definition of ad-based nowadays anyways. Just look at Facebook.

Re:Foul playback (1)

DanTheManMS (1039636) | more than 3 years ago | (#35744382)

If it bothers you that much, fork out the 36$/year for Pandora One and avoid advertising altogether. It has nothing to do with the ads being played on the stream itself. Nobody's complaining about those. It's about Pandora collecting and selling your private information to other 3rd parties without clearly stating as such.

Unless you're suggesting that by forking over $36 a year, they WON'T actively track your data, which we can reasonably assume is false. Sure you don't get ads, but they're still violating your privacy.

Re:Foul playback (2)

DigiShaman (671371) | more than 3 years ago | (#35744386)

And I should trust them now? How do I know they're not double dipping into my wallet AND selling my usage stats to a 3rd party?

Trust. A concept that's very hard to earn, and easy to lose. They've lost mine.

Re:Foul playback (1)

O('_')O_Bush (1162487) | more than 3 years ago | (#35744674)

"We use the information that we collect and you provide about yourself to personalize your PANDORA® internet radio experience through ads and social networking features."

Right there in the Privacy Policy that you didn't read. http://www.pandora.com/privacy

They never lied to your or tried to hide anything. They tell you they collect information from you to customize ads and give that information to a third party. What more do you want to know?

Pandora? pfft (0)

Anonymous Coward | more than 3 years ago | (#35744038)

Use Slacker. It's just better.

Re:Pandora? pfft (1)

nschubach (922175) | more than 3 years ago | (#35744240)

Slacker Radio

System Tools
Change Network connectivity, change Wi-Fi state, read system log files, prevent phone from sleeping.

Network communications
Full Internet Access

Phone calls
Read phone state and identity

Storage
Modify/delete SD card contents

Why does a radio app need to be able to turn on/off my wifi? Why does it need to read my system logs? Why does it need to be able to add or delete things from my SD card? (It's streaming music...)

Re:Pandora? pfft (1)

bhcompy (1877290) | more than 3 years ago | (#35744496)

Slacker doesn't just stream, it stores data. You can sync your Slacker to save hours of steams to your device for later playing. This is also why it can change your wifi state. Granted, the Slacker Player itself is the best way to go

Re:Pandora? pfft (1)

berashith (222128) | more than 3 years ago | (#35744356)

which has this permissions screen ....
System Tools
Change network connectivity, change Wi-Fi state , read system log files, prevent phone from sleeping
Network Communication
Full Internet access
Phone Calls
Read phone state and identity
Storage
Modify/delete SD card contents

So, not a whole lot of difference. The arguments on which radio app to use needs to be on the merits of the app/song selection, not on the treatment of your privacy.

This is unacceptable! (2)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#35744044)

Only the mobile phone carriers should be allowed to collect large, but unknown, piles of personal information silently and without oversight! It is an outrage that others would dare to step onto the rightful domain of these oh-so-helpful surveillance buddies.

On a more serious note: What I would really like to see in Android(and other mobile operating systems; but a 3rd party build of Android is pretty much the only one where this would ever see the light of day on any hardware that isn't a laptop-size dev board...) is a supplement to the existing system of granular access-request application permissions:

Spoofing.

At present, you can see what permissions an application demands(perhaps not at quite the level of granularity that would be ideal; but the concept is good, and refinements aren't fundamentally challenging); but you have no way of pushing back against an application that seems a bit uppity, other than refusing it. What would be ideal would be a way of setting up multiple instances of the various Android content providers [android.com] . One set of instances would be the 'real' one, populated with actual system data(address book, location, etc, etc.) Other instances would be various flavors of 'fake', either generated by applying an overlay filter to the real ones(ie. I might want to give an application that uses location data access to 'location data, but truncated to ~city level accuracy', which would be a content provider generated by a simple mathematical operation against the genuine content provider for location data), or auto-generated to look plausible; but be completely unrelated to the truth(ie. an 'address book' consisting of a simple dump of 47 name/number pairs from a phone book). This would allow you to push back against applications that demand more than they need to know; by allowing you to fulfil their architectural 'requirements'; but choose for yourself which are actually necessary for what you want to do(if you want a navigation app to work, you do need to give it your real location. If you just want dining recommendations, you may only feel the need to give it city-level accuracy, and feel no need whatsoever to give over your real address book for 'social dining integration'...)

Such a system would have additional benefits: it would make tasks like separating work/personal(or personal/er... 'extracurricular' if that is your style) architecturally clean and much lighter-weight than virtualization. You could have multiple true address books, say, one accurately reporting your personal contacts, and one accurately reporting your work contacts, and you could point twitfrienddroidfeed at the first and seriouscorporatemail at the second.

If the service is provided free (1)

wiredog (43288) | more than 3 years ago | (#35744052)

the you, the user of that service, are the product.

How is this Illegal? (1)

softWare3ngineer (2007302) | more than 3 years ago | (#35744078)

Please excuse my ignorance. but how is this illegal? companies do this all the time over the web. tracking where you log in from, how long you are one each page, and what sites you visit every time most people use the Internet. I think this practice is defiantly immoral, but give how constrictive contracts are I don't see how this is against the law. if you could point me towards some case law or a brief it would be much appreciated.

Re:How is this Illegal? (1)

BradleyUffner (103496) | more than 3 years ago | (#35744440)

Please excuse my ignorance. but how is this illegal? companies do this all the time over the web. tracking where you log in from, how long you are one each page, and what sites you visit every time most people use the Internet. I think this practice is defiantly immoral, but give how constrictive contracts are I don't see how this is against the law. if you could point me towards some case law or a brief it would be much appreciated.

That's one thing... Freely accessing your address book, including full name, phone numbers, and address of everyone it, and complete access to your system logs and dialing history is something else all together.

I don't think it's automatically criminal though... Android DOES tell you that the phone can access this data at installation time, and you can choose not to install it. Bit it is walking an awfully fine line.

Gender? (0)

Anonymous Coward | more than 3 years ago | (#35744134)

Why does your phone know your gender in the first place?

Re:Gender? (1)

AHuxley (892839) | more than 3 years ago | (#35744280)

All the better to target ads at you my dear!

Re:Gender? (1)

O('_')O_Bush (1162487) | more than 3 years ago | (#35744696)

It doesn't necessarily. Your Pandora account does though since you filled that out when making it.

No Yes (0)

Darth Snowshoe (1434515) | more than 3 years ago | (#35744138)

Let me just say, their Yes channel is awesomely crappy and incomplete. Did those guys never hear of RELAYER? Hello? Classic, amirite?

Pandora? (0)

Anonymous Coward | more than 3 years ago | (#35744326)

hi guys i'm pandora (1)

Layth (1090489) | more than 3 years ago | (#35744340)

a/s/l????

Re:hi guys i'm pandora (0)

Anonymous Coward | more than 3 years ago | (#35744408)

show us a pic of your box and prove it

How about people with paid subscriptions? (0)

Anonymous Coward | more than 3 years ago | (#35744366)

I pay for Pandora... so I get no ads.
Not that I care if they are sending tokens of data to advertisers, I don't imagine there is some guy with a sinister black moustache wringing his hands at the other end. I'm sure it gets stuffed into a database and generalized. Just like those discount cards for grocery stores etc.

This is paranoid sensationalism. I hope anyone who complains doesn't have a facebook account.

Keeping It (1)

Necron69 (35644) | more than 3 years ago | (#35744376)

I've read the articles and seen what they are sending, and I don't care. With Pandora, I get all my music for free, and I'm willing to trade some info for that.

I remain curious as to how Android knows my gender, however. Sure, you could guess from my name, but I'm pretty sure there isn't a checkbox for "sex" anywhere in my phone config. Regardless, it wasn't a secret anyway. :)

Necron69

I personally... (1)

zimboptoo (1095523) | more than 3 years ago | (#35744458)

Haven't updated the app since it started asking for "Personal Information" permissions several months ago.

I'm rather curious as to how the app is supposed to be determining my gender/sex in the first place. Algorithmically based on the songs I listen to? If so, all those Glee songs I upvoted are probably throwing it off.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>