
Vlingo Makes Official Statement: Success At Customers' Expense

Since AndroidPIT members Jörg and Andreas first broke the story that the popular Vlingo voice control software was collecting user data far beyond what was specified in their user agreement, the AndroidPIT forums have been up in arms, and it's easy to see why. With smartphones becoming a more integral part of our lives, it's only natural that users would be concerned that a popular voice control app that comes preinstalled on many Samsung devices would be uploading location, phone ID and carrier information unencrypted before users even had a chance to agree to Vlingo's privacy agreement.

Last night, Vlingo took the time to sit down with AndroidPIT editors and users to discuss our concerns. While Vlingo representatives did their best to address the problems Andreas and Jörg uncovered and seemed to be making a good-faith attempt to correct these “bugs”, one couldn't be blamed for thinking that app producers all too often play fast and loose with user privacy.

Bugs In The System
In case you missed it, AndroidPIT users Andreas and Jörg recently took a look at a build of the popular Vlingo software on a Samsung Galaxy Note and discovered that the voice control software was collecting user information far beyond the scope of Vlingo's privacy agreement and, according to some privacy groups we contacted, this represented a clear violation of European privacy law. To put it bluntly, taking your information and uploading it UNENCRYPTED to your own servers + without asking permission to do so = stealing. The accusations leveled against Vlingo included:

  • That Vlingo was collecting user location, phone ID (IMEI) and carrier information before users agreed to the user agreement.
  • That Vlingo was also collecting information from users' contacts and media collections without informing users.
  • That collected information was being uploaded to unencrypted, insecure servers which could easily jeopardize user privacy.
  • That user information was being collected even when the app was inactive.

Addressing the concerns, John Nguyen, co-founder and Head of Products at Vlingo, admitted that the accusations were true. The voice control app was, in fact, collecting data far beyond what Vlingo had intended, and the data was partially collected without user consent. As personal information is rapidly becoming the only currency worth anything in the online community, this is of course cause for concern, and was enough for me personally to uninstall their app the second I heard the news. But Mr. Nguyen stressed that Vlingo isn't some shady company, hoarding your data for nefarious purposes; it appears that the violations were caused by a combination of software bugs and an outdated privacy policy. (Wait... if you know the policy was outdated, why didn't you amend it before deciding to steal user information?)

According to Vlingo, whose software teams spent the last several days attempting to reproduce the behavior AndroidPIT users reported, a synchronization issue was to blame for the overly aggressive data collecting we noticed on the Galaxy Note. When users start up the Vlingo app, background processes automatically fire up and start collecting user data to make Vlingo's voice control software faster and more efficient. But apparently, these processes were poorly designed and continued collecting data even when the app should have been inactive. WOW. Mr. Nguyen stated that Vlingo was previously unaware of this bug and would be taking steps to correct the issue by way of a software update in the coming weeks.

Addressing the accusation that user data was traveling through insecure channels to reach the Vlingo servers, Mr. Nguyen emphasized that Vlingo was moving their data collection system away from an insecure HTTP system to an encrypted system that should help protect user information from prying eyes. I don't know about you guys, but after something like this, it's pretty hard for me to ever imagine installing this app again.

Playing Fast And Loose With User Information
I personally came away from the conversation with Vlingo with the impression that the company was making their best effort to address the privacy concerns raised by AndroidPIT members. At the same time, I found many of their “reasons” to sound more like excuses, and poor ones at that. However, due to the complex nature of issuing updates for mobile software, they were unable to give us a concrete timeline for when they would be able to say that users' right to privacy was truly being respected. After similar scandals involving Dolphin Browser HD and HTC, it seems like tech companies the world over are willing to sacrifice user privacy in their mad dash to get the newest, coolest technology to market. Lucky for Vlingo that it's a free app, or else they could be issuing A LOT of refunds right now.

Of course it would be easy enough to brush off our concerns because, at the end of the day, does it really matter if some company knows what MP3s you like to listen to on your way to work or what friends you like to call from your Android phone? If companies embrace Google's policy of “not being evil”, probably not, but playing fast and loose with user information seems to be the new norm in the mobile community, and the culture of “features over privacy” should be of grave concern to modern “web natives” who increasingly rely on the internet to take care of their most basic functions.

Since the Web 2.0 business model took off in the early 2000s, our identities have become the new digital oil, so to speak. Targeted advertising is what makes the internet go round, and since information about your identity, tastes and habits is what large tech companies buy and sell, it's only natural that you would expect to have some say in what online companies are allowed to find out. But all too often, tech companies are willing to forgo necessary due diligence when it comes to protecting their customers' right to privacy in order to beat the competition to market.

Of course, I applaud Vlingo's quick action to address privacy concerns, but the privacy “bugs” that the AndroidPIT community discovered seem to be a clear case of the oversight that all too often plagues new digital services. It's time for consumers to make a stand and demand that companies pay less attention to the bottom line and take the necessary steps to protect customers' rights to privacy. Honest mistake or not, there is NO excuse for it.


  • My beloved Samsung Note has for 1 week been going wild draining my battery and constant drive mode and push to talk popping up, it has taken over my phone and not allowing me to charge, also cutting my calls off. Can't delete it apparently unless phone is rooted. Really annoyed and don't want to sell it but seems I'll have to and get a Windows Nokia

  • Chris Jan 28, 2012

    The general sense I've gotten as an Android developer is definitely an afterthought for most companies. The company I currently work for is very mindful of their privacy policy since we get a lot of information directly from our users, but the last company I worked for didn't really seem to pay much attention to how/what information was collected, at least as far as management was concerned. Our server developer and QA pushed encryption, and I did a hash of any ID we used to identify devices so we couldn't do a reverse lookup (i.e. the info couldn't be sold because we couldn't provide the device ID to any 3rd parties), but these were more done on our own initiative rather than something that management insisted on. I don't remember any privacy policy ever being included, just a terms & conditions document for a contest we ran.

    My personal feeling is that there's nothing wrong with collecting basic analytics to improve an app for everyone (ex. if nobody clicks on a button either it's hard to find or nobody needs that feature, and it should be adjusted or removed). In addition, some information like device model and what a user was recently doing may be very useful for debugging a crash report. Where it gets sketchy is when device IDs, phone numbers, or other information that can be used to identify individuals (ex. contact info) are sent. One important point I'm not sure everyone realizes is that developers on both Android and iPhone have access to the unique device ID, and that it can be used to tie information to a specific user even if the user's name isn't known. In other words, if a user enters certain information in an app that's stored along with the device ID, and that info and device ID are sold, advertisers can use that info to target you specifically from any other app that sends just a device ID to them.

    The problem is that there are some valid uses of device IDs, like saving certain preferences without users needing to register, restricting devices if you detect an attack on your servers, and collecting more than a single session worth of analytics data (ex. has this person EVER viewed a certain page). The device ID is useful because it provides a way to retain information even if the app is deleted and reinstalled. I believe Apple has started pushing developers to use a version of the device ID which is unique to a given application, but changes between different apps (they may even require it at this point), because usually you don't need multiple apps to have access to the same data on servers. The big problem for Android is that there is no such thing. In fact, to even get access to the device ID, you essentially have to request access to a whole slew of phone information (including the phone number), and if developers really want to be complete and uniquely identify tablets that don't have a cell connection they also need to get access to the Bluetooth MAC address. I did my part by hashing the values, but the problem with that is that some IDs can generate the same hash, so really the only perfect solution is to use the real device ID. I believe it would go a long way toward weeding out those who seek to sell user information and those who are just trying to keep some sort of device session information if Android would provide a way for apps to get a unique ID which is tied to the app itself like Apple provides, either with no permission required or a new permission specific to that feature (or maybe tied to the internet permission, since that's where it's used in any valid cases I can think of).

    If you want to take up a good cause toward better user privacy on Android, I think that's a good place to start.
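
An added example, not part of the article or of the comment above: one way to combine the two ideas discussed on this page, a device identifier scoped to a single app and no data leaving the device before consent. The function names, field names, app IDs and keys are hypothetical, and the sketch assumes each app has its own secret key.

```python
import hashlib
import hmac

# Fields allowed to leave the device; raw identifiers are never on this list.
ALLOWED_FIELDS = {"model", "os_version"}


def app_scoped_id(device_id: str, app_id: str, key: bytes) -> str:
    """Derive a stable per-app pseudonym from a raw device ID.

    HMAC-SHA256 keyed with a per-app secret: the same device gets the same
    ID inside one app (even after a reinstall), but a different ID in every
    other app, so records cannot be joined across apps without the keys.
    The full 256-bit digest is kept rather than a truncated value.
    """
    # Length-prefix the app ID so ("ab", "c") and ("a", "bc") stay distinct.
    msg = len(app_id).to_bytes(2, "big") + app_id.encode() + device_id.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_report(device: dict, event: str, app_id: str, key: bytes,
                 consent_given: bool):
    """Return the analytics payload, or None if the user has not agreed yet."""
    if not consent_given:
        return None  # nothing is collected before the agreement is accepted
    payload = {k: v for k, v in device.items() if k in ALLOWED_FIELDS}
    payload["event"] = event
    payload["uid"] = app_scoped_id(device["imei"], app_id, key)
    return payload


# Constructed sample data: the IMEI, number and carrier are made-up test values.
SAMPLE_DEVICE = {
    "imei": "490154203237518",
    "phone_number": "+15550100",
    "carrier": "ExampleTel",
    "model": "Galaxy Note",
    "os_version": "2.3.6",
}
KEY_A = b"constructed secret for com.example.voice"
KEY_B = b"constructed secret for com.example.notes"

if __name__ == "__main__":
    print(build_report(SAMPLE_DEVICE, "app_start", "com.example.voice", KEY_A, True))
```

The payload carries only the allow-listed fields plus the derived `uid`; it still has to travel over an encrypted channel rather than plain HTTP.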