I agree that Nxtbook should clarify the information which Harold requested in [arrl-odv:21157].  If Nxtbook verifies that there is no personally identifiable information tracked and that the information is standard web analytics such as pages visited, then I am comfortable with going forward with the iOS Digital QST app.  This feature is in great demand among members.  The app will allow iPad/iPhone users to save the QST to their devices so that it can be read when not connected to the Internet.  Reading the digital QST on a tablet such as the iPad is much more popular than reading it on a computer screen!

I agree that the tracking feature and the ability to disable it needs to be clearly explained to users.  Members are entitled to know what, if any, information is obtained, and to be reassured that no personally identifiable information is tracked.  Members should also be given specific instructions on how to disable tracking in the iOS Settings by going to Settings/ QST/ and setting “Disable Tracking” to ON. (or whatever wording staff thinks is the the most clear instructions).

The original contract with Nxtbook included the specific Nxtbook charges for the iPad/iPhone app (Exhibit A).  As I recall it was $1500 one-time setup, and $100 per issue.  Harold can give you the specific details.   This contract was approved by the A&F committee under the authority delegated by the Board.  The minutes of the April 14, 2012 A&F meeting included an update at minute 15, in the COO’s Operating Report, that applications for the iPhone and iPad were expected by the October issue.  The digital QST app has been beta tested and works great.  When the privacy concerns are resolved, I think we should promptly release it.  I see no need for further Board action.

Cliff K0CA

2 NOV 2012 - 1747 CDT

To all ARRL Officers, Directors, and Vice Directors:

Even though I am a heavy user of Information Technology, I have never been
a user of Apple devices of any type.  Therefore, it has taken more time than
I planned to research the potential security issues with the Apple iOS
digital QST application.

This message consists of two parts; a brief discussion of the issues,
followed with a series of questions that should be answered before any
decision is made to publicly release and support the use of our Apple
iOS digital QST application.

Potential Security Issues With Apple iOS Digital QST Application

1. According to Harold Kramer, the Apple iOS QST App does send tracking
   information to somebody.  It is assumed that this information is
   de-identified, only includes the current geographic location of the
   user, and is sent to Apple.Com, or an Apple contractor.  Without a
   verified, detailed description (from Apple?) of all of this data,
   there is no way of making a proper judgement of the user's data
   security when using this application.

2. I understand the default setting of this "data tracking feature" is ON.
   It can be turned OFF, but the labeling and wording used to control this
   "feature" is not clearly understood.  At the least, I suggest the
   default setting for this tracking process should be OFF with a warning
   displayed when the user chooses to activate it.

3. When the user stops using this QST App, it is still active and could
   continue to send data as long as the user's device is turned on.  I
   think most iOS users do not know this is going on.

4. There is at least one Apple iOS hacking program available at
    http://www.iphonetracker101.com/iphone-tracking-app that can be
   used to view and record keystrokes and phone audio.  I suspect there
   are also one or more Apple iOS hacking programs that enable the
   insertion of program (trojans) that will command the targeted Apple
   iOS device send specified data to anonymous third party(s) without
   the knowledge of the device user.

Questions That Should Be Answered Before Releasing the Apple iOS Digital
QST Application

1. Harold Kramer told me that Chris Imlay has vetted this contract, but
   I still don't know who is the contractor.  Who is the contractor?
   What are we paying for this application?

2. What data is being collected?  I can understand pages-read data that
   would be of used by ARRL staff to improve magazine content.  The same
   goes for clicks on active links to track advertising response.

   But if things like the reader's current location, the reader's use of
   other applications, any financial or personal transactions by the reader,
   the reader's keystrokes, etc. are being sent out... the ARRL should not
   be receiving this information.  We already have the user's ARRL membership
   and ham radio license data.  What more do we need?

3. Is this application is sending data to third parties - without the user's
   knowledge or agreement?  Depending on the data being sent, the ARRL
   could be held liable for damages.

4. Is there a clearly worded, easily accessed, option allowing the user to
   permanently stop this data collecting?

I have probably missed some points and I welcome comments and suggestions
on these issues.  Here is one final question for my fellow directors.

5. Do you think the ARRL Board of Directors should formally approve this
   IT project?  In view of our past IT problems, I believe we should vote
   on releasing and supporting this Apple iOS digital QST application.

73 - Dick Isely, W9GIG