Nuance responds to privacy concerns over its Swype keyboard having too much location data

Nuance is responding to privacy concerns today after customers complained that its Swype keyboard application was accessing their whereabouts excessively.

A screenshot capturing how often Swype was receiving location information.

One user said Swype was receiving location information from the phone nearly 4,000 times a day.

In one case, a customer said his or her information was accessed nearly 4,000 times a day. While the post on the company’s forum is old, it was thrust into the spotlight this morning after it was posted on Y Combinator’s Hacker News site.

The user, who posted under the name “Humboldt” wrote: “In this post-Snowden era, I think users should be paranoid. I’ll keep an open mind, but I’ll need a lot of convincing to write this off as an ‘oversight’ and “abandoned unnecessary piece of code.”

A forum administrator said in December that it “definitely sounds like a bug,” and that it will be logged so they can look into it.

However, the answer is much more simple than this, according to Aaron Sheedy, Swype’s VP of mobile product, who was willing to address customer concerns over the phone with GeekWire today. (A formal statement from the company is expected shortly, and I’ll update the post when it is available.)

UPDATE: Nuance’s formal statement is: “At Nuance, we take privacy very seriously. The location requests you may see occurring when using the Swype app are actually notifications of  changes to location from the Android Operating System. We do not actively ping for location information.  Swype may show more notifications than some other applications because as a keyboard it is almost always running, even when not visible.  Only a small number of these instances are used. The location information that we do use is very important because it allows us to improve our language models and user experience. Swype has a feature that sends to devices regionally specific dictionary extensions, and the data will help develop new regional databases we build in the future. We do not track or store location when the keyboard is not actively being used.”

Sheedy claims it is not Swype that is requesting a person’s location — Swype does not turn on the phone’s GPS and pull the information. Rather, it is Google’s Android operating system that is collecting the data and providing it to applications that have permission to know a person’s whereabouts. Whenever a person’s location changes, Swype receives an update. Furthermore, he said Swype leaves nearly all the customer’s location information on their device or throws it out.

In the case of Humboldt, it’s unclear why Swype is receiving so many updates for one person, but one plausible explanation is that he is moving around a lot and is using the keyboard frequently.

“The trick is, is that we are a background service, so we get a lot of those location updates,” he said.

swype-3Swype requests the information because it wants to understand how words are used regionally as part of its Living Language feature, which takes into account geography, slang and other factors, such as the spelling for a restaurant or street name. At some point, Swype may be able to even to pick up on the difference in language based on a person being at home or at work.

Sheedy said if a customer no longer wants their location known, there’s two ways to opt-out. He said within the Swype application, users will have to turn off three services: Living Language, back-up and sync, and data sharing (turning off just one of the three won’t work, as some of the posters have pointed out).

The other option is for Android users to change their location-sharing settings at the operating system level.

“The users control that data in Android, and Google’s own settings — they’ve given permission,” he said. “As a user, you should set your location settings to provide the level of data appropriate with how you use your phone.”