Update 3: Swype has contacted us to clarify the following: 

Swype does not, and will not ever make money off of the data it collects from you.  They do not sell ads.  They do not sell information. The comment made on the CM review forum was a generalization about the larger Android app developer community, and in no way was intended to imply that Swype uses your data for ad revenue.

Update 2: Here's what Swype Community Representative Brian Resnik has to say about all this:

Swype Community Rep here (the guy who made the comments on Google Code).

Honestly, piracy is not our concern. We know there are pirates out there. Hell, if you look hard enough you can go find a pirate copy of Swype right now. We send DMCA notices when we see these sites, because if we don’t we lose our patents, and it kinda hurts to have your hard work get stolen. But all in all, the piracy thing isn’t our beef.

Our concern was over the reliability of our statistics. It’s important for us to have a reliable baseline when we look at things like: how many users have downloaded the most recent version; how many users got a previous version but not the latest; how many users have had to reinstall multiple times; how many users have switched devices in the past 6 months; how many users have devices of each screen size.

The key point there is that we need to have a reasonable assessment for how many users there actually are. Not just how many registered accounts there are (since people frequently register multiple times when they have trouble with a download); not just how many total installations there have been (the same user reinstalling after a device reformat shouldn’t count as a new user). For that, we need a unique hardware identifier.

As I was quoted as saying, HIDING that information is more or less okay: we just don’t get the info, it’s like you never installed it. SPOOFING the information, however, is really really harmful to our data collection. Even if only 5% of our users (and let me tell you this: CM users and ROMs based of CM source make up a SIGNIFICANT percentage of our beta users) were spoofing their ESN, it would completely trash our data analysis. Bad data devalues all the other data in the set.

THAT is why we brought this up in the first place.

I also want to point out that we went out of our way to contact the CM devs prior to any of the public discussions on this matter. I personally spoke with ciwrl this morning, who relayed our conversation to the rest of TeamDouche, and talked with him about our concerns, and ways in which we could all be happy. We want nothing more than to make sure that everyone involved gets the best experience possible.

Update: Let me be crystal clear: the proposed permission spoofing change in CM7 was 100% rejected, and will never be merged into the CyanogenMod source. Here's Steve Kondik's comment:


Yes, you read that correctly. The developers of the extremely popular, semi-exclusive third-party keyboard app Swype have been carefully watching the situation that has unfolded regarding a recent (proposed and rejected) CyanogenMod change adding the ability to "spoof" phone information that certain apps collect as part of their permission sets. This can include (among other things) device information, identification parameters, and user/app usage statistics.

With some less than squeaky-clean applications running around on the Market that may abuse those permissions, the concern is an understandable one. But is the solution (providing fake, aka "spoofed," data) proposed in a recently rejected CyanogenMod 7 change reasonable? According to Swype, the answer is a resounding "No." On the Google Code page for CyanogenMod, a Swype rep, in response to the permission spoofing change, had this to say (edited for length, emphasis ours):

... [T]here is a fine line between WITHHOLDING information and providing FALSE information. Now you're moving in the other direction: you're going from protecting yourself from a perceived threat to actually actively damaging the statistics collection and security of the application developer...

...Many companies, ours included, rely on the statistics they gather. There are a number of things these stats can provide, from analytics that are used to improve user experience, to ad revenue, to metrics that are necessary for maintaining server stability...

...[I]f spoofing becomes popular, and our statistics become useless, and our licensing becomes unreliable, the beta program could easily disappear. Without a way to justify to our OEM partners the fact that we give Swype away for free when they're paying for it, we'd have to shut it down...

If you want the tl;dr version, here it is, basically: the Swype beta for Android may end indefinitely if permission spoofing starts to corrupt Swype's data and collection and thus, its analysis efforts.

The entire reason for Swype's beta being free (though invite-only), according to them, is to provide the company with usage and user statistics in order to improve the app - increasing its appeal to phone manufacturers like Samsung, who are forced to pay licensing fees for the software when it ships on their handsets.

Denying access to that data, Swype says, isn't a great thing, but they don't see that becoming a widespread issue. But once users start actively falsifying their usage and identification information, an ethical line, Swype claims, has been crossed. How has the CyanogenMod team responded to the proposed permission spoofing change? The de facto leader of TeamDouche, Steve Kondik, posted this on the change's comments:

I would prefer that you didn't submit this

I am not sure that this is the direction I want to see CM go.

This will piss off developers, carriers, and probably Google.

Other members of the CM team have responded similarly - giving the change negative treatment in comments. It seems unlikely, at this point, that it will ever be committed CyanogenMod's source code (at least not in its present form).

Some users have complained that applications like Swype collect data that is of no reasonable use to them, such as IMEI numbers (sort of like your car's VIN#) - when other suitable unique identifiers exist. The problem is, there doesn't seem to be any argument as to how collecting that number could be readily or easily abused.

Others have gone into the realm of what could be, that Swype could one day decide to start collecting SIM serials and phone numbers through its application permissions (let me be clear, it does not), the latter of which could be personally identifying.

Proponents of spoofing have argued that there is "no good reason" for application developers to be collecting much of the data they do. Developers have generally said that regardless of the usefulness of the information (which may be used for improving an app, providing necessary data to maintain ad revenue, or general analytics), spoofing would invariably hurt Android and promote feelings of animosity between the ROM community and application developers.

And were the manufacturers and carriers to get wind of spoofing practices (if they were implemented in custom ROMs), it's likely new Android phones would start getting locked down tighter than Fort Knox. That's something I think we can all agree would be very, very bad.

The real question is: are the privacy concerns at play outweighed by the potential damage spoofing could cause to the Android community at large? I would say, confidently and without hesitation: Yes.