Wednesday April 20, 2011 7:36 pm
You gave Apple permission to track your whereabouts via your iPhone
Did you know that Apple is tracking your every move with your iPhone and iPad? A blog post published today on O'Reilly Radar claims that devices running iOS 4 are gathering location and storing it in an unencrypted manner.
"What makes this issue worse is that the file is unencrypted and unprotected, and it's on any machine you've synched with your iOS device. It can also be easily accessed on the device itself if it falls into the wrong hands. Anybody with access to this file knows where you've been over the last year, since iOS 4 was released," wrote Pete Warden, founder of the Data Science Toolkit, and Alasdair Allan, a senior research fellow at the University of Exeter.
The data is being stored to a file known as "consolidated.db," which includes latitude-longitude coordinates and a timestamp.
Of course, this shouldn't surprise anyone who read the entire 45-page EULA, as it clearly states the following clause when going into detail on the type of “non-personal information” that Apple can “collect, use, transfer, and disclose … for any purpose.”
We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.
"The coordinates aren't always exact, but they are pretty detailed. There can be tens of thousands of data points in this file, and it appears the collection started with iOS 4, so there's typically around a year's worth of information at this point," Warden and Allan wrote.
The duo speculated that the data collection is erratic. Update times vary and might be triggered by traveling between cells or activity on the phone itself.
But while this data is being stored on your phones and iOS devices, Warden and Allan acknowledge that there is no "evidence to suggest this data is leaving your custody"—aka, being sent to Apple. There is also "no immediate harm that would seem to come from the availability of this data."
"But why this data is stored and how Apple intends to use it—or not—are important questions that need to be explored," they wrote. "The cell phone companies have always had this data, but it takes a court order to access it. Now this information is sitting in plain view, unprotected from the world. Beyond this, there is even more data that we have yet to look at in depth."
As one commenter on the blog post pointed out, this data collection was first discussed last year. Digital forensic specialist Christopher Vance wrote on his blog that the location data is used as part of iAds, in addition to apps that require location-based data.
"Every time iAds or an app that uses Location Services pings the GPS service, a new record is created in either the CellLocation or WiFiLocation table respective of what type of network was being used. There's also a Timestamp column in each table for each record," Vance wrote in September. "In a recent test, I found over 8000 records of stored GPS data. By default, Location Services for all apps is enabled. Also, being enrolled in the iAds program is enabled by default. In fact, the only way to cancel your enrollment from the iAds program is to go to Apple's website."
Apple did not immediately respond to a request for comment, but another commenter pointed to a July 2010 letter that Apple penned to House lawmakers about its location-based services.
Apple insisted that its location-based services exist only to enhance the user experience and that the company does not activate these services until it has received express consent from users. It collects data "anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services," Bruce Sewell, general counsel and senior vice president of legal and government affairs at Apple, wrote in a letter to Reps. Edward Markey and Joe Barton.
"Apple is committed to giving our customers clear notice and control over their information, and we believe our products do this in a simple and elegant way," he said.
In the letter, Apple said four Apple devices collected geographic location data: the iPhone 3G, the iPhone 3GS, the iPhone 4, and the iPad Wi-Fi + 3G. To a lesser extent, older iPhone models, the iPad Wi-Fi, the iPod touch, Mac computers with Snow Leopard, and Safari 5 also collect similar information.
Apple started collecting location-based data and Wi-Fi information in January 2008.
"Apple has always provided its customers with the ability to control the location-based service capabilities of their devices," Sewell said. "In fact, Apple now provides customers even greater control over such capabilities for devices running the current version of Apple's mobile operating system, iOS 4."
With iOS 4, customers can pick and choose the apps with which they do not want to share location information, even if the global, location-based capabilities on their device are turned on, Apple said. An arrow icon, meanwhile, alerts iOS 4 users if an app is using or has recently used location-based information.
Warden and Allan seemed to take issue with the fact that the data collected was easily accessible. They built an app that helps you look at your own data, and suggested that concerned users encrypt their backups via iTunes. To do so, click on your device within iTunes and then check "Encrypt iPhone Backup" under the "Options" area.
A more detailed look at Warden and Allan's investigation is in the video below.
The news is also interesting in light of a case out of Michigan where police officers have been accused of secretly extracting data from peoples' cell phones during routine stops. The American Civil Liberties Union of Michigan has urged the Michigan State Police (MSP) to release information about the alleged practice.
- Related Tags: