The Orange View (on hiatus) Because Apple is great but it isn't perfect

22 Apr 2011

Toads of Apple fans miss the dangers of iPhone tracking file

Some Apple fan bloggers have fallen all over themselves making excuses after Alasdair Allan and Pete Warden publicized the existence of a secret location-tracking file on all iPhones.

The unsecured, unencrypted file keeps location records indefinitely, each with a time and date attached. Anyone with access to the phone or to the computer the phone is synced with can grab a full record of the owner's movements, whether for law enforcement purposes, a divorce case, snooping or whatever. And Apple has said nothing about why the file exists or how it uses the data.

The excuses are pretty lame.

1. The existence of the file had been reported before. Not sure why this matters or helps Apple's case. But Allan and Warden note:

The main reason we went public with this was exactly because it already seemed to be an open secret among people who make their living doing forensic phone analysis, but not among the general public — even pretty geeky people like Alasdair and me. We were freaked out by the implications of this data and how unprotected it was, but most of the forensics community seemed to miss quite how creepy ordinary people would find it.

-O'Reilly Alex Lev blog, April 21, 2011

2. Apple is not collecting the data. One of the funniest posts offering this excuse was by Alex Levinson, who seems to have written some Orwellian software called Lantern to grab the data and track users' movements. That the phone is collecting and storing this endless history record without users' permission, in an insecure way, ought to be enough of a concern. And Apple hasn't said why the file exists or what it's doing with the data.

(UPDATE: Some folks say location data is sent to Apple, as disclosed in its privacy policy, but this is different than a lengthy history file living on the phone itself.)

3. (One of my faves) Google does it, too. Like that would make it okay for Apple to do it. But sadly, for Apple fans at least, the location listing file on Android phones just keeps locations from the past few hours and throws away old data when it's replaced with fresher data. That's what you'd expect -- caching location information so apps can get it without having to ping GPS every five minutes. Even John Gruber seemed to get that Android "is doing it right."

4. The locations aren't very accurate. This is another silly one. Sure, it might be worse if the file tracked your exact location down to 5 feet, but that doesn't mean it's okay to track you within a mile. The locations are in many cases much more specific (individual Wi-Fi routers, not just cell phone towers). Also, there's a lot of confusion around the precision issue because the crude mapping app that Allan and Warden cooked up shows locations much less precisely than what's included in the actual iPhone file.

What are your thoughts?

Posted by Aaron Pressman

Comments (7)
  1. The only way to get the data is to get the phone or a backup in iTunes. Out of all the far more sensitive personal and private data on your phone, this is what people are getting upset about?

    Joe

  2. > Out of all the far more sensitive personal and private data on your phone, this is what people are getting upset about?

    YES, because every other piece of sensitive data on my phone is stored there WITH MY CONSENT. I *CHOOSE* what is sensitive and what is not, and duly add or remove stuff as I see fit.

    Do you really want to get prosecuted by US authorities because, after seizing your phone at the airport, it was discovered that you travelled to a nation the government doesn’t like you visiting?

    How about getting arrested because, after searching your home in an unrelated matter, the police discover that you were in the general area of some other unsolved crime?

    ANY information about you, given the right amount of incompetence, ignorance, or malice, can be used against you. Apparent patterns can and usually do emerge where there are in fact none, leading people to the wrong conclusion. That’s why we have protection from unreasonable search, and the right to remain silent enshrined within the law.

  3. “YES, because every other piece of sensitive data on my phone is stored there WITH MY CONSENT. I *CHOOSE* what is sensitive and what is not, and duly add or remove stuff as I see fit.”
    You better read the fine print more carefully. You gave consent, if you own an iPhone or Android phone. And if people are correct about what the law, it doesn’t matter if you gave consent. I hope they are wrong.

    “it was discovered that you travelled to a nation the government doesn’t like you visiting?”

    They’ll know that already with my PASSPORT (speaking of consent). They won’t know that with my phone because it is generally too expensive to turn on abroad.

    “given the right amount of incompetence, ignorance, or malice, can be used against you.”

    It doesn’t matter how idiot proof you make something, someone will make a better idiot.

    Joe

  4. Joe, I’ve had discussions with Apple fanatics that claim this is no big deal. Okay, let’s assume it’s not a big deal. Surely Apple will do nothing about this file then, since it’s no big deal, right?

  5. “Surely Apple will do nothing about this file then, since it’s no big deal, right?”

    Perception is reality. It doesn’t matter if it is or isn’t REALLY a big deal, it is a matter of how perception does or doesn’t change. Just like antenna-gate wasn’t REALLY a big deal, doesn’t mean Apple didn’t have to, eventually, address it. People did and continue to use their iPhones just fine, thank you very much.

    Should it be encrypted? Probably. Should it dump the info eventually, ala Android? Probably, again.

    In reality, if a person finds themselves in a position that this data is accessible and incriminating, they have bigger issues than what could be discovered or inferred with this location data.

    Personally, I find cookies dropped on my computer from websites and their ability to track my IP without even a warning they may do so far worse an offense. People can tell a whole lot more about me through my web browsing than my travels.

    Joe

  6. I agree with most of what you say. I think why this rattled a lot of cages was that location data is not something people typically are aware of. We’ve had more than 10 years worth of awareness that your web habits can be tracked. Location-based services are still in an infancy.

    I agree that its impact may fizzle like antenna-gate and other transgressions by Apple in the past, but it shouldn’t. Companies like Google have to be extra careful because of all the privacy scrutiny they get. Apple should be no different, but we all know they get a pass in the press and because of their superior aesthetics. While this was probably a bug I think it points to a very lackadaisical posture towards security in Appleland.

    Apple had a pretty big design flaw with the antenna. Antenna designs are very tricky, they took a gamble and it didn’t work. Even though it never really hurt sales, I agree Apple learned their lesson. However, as the market gets more saturated, the missteps may eventually start to cost them.

  7. “We’ve had more than 10 years worth of awareness that your web habits can be tracked. Location-based services are still in an infancy.”

    All those writers who were telling me for the last 15 years that “cookies are just the way the web works”, it will be interesting to see if they say the same thing about location data.

    Personally I think both Apple and Google have done a good job of warning people about tracking their location for location based apps. Unfortunately no one really knew what that meant. If you want to use Google Maps, Yelp, Urban Spoon, Flixster, or any of those “check-in” apps, etc., what did you think was going to happen? In that regard, I give the location data more of a pass than web tracking.

    Really, the info people post on their Facebook and Twitter accounts is far more dangerous and likely to be used nefariously. Apple and Google aren’t the only ones we can accuse of being lackadaisical, although I would really say most everyone is being more naive than lackadaisical, because, as you say, of the infancy of it all.

    Just like, after all those years of easy self-service gas stations, all it took was that first guy to drive off without paying for gas to make it unnecessarily difficult for the rest of us.

    Joe
