The iPhone tracking fiasco and what you can do about it
By now you've no doubt heard about a certain iOS database file called consolidated.db. It made quite a splash yesterday when a pair of researchers, Alasdair Allan and Pete Warden, from O'Reilly Media announced the "iPhone tracking software" the duo had "discovered hidden on the phones." Here's the problem: they didn't discover it, at least not originally. The file, known to hold large amounts of geolocation data collected from WiFi access points and cell-towers, has been probed by forensic experts ever since the retail launch of the iPhone 4 back in June of 2010. Hell, Sean Morrissey and Alex Levinson published a physical book on the topic back in December 2010, entire excerpts of which can easily be found on Google. So either the team from O'Reilly is being disingenuous with its claims or it's being lazy.
Regardless, the story laid dormant for months until the O'Reilly team was able to visualize the data in a very personal way. Running the team's open-source iPhoneTracker software to see the detailed locations of our worldly travels is absolutely fascinating. Imagining the same data file in the hands of a stalker, misguided detective, or a jealous lover is downright creepy.
But how is it possible that an issue like this has avoided the tech community at large for more than a year? And more importantly, what can you do about it? Read on to find out.
Update: A timely discovery from Vishal -- here's a note from Apple General Counsel Bruce Sewell [PDF] to Congressmen Edward Markey and Joe Barton, providing a detailed look at its privacy policy, presumably regarding this issue.
Sure the visualization is powerful, but so is the emotive energy that surrounds any issue related to Apple. Toss in big brother privacy concerns and you've just unleashed the perfect storm into the blogosphere echo chamber. Yet, we heard nary a peep emitted outside of forensic circles until yesterday. Ryan Block, lover of fine coffee and Engadget Editor Emeritus, postulated an answer to our question over at gdgt, theorizing that perhaps the forensic community, unlike the security world, is so insular that it lacks the incentive to go public with such privacy concerns. After all, criminals will change their behavior if they know what you're tracking. But who's the so-called "criminal" in this case?
For that, we have to dig into Apple's privacy policy, something you accept every time you blindly click away Apple's terms and conditions. The policy was last updated on the 21st of June, 2010 -- the same day that Apple released iOS 4. Guess what? It talks a lot about collecting and using non-personal information, including location data. Here are a few choice paragraphs:
We also collect non-personal information − data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose.
Apple then cites several examples:
We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.
The company later expounds on location services specifically:
To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services.
Problem is, the location data is very personal and hardly anonymous because it's stored right on your phone -- the most personal device we own. The consolidated.db is also replicated (unencrypted by default) to any PC or Mac your iPhone syncs with, and subsequently any additional backup devices you might use (Windows Home Sever, Time Capsule, etc.).
But what's actually being captured by the consolidated.db file? Is it really the precise location of the device, i.e., you? No, actually, it's not. According to "iOS Forensic Analysis for iPhone, iPad, and iPod Touch," written by Sean Morrissey and Alex Levinson, the data collected is the geolocation of the cell towers that the iOS device communicates with. So it's an approximation of your location. However, the researchers go on to say that, "This data, along with corresponding data from carriers, can link a phone to a specific location on a given date and time." Levinson concludes, however, that the data is never transmitted to Apple, and is used exclusively by built-in iOS apps like Maps and Camera.
Apple's not alone in this behavior, either. Just last month, The New York Times ran a story titled, "It's Tracking Your Every Move and You May Not Even Know." In this case, however, "it" does not refer to Apple, it references the cellphone companies who have to track your location in order to provide the best possible service. That meant 35,000 longitude and latitude coordinates collected over a six month period for one very unhappy Deutsche Telekom subscriber who had to go to court in Germany to find out what his provider knew. See, like the United States, German carriers are not required to report the data they collect.
Don't get us wrong, we're not letting Apple off the hook here -- we also want to know why the company needs to collect and maintain so much of our location data for such a long time. And why is it so easily accessible? But we, as consumers, have to pay better attention if we want to reserve the right to scream foul.
If this issue really concerns you, then there are a few things you can do right now to take control of your privacy. First, you can go into iTunes and start encrypting your iPhone and iPad backups. Second, you can purge the consolidated.db files sitting on your various hard disk drives. Lastly, if your device is jailbroken, you can install the free Untrackerd app to continuously clean the consolidated.db file. That should keep you busy while we wait for Apple to respond.