Heat grows on Apple over iPhone location tracking issue
Privacy watchdogs are demanding answers from Apple Inc. about why iPhones and iPads are collecting location data on users -- records that cellular service providers routinely keep but require a court order to give up.
So far Apple hasn't answered that question or made any other comment.
It's not clear whether other smartphones and tablet computers are logging such information on their users. And this week's revelation that the Apple devices do wasn't new. Some security experts began warning about the issue a year ago.
But the worry that was prompted by a report from researchers Alasdair Allan and Pete Warden at a technology conference in Santa Clara, Calif., raises questions about how much privacy a person surrenders by carrying around a smartphone.
It also raises questions about the responsibility of the makers of smartphones to protect sensitive data that flow through their devices.
Allan and Warden also created and made available an application that people can use to find and display the data.
Much of the concern about the iPhone and iPad tracking stems from the computers logging physical coordinates without users knowing it and from the information being stored in an unencrypted form that would be easy for a hacker -- or a suspicious spouse or a law enforcement officer -- to find.
Such location points and times are some of the most valuable information a mobile phone can provide because they can tell advertisers where someone has been and where they might be going -- and what they might be inclined to buy when they get there.
Researchers emphasize that there's no evidence that Apple has access to this data. The data apparently stay on the iPhone or iPad and on any computer the information is backed up to.
Charlie Miller, a prominent iPhone hacker, said Apple had made a change that makes the data -- though unencrypted -- difficult to get off the phone. The data are "pretty well protected on the phone," said Miller, principal security analyst with Independent Security Evaluators.
But the information is much easier to steal if it's backed up to a PC, especially if the computer is infected by a virus.
In addition, the tracking can be turned off -- if a user knows it's occurring and gives the right command, said Alex Levinson, a security expert.
Levinson also said tracking isn't new -- or a surprise to those in the computer forensics community.
The Apple devices have been retaining the information for some time, but it was kept in a different form until the release of the iOS 4 operating software last year, Levinson, technical lead for the Katana Forensics firm, wrote on his blog.
Through his work with law enforcement agencies, Levinson said, he was able to access the location data in older iPhones and warned people about the issue more than a year ago. The location data are now easier to find because of a change in the way iPhone applications access the data, he said.
Tracking is a normal part of owning a cellphone. What's done with that information, though, is where the controversy lies.
A central question is whether a smartphone should act merely as a conduit of location data to service providers and approved applications or as a more active participant by storing the data itself, to make location-based applications run more smoothly or help better target mobile ads or many other uses.
Allan and Warden say the location coordinates and time stamps in the Apple devices aren't always exact but appear in a file that typically contains a year's worth of data. When taken together, the data provide a detailed view of users' travels.
"We're not sure why Apple is gathering this data, but it's clearly intentional, as the database is being restored across backups and even device migrations," they wrote in a blog posting announcing the research.
Allan said in an email that he and Warden had not looked at how other smartphones behave in this regard, but there's suspicion that phones running Google's Android software behave in a similar way. Google also did not respond to a request for comment.
The issue has prompted several members of Congress to write to Apple, based in Cupertino, Calif., to ask questions about the practice.
Sen. Al Franken, a Minnesota Democrat, said it raises "serious privacy concerns," especially for children using the devices, because "anyone who gains access to this single file could likely determine the location of a user's home, the businesses he frequents, the doctors he visits, the schools his children attend and the trips he has taken -- over the past months or even a year."
In the meantime ...
You can password-protect your computer so someone else can't download the researchers' app and run it on your iPhone backup. Or turn off your phone's Location Services (in Settings), at least whenever you're going somewhere you're not supposed to be. Or encrypt your iPhone backups. In iTunes, click your phone's icon and turn on Encrypt iPhone Backup.
| David Pogue, The New York Times