Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[JimH]

From CNET:

"Researchers announced today that they found what look like secret files on theiPhone that track user location and store it on the device, without the permission of the device owner. It's unclear what the data is used for and why Apple has been collecting it in iOS products that carry a 3G antenna for nearly a year now.

"Alasdair Allan, senior research fellow in astronomy at the University of Exeter, and writer Pete Warden, who discovered the log file and created a tool that lets users see a visualization of that data, say there's no evidence of that information being sent to Apple or anybody else. Even so, the pair note that the data is unencrypted, giving anyone with access to your phone or computer where backups may be stored a way to grab the data and extrapolate a person's whereabouts and routines. "

Full article:
http://news.cnet.com/8301-13579_3-20055885-37.html?tag=topStories3

[glynor]

While certainly not the greatest news ever, this isn't really The Terrible Thing it appears to be on first glance.  A few points just to temper all of the OMG! Hype:

0. The data stored is a cell tower connection record.  While this can be used to triangulate your location with a fair degree of certainty, it is not GPS data down to the foot-scale.  The "tracking" can be (and is on mine) off by miles and miles.
1. This is not new.  Security researchers discovered this last year and published papers on it.  The only thing that is new here is that someone wrote a clever Mac app that displays this data on a map grid.  Well, that, and the newsmedia suddenly paid attention to it.
2. The file is encrypted if you tell it to be.  If you aren't encrypting your backups, then your email and calendar and web history and all sorts of other nefarious details are ALSO available unencrypted on your hard drive for anyone with access to your drive, a copy of DD, and the will to use it.  If you took the reasonable (and simple) step of encrypting your backup, their little hack doesn't work.  If you aren't encrypting your backups, then you kinda deserve what you get.
3. Apple says that they don't collect this information, it is just locally stored.  Apparently the device was supposed to wipe the cache of old information, but this isn't happening due to a "bug" (aka laziness).  The information should also be encrypted on the phone, but Apple's closed App ecosystem makes it unlikely that an on-device app could exploit this data, and you can remotely wipe your device if it ever falls into the wrong hands.
4. There is no evidence that this information is being transmitted to Apple or anywhere else.  The original security whitepapers posited that it is likely collected for network performance monitoring reasons.
5. Google DOES collect this same exact information on Android.  The file on their systems is handled properly though and old data does get wiped regularly (kudos for that).  There is no word on if Google (or any of their handset partners) is collecting this information remotely though.

This last point brings up something else that always makes me uneasy about using Google Android on a location-aware device, though... Google is an Ad Company.  They make north of 97% of their profits from selling targeted ads.  You are not their customer, you are their product.  This is a fundamentally different relationship than what you have with Apple (or even Microsoft, though Microsoft also doesn't view the end-users as their customers for handsets).

What makes me uneasy is this:  Why wouldn't Google transmit the information and collect that information themselves?  Even if the info is cleared off of your phone after some period of time, if it has already been transmitted to Google, that doesn't do you any good.  My device tracking me constantly and keeping that information on my hard drive is not great, but it is also not the end of the world (or that surprising).  I can just delete/encrypt the backup file if I don't like it, or format the phone, or both.  But for Google?  That's extremely valuable information for advertisers.  Why show you ads for Bojangles if the closest one is 600 miles away from anywhere you've ever been?  There is certainly no law that says they can't collect this information, and it is extremely valuable for their core business...

If they aren't collecting this information, it is because either: (A) they haven't gotten to it yet, or (B) they aren't doing it out of the "goodness of their hearts" (or because they are afraid to get caught, which is basically the same thing with a multi-billion-dollar international corporation).  I don't trust that B will last...

[glynor]

The best article I've read about this:
http://ihnatko.com/2011/04/20/hey-wonderful-theres-a-location-tracking-file-on-my-iphone/

[glynor]

Apparently, Microsoft just admitted that they're tracking users too, and doing it in a potentially much creepier way.  From CNET today (emphasis mine):

Microsoft says its operating system transmits the MAC address of the Wi-Fi access point (but not the name), signal strength, a randomly generated unique device ID retained for an unspecified limited period of time, and, if GPS is turned on, the precise location and direction and speed of travel. That happens when the "application or user makes a request for location information," the company says.

So, unlike iOS, where this information is:

A) Based on cell tower location triangulation, not GPS positioning
B) Stored locally on the device, in a protected directory where it is inaccessible to apps on the device (so long as you're not jailbroken, yet another reason to avoid that)
C) Included in the full device backup, which can be encrypted by the user by simply entering a password in iTunes
D) Isn't being transmitted anywhere to anyone

Microsoft is admitting that the devices are actually transmitting the GPS data to Microsoft any time an application uses the location services on the device and GPS is enabled.  They made no statements to CNET at all about what, exactly, they're using this information for, but you know... Surely you can trust them to not keep a record associated with your devices' GUID.  I'm really only sort-of kidding.  In all likelihood, they're just using this to accelerate the "Find My Phone" feature they offer for WP7 (the iOS variant takes forever to find the devices because it has to actively poll them to get the GPS lock, and doesn't have any idea where you are until then).  But, who knows?  They could certainly be keeping it and selling it to advertisers and whomever else might want it.

I really think all of this is a tempest in a teapot.  If you are using a cell phone, ANY cell phone not just smartphones, you can be tracked by anyone with access to the cell network infrastructure.  They've publicly used this capability to track people down when lost in the wilderness, and any moderately intelligent criminal already knows this and therefore uses burner pay-as-you-go phones for their nefarious purposes.