Government officials voice concern to Apple over location tracking

Posted:
in iPhone edited January 2014
U.S. Senator Al Franken and Congressman Ed Markey have sent letters to Apple CEO Steve Jobs expressing concern over recent reports that Apple's iOS 4 maintains a database with detailed location information, while several European officials are planning investigations into the practice.



Security researchers sounded an alarm earlier this week over a database file in iOS 4 that regularly logs the location of both the iPhone and 3G iPad. According to the researchers, the current version of the log began with the launch of iOS 4 last year, resulting in as many as "tens of thousands of data points" collected over the past year.



"What makes this issue worse is that the file is unencrypted and unprotected, and it's on any machine you've synched with your iOS device," wrote one researcher. "It can also be easily accessed on the device itself if it falls into the wrong hands. Anybody with access to this file knows where you've been over the last year, since iOS 4 was released."



The researchers did note, however, that they had yet to find evidence that the location data had been sent to anyone.



Senator Franken sent an open letter to Jobs on Tuesday, noting that the stored location information "raises serious privacy concerns."



"I read with concern a recent report by security researchers that Apple's iOS 4 operating system is secretly compiling its customers' location data in a file stored on iPhones, 3G iPads, and every computer that users used to "sync" their devices," Franken wrote.







Franken found the fact that the file is stored in an "unencrypted format" to be "even more worrisome."



"Anyone who finds a lost or stolen iPhone or iPad or who has access to any computer used to sync one of these devices could easily download and map out a customer's precise movements for months at a time," he continued. "It is entirely conceivable that malicious persons may create viruses to access this data from customers' iPhones, iPads, and desktop and laptop computers."



iPhone location data plotted | Source: O'Reilly Radar



Franken took particular issue with the possibility that underage users could be at risk, citing an analytics report that found 13 percent of iPhone users to be under the age of 18.



The senator concluded his letter with a series of questions for Apple. "Why does Apple collect and compile this location data? Why did Apple choose to initiate tracking this data in its iOS 4 operating system?"



Franken also queried Apple on how the data is generated, why Apple chose not to encrypt it, whether the practice had been outlined in Apple's privacy policy and to whom the data had been disclosed.



Rep. Markey's letter closely resembles Franken's and includes a list of questions that Apple is to respond to by May 12. "I am concerned about this report and the consequences of this feature for individuals' privacy," he wrote.



According to The New York Times, the Italian Data Protection Authority has opened an investigation into Apple's data collection. CNIL, the French data protection authority, is currently in the process of verifying the location tracking practice and may also initiate an investigation.



Given the involvement of elected representatives, this week's privacy incident has taken on echoes of a controversy from last year. Last summer, two U.S. congressmen, including Rep. Markey, sent a letter to Apple after an erroneous and alarmist report claimed that Apple had changed its privacy policy to begin "collecting, sharing iPhone users' precise locations."



In fact, Apple had not changed its policy and was simply restating the privacy policy in its EULAs. Apple allows users to opt out of location services on a system-wide level or within specific apps. Those wishing to prevent iAd, the Apple-developed ad network, from accessing location data can visit an "Opt Out" URL from their device.



Apple general counsel Bruce Sewell responded to the congressmen with detailed explanations of Apple's privacy policy for location services. In the letter, Sewell noted that Apple keeps location data for six months to improve its iAd network. "These databases must be updated continuously," Apple wrote.



However, recent findings from security researchers would appear to dispute that fact, since the database they discovered had location records that dated back almost a year.



The location file is nothing new, according to researcher Alex Levinson, who claims to have discovered the log months ago. Prior to iOS 4, the location data was stored in a /root/Library/caches/locationd folder, Levinson said.



John Gruber of Daring Fireball noted on Thursday that the tracking log appears to be an error. "My little-birdie-informed understanding is that consolidated.db acts as a cache for location data, and that historical data should be getting culled but isn't, either due to a bug or, more likely, an oversight," Gruber wrote.

Comments

  • Reply 1 of 50
    MacProMacPro Posts: 19,727member
    Given Apple don't collect the data I don't quite get all the tin foil hat responses. I do get it that the data should be encrypted.
  • Reply 2 of 50
    Does the setting of location services affect what is saved in this db file?



    I suspect this issue will be dealt with quickly and I'm less concerned about a file that shows roughly where I have been rather than precisely where I am right now. Just the same I will be glad when this is fixed.
  • Reply 3 of 50
    hmurchisonhmurchison Posts: 12,423member
    Pot Teakettle Black



    I'm more keen on how the Government is tracking my whereabouts than what Apple's doing. I can pay cash for a Mac without raising suspicion unlike purchasing a plane ticket with cash which is a red flag.



    Everyone in power wants to track those who have little power.
  • Reply 4 of 50
    iansilviansilv Posts: 283member
    OK good- I am glad the senators are investigating a bug in iPhone software that is likely to be fixed shortly and can already be stopped by a program released on cydia.



    I mean, all the important stuff is taken care of. So now they can devote time to things like this.
  • Reply 5 of 50
    In reading through all the coverage of this topic during the last 48 hours I have a couple of questions: Is the Apple iPhone the only phone that collects and sends location information? Is it just a coincidence that this story broke on the day Apple was releasing their quarterly earnings?
  • Reply 6 of 50
    yvo84yvo84 Posts: 84member
    Apple made headline news in Australia, I assume they're getting bad press all around the world.
  • Reply 7 of 50
    solipsismsolipsism Posts: 25,726member
    Quote:
    Originally Posted by digitalclips View Post


    Given Apple don't collect the data I don't quite get all the tin foil hat responses. I do get it that the data should be encrypted.



    On the flip side, if this data was encrypted when other data isn't and it was discovered people would be claiming that Apple must be up to something otherwise they wouldn't have tried to hide it from us with encryption.





    Quote:
    Originally Posted by pjanders View Post


    In reading through all the coverage of this topic during the last 48 hours I have a couple of questions: Is the Apple iPhone the only phone that collects and sends location information? Is it just a coincidence that this story broke on the day Apple was releasing their quarterly earnings?



    It doesn't appear to send the data anywhere.

    All the others have a similar file, but they don't appear to be keeping the old cache.

    I think it is a coincidence.





    PS: My Mac makes a lot of extra com.apple.quicktimex.plist.????? files for no apparent reason. They have some arbitrary alphanumerics where the question marks would be. I assume these are also oversights in OS X not removing caches.
  • Reply 8 of 50
    hmurchisonhmurchison Posts: 12,423member
    AT&T



    Pretty much has the same data. Every cellular call or link my phone makes puts me in a certain area at a precise time. You can either choose to take this information at a net positive or negative.







    You'd be surprised how an innocuous check-in could save your life



    http://articles.cnn.com/2009-11-12/j...te?_s=PM:CRIME



    Slow news day. Franken should be more concerned with creating jobs and helping get this country back in the black.
  • Reply 9 of 50
    solipsismsolipsism Posts: 25,726member
    Quote:
    Originally Posted by hmurchison View Post


    You'd be surprised how an innocuous check-in could save your life



    http://articles.cnn.com/2009-11-12/j...te?_s=PM:CRIME



    How can they be sure his father or someone else didn't do the FB update? How can they be sure he didn't write a script that will update his FB status from his father's computer at a particular time? How do they know he didn't have an app phone with a VNC app that could access his father's computer right before or after the robbery?
  • Reply 10 of 50
    magicjmagicj Posts: 406member
    Quote:
    Originally Posted by AppleInsider View Post


    John Gruber of Daring Fireball noted on Thursday that the tracking log appears to be an error. "My little-birdie-informed understanding is that consolidated.db acts as a cache for location data, and that historical data should be getting culled but isn't, either due to a bug or, more likely, an oversight," Gruber wrote.



    Fixing this "bug" doesn't really solve the problem, if I understand correctly. The "correct" cache is supposed to store data for 6 months. So someone could still track, say, the movements of a 13 year old girl for the last 6 months.



    Also difficult to believe this is a "bug" if Apple moved the file from one directory to another during an iOS update. They create the file, they moved the file, they use the data in the file to make money, yet they never QAed the file?
  • Reply 11 of 50
    amxamamxam Posts: 2member
    I think it's great that the U.S. Government is concerned about the products we buy like the lead paint from China and don't worry about the clean water act. There are people, PEOPLE being tracked with a smart phone!



    I think they really are not worried about the people or customers. Most of the government uses iOS devices so I feel they are more concerned that their actions and movements can be tracked. Because they lack the technology intelligence to shut off the service for themselves they have to protect "The People" because we all know the government is looking out for our best interest.



    ... and hey when all else fails, divert attention from the big problems like our entire congress acts with the attitude of a 6 year old. Good Job Al. Go back to writing Jack Handy poems.
  • Reply 12 of 50
    mdriftmeyermdriftmeyer Posts: 7,503member
    Love the whining, especially from the US Senate. They track everyone's whereabouts with The Patriot Act and suddenly they act as if a Locations service db for cellular tower triangulation and wifi is somehow the real privacy invasion.



    Get real.



    Telcos have allowed communications to be tapped for nearly 4 decades and this service everyone leverages for their applications is the big bad wolf?



    Whine about today's Military GPS+ and the ability to see yourselves humping from Space. That seems to be ignored by all as "for our own protection."
  • Reply 13 of 50
    1. No one seems to have noticed the "clients.plist" which is located in the same directory which lists all the various users of locations services, including apps. Each listing has a timestamp used by the app/website that matches a timestamp for the location used that's located in the consolidated.db!

    Funny how the "researchers" missed that one.



    2. I guess it is also a coincidence that the directory "locationd" in which these so called "hidden" files is located in the "Caches" directory. I wonder why that is? A red herring? I doubt it.



    3. How exactly are these files hidden? When I tried to locate this "hidden" file, I found it very quickly and easily. If they were hidden, then no one would know they were there. They are as hidden as the SMS parts, or the Address book. I'm also going to raise a stink because my photos are being stored in a secret directory called "DCIM". It must be a conspiracy.



    4. Lastly, in the original article, it is stated "that your iPhone, and your 3G iPad, is regularly recording the position of your device into a hidden file." Later the statement "the timing of the recording is erratic" is made. So which is it?
  • Reply 14 of 50
    solipsismsolipsism Posts: 25,726member
    Quote:
    Originally Posted by mdriftmeyer View Post


    Whine about today's Military GPS+ and the ability to see yourselves humping from Space.



    That would make an interesting porn category.
  • Reply 15 of 50
    ibillibill Posts: 400member
    Great. Now that they got that troublesome Barry Bonds business out of the way, they can devote themselves to really important stuff, like saving us from our iPhones.
  • Reply 16 of 50
    mac_dogmac_dog Posts: 1,069member
    How many other companies that have any kind of information on its customers are they scrutinizing? I wonder.
  • Reply 17 of 50
    a2gsga2gsg Posts: 26member
    and explained why they were collecting it, in a letter to several Congressmen. See:



    http://markey.house.gov/docs/applema...ton7-12-10.pdf
  • Reply 18 of 50
    Cmon, guys, cut the sarcasm. Whether or not a Senator is the one asking-- frankly, who cares -- Apple darn well has a duty to answer what seems like a very reasonable bunch of questions that lots of people are asking.



    Taking refuge in 'but everybody does it' is simply lame, and you know it. If that logic were applied across the board, Apple would be no different from 'everybody' -- i.e., it wouldn't be Apple. I hold the company to a higher standard.



    Someone senior from Apple should just come out and clarify immediately, and get it out of the way. I can bet that the EU, in particular, is going to be all over this in 24 hours. They take their privacy very seriously over there (unlike here in the US.)



    This is Cook's first public PR crisis. Let's see how he handles it.
  • Reply 19 of 50
    solipsismsolipsism Posts: 25,726member
    Quote:

    It looks like the file that was discovered by Alasdair Allan [and] Pete Warden has existed since iOS 3 and has been known since the launch of iOS 4.



    Under iOS 3, it was a .plist file called h-cells.plist, which was in /root/Library/caches/locationd and contained the same information as the iOS 4 file. With the sandbox design for third party applications and multitasking introduced in iOS 4, the file had to change in order to allow apps to access it.



    It is now called consolidated.db and would only be used by applications requiring location services. A network traffic analysis of connections to Apple servers shows that the information contained in that file is not sent to Apple. Anyway, Californian law forbids Apple or anyone else to do so.



    http://www.hardmac.com/news/2011/04/...an-explanation
  • Reply 20 of 50
    charlitunacharlituna Posts: 7,217member
    Quote:
    Originally Posted by iansilv View Post


    OK good- I am glad the senators are investigating a bug in iPhone software that is likely to be fixed shortly and can already be stopped by a program released on cydia.



    Honestly I would be more worried about those jailbroken apps. I've heard reports of some systems opening up all kinds of security holes in devices if things aren't handled right. An app could do what Apple doesn't and send your information out to a central database along with your phone number and who knows what else and you might never know it.



    That kind of thing is way more worrisome than some file on your iPhone that you can't directly access from the iPhone or even the backup files without some kind of 3rd party tool