Leaked Apple device UDIDs were stolen from small publishing company

Posted:
in General Discussion edited January 2014
A collection of more than a million unique iPhone and iPad identifiers did not come from an FBI laptop, but were instead taken from a Florida publishing company called BlueToad.

The CEO of BlueToad, Paul DeHart, confirmed to NBC News that the identifiers, known as UDIDs, were taken from his company's databases. Technicians at BlueToad downloaded the list of UDIDs and found a 98 percent correlation between the company's own data and the leaked list.

"That's 100 percent confidence level, it's our data," DeHart said. "As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record, and take responsibility for this."

In a statement, Apple confirmed that BlueToad would have access to UDID device names and types, because BlueToad is a registered iOS app developer. Apple also clarified that developers do not have access to user account information, passwords or credit card information.

BlueToad provides digital edition and mobile application support to more than 6,000 different publishers.

The public admission by BlueToad brings to a close the question of where the hacking group "AntiSec" obtained a list of more than 1 million UDIDs that were published online. The group originally said the identifiers were stolen from an FBI laptop, but the bureau publicly denied those claims.

After 1,000,001 UDIDs were published by AntiSec, the group claimed the list was just a small sampling of over 12 million total IDs it had stolen.

Apple also issued a statement on the situation last week, noting that it did not provide any UDIDs to the FBI, and that neither the FBI nor any other organization had requested such information from Apple. Starting with iOS 6, Apple will introduce a new set of application programming interfaces that will replace the use of UDID, and the company plans to ban the use of UDID.

Comments

  • Reply 1 of 16
    Not good that the data wasn't secured, but the publisher deserves credit for coming forward with it.
  • Reply 2 of 16


    AntiSec?


     


    No, AntiSocial.

  • Reply 3 of 16
    gqbgqb Posts: 1,934member


    'Victimized' my a**... Why were they storing DDIDs in the first place?


    Pull their dev account.

  • Reply 4 of 16


    FBI Cover up / Damage Control? I put nothing past the Bureau... 

  • Reply 5 of 16

    Quote:

    Originally Posted by GQB View Post


    'Victimized' my a**... Why were they storing DDIDs in the first place?


    Pull their dev account.



    I don't have the technical knowledge to answer this question: maybe because they needed to do so? Are device IDs how developers track users with licenses through the API? Are they necessary for push notifications? The fact that Apple is working on phasing them out in a future version of iOS suggests that they're necessary for something and need to be replaced by something else.


     


    I honestly don't know, but this could well be something that all or at least many developers are doing?

  • Reply 6 of 16
    mstonemstone Posts: 11,510member


    This is pretty much what I thought all along was the real story.

  • Reply 7 of 16
    UUID is a serial number that developers use because it's the primary (essentially the only) thing one app can collect and another app can cross reference to know that both apps are on the same iOS device.

    So ad networks (like Google) have been using this to correlate activity recorded within one app to cross reference activity in another associated with the same UUID, so that those behaviors can be combined into a semi-anonymous profile used to target ads.

    So one example might be linking the likely demographics of unknown game player with UUID x to the web browser ad cookies also tied to that UUID so Google can market games to that user as they browse, rather than tampons or travel sites or healthy food.

    Not exactly as scary as privacy advocates portray, but still something that many people don't like the idea of. In iOS 6, Apple is removing the ability for apps to obtain UUID, so there's no way to compile this data without users opting in to a program (say, signing into websites or multiple apps with a login that advertisers can cross reference across them).
  • Reply 8 of 16

    Quote:

    Originally Posted by Corrections View Post



    UUID is a serial number that developers use because it's the primary (essentially the only) thing one app can collect and another app can cross reference to know that both apps are on the same iOS device.

    So ad networks (like Google) have been using this to correlate activity recorded within one app to cross reference activity in another associated with the same UUID, so that those behaviors can be combined into a semi-anonymous profile used to target ads.

    So one example might be linking the likely demographics of unknown game player with UUID x to the web browser ad cookies also tied to that UUID so Google can market games to that user as they browse, rather than tampons or travel sites or healthy food.

    Not exactly as scary as privacy advocates portray, but still something that many people don't like the idea of. In iOS 6, Apple is removing the ability for apps to obtain UUID, so there's no way to compile this data without users opting in to a program (say, signing into websites or multiple apps with a login that advertisers can cross reference across them).


     


    A couple of corrections for Corrections: First, it's UDID (not UUID). Second, it's exactly how privacy advocates portray it.

  • Reply 9 of 16
    AntiSec?

    No, AntiSocial.

    bra-vo! so effing clever.
  • Reply 10 of 16
    gatorguygatorguy Posts: 24,213member


    FWIW Apple still considers your UDID to be non-identifiable and has your permission to use it or share it with anyone in any way they would like to. Even assuming they phase out developer use of it they can still link general "non-identifiable" information about you (I've seen iTunes demographics mentioned by an advertiser) with the UDID and sell it for iAds for example. IMHO, that "non-identifiable" information could be anything short of your SS#, name and address. The number of people in your household, the neighborhood you live in, where you work or other semi-private info may be perfectly fair game. Other examples, tho they don't limit it to these, are below.


     


    We also collect non-personal information - data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:



    • We may collect information such as occupation, language, zip code, area code, unique device identifier (UDID), location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.


    http://www.apple.com/privacy/


    ... and yes, it's understood that others like Google and Facebook may do the same.

  • Reply 11 of 16
    So the "hackers" just claimed it was the FBI to try and sound cool and justify their crime as a public service. What a bunch of clowns.
  • Reply 12 of 16
    gqbgqb Posts: 1,934member

    Quote:

    Originally Posted by thataveragejoe View Post


    FBI Cover up / Damage Control? I put nothing past the Bureau... 



    Right... because only government is evil and sainted businesses are pure. Got it.

  • Reply 13 of 16


    oh, your cynicism is so clever and witty. really. now let's ask ourselves which of the two scenarios is more probable and more likely, an FBI cover your ass scenario (highly probable and highly likely, given Fast and furious) or an obscure developer scenario (where a single small dev group has, for some reason, 12 million UDIDs in their database).


     


    I can fathom no logical reason for any developer, even a very large one, to have 12 million UDIDs in their database. Therefore, I am leaning toward FBI covering its own ass.


     


    Yes, distrust your government first, before you distrust an American business.  Your government has been dishonest for far longer than any business ever has.


     


    To suggest otherwise is a fool's argument.

  • Reply 14 of 16
    muppetrymuppetry Posts: 3,331member

    Quote:

    Originally Posted by echosonic View Post


    oh, your cynicism is so clever and witty. really. now let's ask ourselves which of the two scenarios is more probable and more likely, an FBI cover your ass scenario (highly probable and highly likely, given Fast and furious) or an obscure developer scenario (where a single small dev group has, for some reason, 12 million UDIDs in their database).


     


    I can fathom no logical reason for any developer, even a very large one, to have 12 million UDIDs in their database. Therefore, I am leaning toward FBI covering its own ass.


     


    Yes, distrust your government first, before you distrust an American business.  Your government has been dishonest for far longer than any business ever has.


     


    To suggest otherwise is a fool's argument.



     


    You forgot the sarcasm tag. While you might think that everyone would realize that this is too ridiculous to be what you actually believe, crazy people really do believe this kind of stuff, and you wouldn't want to get the reputation of being one of them.

  • Reply 15 of 16


    I could believe it.  Some governments more than others, but all governments to a degree.  I am not saying this was the case in this situation, just that it would not surprise me if it was.  There are still those that believe the way government works is how it is explained in a Social Studies or Civics class.  Nice in theory, but not in practice.  Too much money and power involved for that to be true.  Of course the same could be said for how businesses operate as well.  It reminds me of the exchange between Rodney Dangerfield and the business professor in Back to School.    

  • Reply 16 of 16

    Quote:

    Originally Posted by echosonic View Post


    oh, your cynicism is so clever and witty. really. now let's ask ourselves which of the two scenarios is more probable and more likely, an FBI cover your ass scenario (highly probable and highly likely, given Fast and furious) or an obscure developer scenario (where a single small dev group has, for some reason, 12 million UDIDs in their database).


     


    I can fathom no logical reason for any developer, even a very large one, to have 12 million UDIDs in their database. Therefore, I am leaning toward FBI covering its own ass.


     


    Yes, distrust your government first, before you distrust an American business.  Your government has been dishonest for far longer than any business ever has.


     


    To suggest otherwise is a fool's argument.



     


    Quote:

    Originally Posted by iSteelers View Post


    I could believe it.  Some governments more than others, but all governments to a degree.  I am not saying this was the case in this situation, just that it would not surprise me if it was.  There are still those that believe the way government works is how it is explained in a Social Studies or Civics class.  Nice in theory, but not in practice.  Too much money and power involved for that to be true.  Of course the same could be said for how businesses operate as well.  It reminds me of the exchange between Rodney Dangerfield and the business professor in Back to School.    



     


    Meant to reply to echo sonic...
