Is your iPhone tracking you? Does Apple know where you've been for the last year? Does it really matter? All these questions have been swirling around the blogosphere this week after two researchers published a blog post that said Apple is gathering your location via the iPhone and other devices and storing it in an insecure file.
The revelation prompted a flood of coverage, calling into question how much Apple really knows about your whereabouts. It appears, however, that this news was actually first reported last year, and Apple isn't the only company collecting data in this manner.
We took a look at some of the bigger questions emerging from this story. Let us know of any other burnings inquiries in the comments below.
What is going on?
Two researchers this week published a blog post that said Apple devices like the iPhone are keeping track of where you've been via location-based services, and logging that data in an insecure file on your device—a file that can also be accessed on any computer with which you've synced your iPhone.
Isn't that a bit Big Brother of them?
It depends on how you look at it. Location-based services can be rather helpful. How many times have you used Google Maps on your iPhone to pinpoint your location and get directions, find a nearby ATM, or see which subway stop is closest? It can also help when using recommendation apps like Yelp or MenuPages; narrowing a search for "Thai" in your immediate vicinity is much more helpful than searching every single "Thai" listing available on either of those services.
OK, so what's the big deal?
The researchers in question seemed to take issue with how the data is stored. "The file is unencrypted and unprotected, and it's on any machine you've synched with your iOS device. It can also be easily accessed on the device itself if it falls into the wrong hands. Anybody with access to this file knows where you've been over the last year, since iOS 4 was released," wrote Pete Warden, founder of the Data Science Toolkit, and Alasdair Allan, a senior research fellow at the University of Exeter.
Seems pretty bad, but does anyone really care where I've been?
Again, depends on how you look at it. Just like some people take every opportunity to broadcast their location via Foursquare or Facebook Places, there are just as many people who find that to be intrusive and TMI. In this case, there are those who could care less if Apple knows that you go to the same coffee shop every morning or that you were in Atlantic City last weekend, but there are also those who think that data might be used for more sinister endeavors. In a letter to Steve Jobs this week, for example, Sen. Al Franken suggested that hackers might create viruses to access this data from customers' iPhones, iPads, and desktop and laptop computers. It could then presumably be used for anything from spamming to robbing your house while you're out. Franken also took issue with the fact that the data might be collected from minors who happen to have iPhones.
So anyone can grab this data?
As Warden and Allan pointed out, there is no "evidence to suggest this data is leaving your custody." F-Secure's Mikko Hypponen also said in a blog post that "this file can't be accessed by third-party apps on an iPhone, as you need root rights to reach it." But the file is copied to your computer during iPhone synching and is accessible there, he said.
How do I know what's being collected about me?
Allan and Warden built an app that helps you look at your own data. PCMag tested it out in a story published earlier today: How to See the Secret Tracking Data in Your iPhone.
What does Apple have to say about this?
Officially? Nothing. (Update: In an email to a user, Steve Jobs reportedly denied any wrongdoing, and Apple later posted a Q&A about iPhone tracking) But the company did provide details on its location-based services in a July 2010 letter to a House committee. "To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device," according to Apple's customer privacy policy, which was updated in June 2010— prompting the congressional inquiry.
So does Apple have a list of where I've been over the last year?!
In that same letter, Apple claimed that all collected data is done so "anonymously in a form that does not personally identify you." For example, Apple might share your location with an app provider when you activate their location services. However, specific products from Apple, like MobileMe or the "Find my iPhone" feature will "require personal information for the feature to work," Apple said.
Why does Apple even want this information?
The simple answer is to provide you with location-based information like mapping and targeted search results. Apple started collecting this information in 2008 due to increasing consumer demand for services like "getting directions to a particular address from their current location, locating their friends or letting their friends know where they are, or identifying nearby restaurants or stores," Apple said in the House letter.
How do they collect the information?
According to F-Secure's Hypponen, "Apple maintains a global database of the locations of Wi-Fi networks. They use this to get an estimate of your location without using GPS. For example, if your handset sees three hotspots which have MAC addresses that Apple knows are within a certain city block in London, it's a fair bet you're in that city block."
Click here for more answers, including what other kinds of phones may be tracking you.
So this all started in 2008?
Not exactly. Prior to 2008, Apple got its location data from a company called Skyhook Wireless as well as Google. Starting with iOS 3.2, however, Apple started gathering its own data, which "must be updated continuously to account for, among other things, the ever-changing physical landscape, more innovative uses of mobile technology, and the increasing number of Apple's customers." While Apple did not state explicitly why it ditched Skyhook and Google, it was likely a money-saving decision. Why pay those companies when you can just collect the information yourself?
What Apple devices include location services?
The iPhone 3G, iPhone 3GS, iPhone 4, iPad 3G include location-based services, Apple said. To a more limited extent, so do older iPhones, the Wi-Fi iPad, the iPod touch, Mac computers running Snow Leopard, and Windows or Macs running Safari 5.
How do I know if location services are on?
On the iPhone, click the "Settings" icon. There will be a "Location Services" option in the main menu, which will either say "On" or "Off." Also, if you see an arrow icon in the top-right hand corner of your iPhone, that signals that your phone is currently accessing your location.
Can I turn location tracking off?
Yes. You can turn off the Location Services setting on your iPhone under "Settings," and decline any requests to access your location on third-party apps. (Update: A PCMag test appears to confirm this.)
Can I do anything else?
Warden and Allan suggested that concerned users encrypt their backups via iTunes. To do so, click on your device within iTunes and then check "Encrypt iPhone Backup" under the "Options" area.
Haha, I have an Android-based phone, so I'm safe. Right?
Not exactly. As the Wall Street Journal pointed out this morning, Google also collects data on its Android platform to serve up location-based services. The Journal cited a report from security analyst Samy Kamkar, who has an "Android Map" tool that lets people enter a BSSID/MAC address and pinpoint an exact location. "When the [Android] phone detects any wireless network, encrypted or otherwise, it sends the BSSID (MAC address) of the router along with signal strength, and most importantly, GPS coordinates" to Google, Kamkar claims.
What does Google have to say about this?
Google did not immediately respond to a request for comment about Kamkar's research, but the search giant has been in hot water for its Wi-Fi data collection before. It used to collect Wi-Fi data via devices attached to its Street View cars. But last year, it revealed that those devices had accidentally captured data traveling over unencrypted Wi-Fi networks, including emails and passwords. The revelation resulted in inquiries from data protection agencies all over the world, and prompted Google to stop collecting data in this way.
What about other OSes like Symbian, WebOS, Windows Phone, or BlackBerry?
These competing OSes have thus far flown under the radar on this particular issue, but as Alex Levinson, a Rochester Institute of Technology researcher and technical lead for iOS forensics consultant Katana Forensics, pointed out recently, third-party-applications and other OSes definitely use location tracking. "From a security standpoint, the OS is not necessarily the biggest vulnerability. The third-party apps are," he told PCMag. "That's also true from a forensics standpoint. And if you're going to hold Apple accountable, you have to hold the third-party app developers accountable. And you have to hold Android and the other OSes accountable."
So this is a pretty big find for Warden and Allan, huh?
They probably think so, but Levinson and Christopher Vance, a Marshall University digital forensics specialist, actually reported on this phenomenon last year and are a bit miffed that Warden and Allan are getting the credit. Vance said it was a "bit of a letdown," while Levinson said he feels "a little bit professionally disrespected."
What happens next?
As mentioned above, Sen. Franken has penned a letter to Steve Jobs asking for more information, as has Rep. Edward Markey. So unless Apple releases a statement on the matter, we'll have to wait until Cupertino responds to Franken and Markey's letters to get any more information. In the meantime, if you're really concerned, just turn off location services on your Apple device, encrypt that data, or lock up your iPhone and computer with a password in case it's lost or stolen.
For more, see Don't Freak Out About iPhone Tracking. Yet and A Reason to Distrust the iPhone: Secret Tracking.