Researchers Disclose iPhone and iPad Location-Tracking Privacy Issues

[charlituna]

I thought this was an FCC mandate (to track GPS information for cellphones) after 9/11. The real issue is that this is not encrypted in anyway so anybody can get the information if they have access to the file.

As I recall the mandate was that all phones must have GPS in them and it has to be available real time under particular circumstances.

As for this file it isn't really available to anyone at any time. They have to have your iphone or your computer. And even then it isn't like they tap 4 times and suddenly the list is there. They have to have access to your file system via specifically written programs etc. Most of the time anyone that has your iphone wants a free iphone so they first thing they do is to wipe it to erase any 'find my' type stuff. IF they are goofing around they are in your even more open and accessible email, facebook etc. Although if you put on a passcode lock with the auto wipe they might not even get that far.

I would be more worried about the tool on this pair's website. It calls out to at least two sites. One is google maps but what is the other one. I mean we only have their word that they aren't recording any data about us when we use their software.

 

[idunn]

The reminder why

'These are the actions of a government with unbridled power. One day the authorities detain activist Ni Yulan -- who is now confined to a wheelchair as a result of being tortured -- another day they sentence critic Liu Xianbin to 10 years in prison. Then they warn Zhao Lianhai, who fought for an investigation into the 2008 milk powder scandal, that if he doesn't stop speaking out, he's going back to prison. Zhao had dared to describe in a newspaper interview how he had been force-fed through the nose with a milk powder solution. He had also called for Ai Weiwei's release.' [1]


Here is a little something for the 'if you have nothing to hide' crowd.

There are a lot of places in this world where discretion is not only advisable, but vital. That would be right now, today. If not concerned about 1/6 of the Earth's population and because not Chinese, they are not the only ones with an aversion to freedom, or using most any means to retain power. If having paid attention one will realize that even the Unites States does not have a perfect human rights record, some grievous sins in the past, and in press freedom, freedom of speech, and civil liberties in general headed in the wrong direction.

Beyond any of this there is simply the issue of personal privacy, of the innate human need for a measure of it, and just decency in general.

But if with nothing to hide and one's life a forever open book for every voyeur, fine. Only never hope the absolute need of discretion, as by then likely long since having lost the ability to retain it, character or means to say no.

1) 'Dozens Targeted in Chinese Crackdown on Critical Voices,' Der Spiegel
http://www.spiegel.de/international/world/0,1518,758152,00.html​

 

[Miss Terri]

This is nothing extraordinary or of any concern, in fact completely the opposite as everyone should always be able to justify why they are at a certain place at a certain time.

The only ones ho need to worry are those that are up to no good....

I disagree with that completely. As long as I am not harming anyone, I don't see any reason I should "always be able to justify why I am at a certain place at a certain time." That's my business.

If your way were to be the case, to whom would I be "justifying"? And to whose values? "Up to no good" in whose opinion?

I strongly disagree.

 

[Piggie]

This story was on the UK BBC Radio news this morning.

Short story, saying that researchers had just found the Apple iPhone is tracking your every location secretly.

 

[lilo777]

What are you talking about? AGPS does not require that the phone keep a timestamped log of everyplace I've been. That's not at all how AGPS works.

Even if there was some reason for it to cache locations for a bit, there is no reason for it to keep track of it for more than a year, across backups, etc.

Yep. Besides, Android phones somehow manage doing it without keeping such a log (at least as far as we know today). I suspect that the data is used by Apple to build WiFi maps. They might want to store the log for a long time in case users connect to iTunes very infrequently. Time stamping would be then necessary for cross-checking data from different users and to discard old readings.

 

[nowonder24]

can someone confirm whether or not this is malware?

join date today, one post and all.. :/

- apologies evill33t if it's not, this news is getting me all paranoid all of a sudden..

I wouldn't touch it without seeing the source code. But you can just apply the patch attached to this message and use the original one. Download the source code (e.g. using "git clone git://github.com/petewarden/iPhoneTracker") and change into the directory containing "iPhoneTrackingAppDelegate.m". Download the patch file to the same directory. Then use "patch -p1 < precision.txt" to apply the patch. Open the xcode project by "open iPhoneTracking.xcodeproj" and press "Build and Run". Done

The patch is very small and if you look at it, it only takes out the deliberate loss of precision introduced by the authors.

Enjoy!

 

[AppleScruff1]

It's just like in 1984. Steve is watching you. Be careful.

 

[gavin83209]

I don't know if anybody brought this up already, but if somebody installed one of the SSH/Terminal apps on a jailbroken iPhone, couldn't they locate and replace the file with a symlink to /dev/null to effectively disable tracking?

 

[Blue Fox]

Why does any of this matter? Why does it anger anyone? (other than the fact that the people who are getting angry have NO idea what it's for or what it does). The Government or AT&T or Verizon or Hackers can track you REGARDLESS of a small, un-accessible file that keeps logs of where you've been. Not to mention, it's keeping a LOG of where you've been/where you are, not "tracking" you and transmitting your location to anyone.

Not to mention, if you believe you have ANY privacy left in this world, you are only fooling yourself. For all you angry people out there wanting your privacy back, there is only one way to do it.....loose the phone, fake your death, and drop off the grid entirely. That's the ONLY way you'll ever regain your "privacy" as you "think" you have it now. But I'm willing to bet all you privacy-advocates out there probably have FaceBook, Twitter, etc. and probably share more information about your life and where you are online in an unsecured fashion than people who could really care less at this point about a small file keeping data of where the phone's been.

Give it a week or two and this will be old news an no one will care anymore. That's how important this really is........it isn't. Nor is it anything new as I'm willing your Android and Blackberry phones and devices do very much the same thing.

 

[Nebrie]

An insightful post from reddit:

I figure this thread is as good a place as any to brain dump on this. I went to WWDC last year where the new Core Location system was discussed in great detail. If you went as well, or have the videos, look at the video for session 115, "Using Core Location in iOS". Skip to around 13:45 for the discussion of "Course Cell Positioning" where they discuss the cache in detail.

The purpose of this is offline GPS. Normally, each cell tower has an identifier and Core Location sends that identifier to Apple and asks for the lat/lon for that tower. This requires a data connection, and the use of data. Since cell towers don't move, however, it's inefficient to keep going back to Apple for that information so they cache it. Now if a tower appears with the same ID as the cache, tada! you have a cache hit and a faster fix with no data use. Which also means you can get a "course location" (as in rough) if you are near known towers and don't have a data connection.

That's all this is. It's a cache of identifiers (cell and wifi), locations, and their age (it's a cache, after all). Someone made the decision to never clean it out so they would have more and more information about those GPS "assists" (you know, A-GPS) and so they'd use less and less power and data over time for the places you frequent. It's a great idea, technically.

Practically, yes, you can track location over time. The file is readable only by root and you're free to encrypt your backups for now. I'm sure Apple will either encrypt the file or truncate the data in a future update (I would prefer encryption as I think it's technically sound, but I know many will disagree). I'm also sure someone is considering a toggle for the feature or a button to clear the database. Both are great ideas.

This isn't nefarious, this isn't being sent anywhere, and this isn't as bad as everyone is making it. This is a real feature with a major oversight. That's it.

 

[AppleScruff1]

Remember a week or two ago when it was falsely reported that Samsung had a keylogger on their new notebooks and everyone here was in an uproar about how devious Samsung was? Now that the shoe is on the other foot, it's not a big deal.

 

[Piggie]

I would guess, basically, a customer should be informed by information along side any such product, before purchase, that the item they are buying is going to do this as keep a large record of every location the person takes the item.

It's going it, without the buyers knowledge I would say is the key thing here.

You as a customer as not being allowed to decide if you accept this before you agree to purchase.

 

[Trauma1]

I would guess, basically, a customer should be informed by information along side any such product, before purchase, that the item they are buying is going to do this as keep a large record of every location the person takes the item.

Most of the times they are, they just don't realize it.

It's called Terms of Service. They're thirty-five pages long, in extra small print, and no one ever reads them.

 

[ChazUK]

So I just want to clear on this. You people complaining about this do not want to have AGPS or any sort of location services on WIFI only devices? Is that what you want or do you believe it is supposed to work through "magic"?

Yesterday according to you, it was only limited to AT&T, then it was "statistical data" and now it's collectng past location for AGPS purpses for wifi only devices?

How do wifi only devices use this data when the database is not transmitted anywhere?

 

[Trauma1]

Why does any of this matter? Why does it anger anyone? (other than the fact that the people who are getting angry have NO idea what it's for or what it does). The Government or AT&T or Verizon or Hackers can track you REGARDLESS of a small, un-accessible file that keeps logs of where you've been. Not to mention, it's keeping a LOG of where you've been/where you are, not "tracking" you and transmitting your location to anyone.

Not to mention, if you believe you have ANY privacy left in this world, you are only fooling yourself. For all you angry people out there wanting your privacy back, there is only one way to do it.....loose the phone, fake your death, and drop off the grid entirely. That's the ONLY way you'll ever regain your "privacy" as you "think" you have it now. But I'm willing to bet all you privacy-advocates out there probably have FaceBook, Twitter, etc. and probably share more information about your life and where you are online in an unsecured fashion than people who could really care less at this point about a small file keeping data of where the phone's been.

Give it a week or two and this will be old news an no one will care anymore. That's how important this really is........it isn't. Nor is it anything new as I'm willing your Android and Blackberry phones and devices do very much the same thing.

Thank you. I couldn't have said it any better myself.

 

[McGrol]

I wouldn't touch it without seeing the source code. But you can just apply the patch.. ..press "Build and Run". Done

The patch is very small and if you look at it, it only takes out the deliberate loss of precision introduced by the authors.

Enjoy!

Hmm.. It looks like English, even sounds like it. So how come I don't understand a word you just said

Thanks for the reply, but I'm no developer, so I wouldn't know what I'm looking at anyway, even if I had the source code.

 

[evill33t]

can someone confirm whether or not this is malware?

join date today, one post and all.. :/

- apologies evill33t if it's not, this news is getting me all paranoid all of a sudden..

I understand your concern's, i gonna upload the source after some clean up later then you can check it yourself.

I also gonna add markers displaying time and a time slider similar to the original but with hour scope instead days.

cheers

 

[wrkactjob]

Oh no! I've just got back from SE Asia and took a lot of pics ;-) hope the feds don't come aknocking on my door now they have me tracked me thru my paddy n ip4!

 

[MagicBoy]

I thought this was an FCC mandate (to track GPS information for cellphones) after 9/11. The real issue is that this is not encrypted in anyway so anybody can get the information if they have access to the file.

That's fine for the Americans. What about the other 96% of the planet's human population who are potentially being illegally tracked?

 

[caspersoong]

As long as they don't send it or sell it, I'll embrace it.

 

[hynke]

Opt-out

This all is not a new information. This thing has been in iOS Terms and Conditions (which obviously nobody reads) since iOS 4.0. Apple keeps the information for use with their iAd adds and can also give them to third parties. However you can always opt-out of this simply by visiting http://oo.apple.com in Safari browser on any of your iOS devices.

 

[antster94]

http://news.sky.com/skynews/

The story is on the Sky News homepage now. Hopefully Apple will realise it's a dent to their reputation and release some sort of statement as to why this is happening.

 

[KnightWRX]

Why does any of this matter? Why does it anger anyone? (other than the fact that the people who are getting angry have NO idea what it's for or what it does).

It matters because the file is potentially a breach of privacy and an added liability in case one of your devices get stolen (either the Mac or the iPhone). It angers people because we should not stand up for any breach of privacy, no matter how much one thinks they don't have privacy anymore.

Erosion of privacy happens because people like we've seen in this thread think the little things "don't matter". The fact is, Core Location doesn't need a 1 year cache, much less a 1 week cache or even a 1 day cache of locations to do its job. It also doesn't need to back it up to the Mac (just start fresh in case of a phone restore).

Just because there is a bug in the code that flushes it or because the programmers got lazy and never got around to making some flushing code doesn't mean we shouldn't be asking questions from Apple and asking them to fix this.

Let me turn the tables on you. What does it matter that people are getting angry ? What does it matter that people are asking for a fix ? Why does it bother you that there are some people left who care about their privacy ?

Why do you feel we should expose our lives more and more ? If you're fine with it, be fine with it all you want, but don't try to impose your acceptance on those who would defend their rights, no matter how little of them are left.

 

[Lennholm]

It's so funny to see how people who always complain about how Google is evil for not respecting their privacy now are all "No biggie, if you got nothing to hide. Apple, feel free to provide my consolidated.db to any one you see fit, I trust you"

 

[marksman]

It's so funny to see how people who always complain about how Google is evil for not respecting their privacy now are all "No biggie, if you got nothing to hide. Apple, feel free to provide my consolidated.db to any one you see fit, I trust you"

This has nothing to do with privacy.. Why do people think this is a privacy issue?