Apple's iOS location-tracking headaches: 5 questions

OK, Apple; the tracking secret's out. Now it's time to talk.

Apple appears to be headed for a Google-size privacy snafu over its iOS location-tracking database after lawmakers in Europe and Washington recently started asking questions.

U.S. Sen. Al Franken (D-Minn.) and Rep. Edward J. Markey (D-Mass.) have each sent letters to Apple CEO Steve Jobs looking for answers about Apple's customer-tracking policies. Meanwhile, privacy regulators in Germany and Italy are investigating this policy, and France may follow suit, according to a report in The New York Times.

Apple's privacy headaches started after two researchers released an open source application called iPhone Tracker that reads your iOS device's location history from an unencrypted backup file on your PC. The app then plots this information on a map and allows you to play back your location history complete with time and date stamps. The iOS file with your location history, called consolidated.db, has been known about for some time but has received a large amount of publicity since Wednesday.

As is typical for Apple, the company has yet to issue any statements or respond to several days of press inquiries about its tracking policies and consolidated.db. In the absence of any public statement from the company, we are left to wonder why Apple is saving a record of your device's location history based on triangulation from cell towers and, possibly, Wi-Fi access points.

So in the absence of any meaningful statement from Apple, here are five more questions we need answers to about Apple's iTracking headaches.

What Specific Information is Apple Gathering?

Apple admitted in July 2010, in a letter to U.S. Reps. Edward J. Markey (D-Mass.) and Joe Barton (R-Texas), that it was pulling anonymous location information from some users' devices. Apple said it was doing this to build its own cell tower and Wi-Fi access point location database. The database helps Apple find your smartphone's location quickly for use in location-based services such as Foursquare and Facebook Places. Previously, Apple had relied on data from Google and Skyhook for cell tower and Wi-Fi access point locations. You can read Apple's response here.

Most experts seem to agree that Apple is not retrieving information stored in consolidated.db from your device, contrary to my theory from Thursday. The problem is Apple has admitted to collecting information similar to what's contained in consolidated.db. So if Apple is not collecting information from this file, where are the files Apple is retrieving from your device and what specific information are those files sending back to Apple?

How is the File Secured on Your Device?

This file isn't just on your PC, but also on your iPhone or 3G iPad where it can be updated. So what kind of protection does this file have while residing on your device? Is it encrypted? How hard would it be for a hacker to recover the file from your device? Macworld's Dan Moren says it would be pretty difficult to get off your phone, but Apple should answer this concern more clearly.

Why Apple? Why?

Apple needs to spell out very clearly why this database is there, and what the device needs it for. Some analysts believe this file helps your device find out where it is faster than continually communicating with Apple's servers. But is that the case? If so, why is this file recording your history instead of just reading location points off a list? Some are also guessing that a software bug is causing iOS to record this data instead of deleting it every few hours.

Did You Know Law Enforcement was Using This?

Several reports are claiming that law enforcement officials have been using forensic techniques to access the iPhone's location database for at least a year.

Was Apple aware of this? If so, why hasn't it worked to make this database less accessible in the interests of securing user data from unwarranted intrusion?

Isn't it Time for a Wider Discussion?

While Apple may be the company on the hook for tracking a user's location right now, almost every cell phone in the wild today can be used for the same purposes. A recent report by The Wall Street Journal says Google's Android phones are doing something similar. Cell phone carriers have been handing out user location data to law enforcement officials for years. In March 2010, Kevin Bankston, senior attorney for the Electronic Frontier Foundation, told NPR's On The Media that Sprint had set up a Web portal that allows law enforcement officials to ping cell phones and find their location based on GPS. Over a one-year period, law enforcement officials used this site over eight million times, Bankston said.

It's not just Apple that can track you, but also Google, Sprint, Verizon, AT&T, and (for now) T-Mobile. If you want to get serious about cell phone location privacy, then it's important to ask not only what Apple is doing, but what every company in the mobile industry is doing, especially the wireless carriers. And, more importantly, how quickly are these companies handing over your cell phone location data to law enforcement?
