Apple clarifies iPhone tracking practice, vows software tweaks

Apple on Wednesday released a statement about its iPhone location tracking, clarifying its practices and promising changes via a software update.

The statement is in a question-answer format that frames the questions with a characteristic Apple viewpoint. Apple flatly denies that it is either tracking or logging users' locations, though the statement doesn't explain the difference, if there is one, between those two terms.

Instead, Apple is simply "maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than 100 miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested."

Background: Apple iPhone location tracking has been no secret, researcher claims

Nevertheless, Apple promises two free software updates to iOS to address specific issues. In the "next few weeks," an update will:

* reduce the size of the crowd-sourced Wi-Fi hotspot and cell tower database cached on the iPhone

* stop backing up this cache

* delete this cache entirely when Location Services is turned off (currently, when users shut off the phone, it sometimes keeps updating the Wi-Fi and cell tower data, an activity that Apple says is caused by a software bug)

Secondly, the next major iOS software release will encrypt the iPhone's cache of Wi-Fi hotspots and cell tower locations. Today, Apple says this cache, a subset of the entire location database, is "protected by not encrypted" on the phone. The backup, via iTunes, on a Mac or PC can be encrypted if the user selects the option for encrypted backups.

The Apple document is available online in full.

The statement begins with the question "Why is Apple tracking the location of my iPhone?" The answer repeats Apple's consistent position that the company "is not tracking the location of your iPhone. Apple has never done so and has no plans to ever do so." (A point Apple CEO Steve Jobs reportedly made as well in an email exchange with a customer earlier this week.)

The second question is: "Then why is everyone so concerned about this?"

Apple's answer is that "users are confused, partly because the creators of this new technology (including Apple) have not provided enough education about these issues to date."

"Providing mobile users with fast and accurate location information while preserving their security and privacy has raised some very complex technical issues which are hard to communicate in a soundbite."

LEGAL: iPhone, iPad users sue Apple over location tracking database

The company "is not logging your location," according to the statement. Instead, the iPhone is maintaining a Wi-Fi hotspot/cell tower location database. The reason for doing so is to let the phone calculate your location faster with this additional data, than it can do by relying on GPS satellite data alone. (A recently published Apple patent application seems to describe the underlying technology.)

This approach is very similar to the one Microsoft outlined this week in a blog post, about how the Windows Phone 7 mobile operating system deals with location data.

GPS positioning can take up to several minutes, but with the Wi-Fi hotspot and cell tower data this can be reduced to a "few seconds," according to Apple.

"These calculations are performed live on the iPhone using a crowd-sourced database of Wi-Fi hotspot and cell tower data that is generated by tens of millions of iPhones sending the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple."

This database is far too big to be stored entirely on the iPhone, so Apple downloads to your specific phone just a subset of relevant location. "This cache is protected but not encrypted, and is backed up in iTunes whenever you back up your iPhone. The backup is encrypted or not, depending on the user settings in iTunes."

The maps of "iPhone locations" that have been created by various researchers are misleading, according to Apple. What the maps actually show is not the positions of the iPhone, but the positions of the Wi-Fi radios and cell towers surrounding it.

These geo-tagged hotspots and towers can not be used to locate an iPhone, because "this data is sent to Apple in an anonymous and encrypted form. Apple cannot identify the source of this data."

Apple acknowledges that some people looking into the location data issue have found that up to a year's worth of data is being stored on the iPhone. "The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly (see Software Update section below)," according to the document. "We don't think the iPhone needs to store more than seven days of this data."

The statement reveals that Apple is currently collecting "anonymous traffic data" to build a second "crowd-sourced database" that will be used to create "an improved traffic service in the next couple of years" for iPhone users.

Finally, Apple reiterated how it uses iPhone-collected data with regard to third parties: anonymous crash logs, from users who have granted approval for this, go to third-party developers for debugging apps; Apple's iAds system can use location data to target advertisements; location data is only provided to a third party or ad when the user explicitly approves "giving the current location to the current ad."

Finally, in response to the question "Does Apple believe that personal information security and privacy are important?" the company gives the unsurprising answer, "Yes, we strongly do."

John Cox covers wireless networking and mobile computing for Network World.


Blog RSS feed:

Read more about anti-malware in Network World's Anti-malware section.

Join the CSO newsletter!

Error: Please check your email address.

Tags Appleconsumer electronicsNetworkingsmartphonesPhoneswirelessiPhone tracking

More about AppleApple.Microsoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John Cox

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts