Given how much confusing and often contradictory information has been filling the media over the last week, it wouldn’t surprise me if some iPhone users were calling in priests to exorcise the demons of privacy invasion.
There are reasons to be concerned about the ways Apple, cellular carriers and third-party software developers handle your personal information, including location data.
But how big a threat is the iPhone’s penchant for holding on to a database of your locations for as long as a year? In a word: small. The chances of someone actually getting their hands on that data and finding a way to use it are remote.
In case you missed the brouhaha: A pair of researchers last week began a new discussion of the fact that Apple iPhones and iPads track users’ locations and store the data in an unencrypted file on the devices and on owners’ computers. It turns out that Google’s Android phones also record and transmit a certain amount of location data as well.
Since Apple has been stubbornly silent on the matter, it’s not surprising that people are confused. What’s more, the story has been changing on a daily basis. Here’s what you really need to know about the issue:
1. What data are we talking about?
Like any cell phone, the iPhone needs to know where you are to make and receive calls or to upload and download data. It does this by deriving your position from the location of nearby cell phone towers, or through GPS applications. In either case, Apple stores that data on your iPhone and then backs it up via iTunes. Although Apple won’t confirm it, the researchers who made news last week – Alasdair Allan and Pete Warden – believe the data comes from the cell towers.
2. Why is the data being stored at all?
Apple isn’t saying. Andrew Storms, director of security operations for nCircle, a security vendor, says it would make sense to have some of that data available so the phone always knows where it is. Having the data in hand speeds up the process in much the same way your browser caches data so it can quickly call up a page you’ve already visited. What’s more, it saves battery life since the device isn’t working as much to determine its location. But keeping a year’s worth does not make sense, he says, adding that Apple owes users an explanation.
3. Is the data encrypted?
No. However, the files are compressed and the file names are changed, says Michael Sutton, vice president for security research at Zscaler. He was able to read his own files by using a Unix tool called Grep. Not very many people would know how to use that tool, but Allan and Warden wrote a program that makes finding and viewing those files much easier. Remember, since the files are on your phone and on your computer, someone would have to have direct access to those devices, either by stealing or hacking them remotely.
4. Does anybody else have access to this data?
Yes and no. The data files that have everybody in a twitter (pun intended) are not leaving your computer, as near as anybody can tell. However, as numerous criminal defendants have learned, the carriers know where you’ve been because the cell towers log that information. Various law enforcement agencies use that data for criminal investigations; in some cases they don’t even bother to get a warrant, says Rebecca Jeschke of the Electronic Frontier Foundation, or EFF. But remember that location data is entirely separate from the logs kept in your iTunes folder.
5. What about other data?
This gets complicated. In a letter Apple wrote last July to Rep. Ed Markey, a Massachusetts Democrat, and Rep. Joe Barton, a Texas Republican, the company said it collects some location data anonymously and only when consumers agree to use its location-based services like maps, or any apps that ask a user’s location, and for its advertising system, iAd. It’s not clear if the data broadcast back to Apple is the same as the data in the backup file it keeps.
6. What can I do to avoid having my location hacked or tracked?
• It’s easy to encrypt the data your iPhone backs up. Click on your device within iTunes and then check “Encrypt iPhone Backup” under the “Options” area.
• Turn your phone off when you’re in a location you’d like to keep to yourself.
• Turn off location services by going to “Settings” and then “General.” You’ll notice that if you drill down one more level, there’s a list of applications that use location services; you can switch off the ones you don’t use or trust. But remember, if you turn off location services, things like mapping will not work.
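One way to confirm that the “Encrypt iPhone Backup” setting from the first tip has actually taken effect on a computer, as an added example that is not part of the original article. It assumes each iTunes backup folder holds a `Manifest.plist` with a boolean `IsEncrypted` key and that backups sit in the default folders listed in `DEFAULT_ROOTS`; the function names and the sample folders are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumed default iTunes backup folders (not stated in the article).
DEFAULT_ROOTS = [
    Path.home() / "Library/Application Support/MobileSync/Backup",     # macOS
    Path.home() / "AppData/Roaming/Apple Computer/MobileSync/Backup",  # Windows
]

def backup_status(backup_dir):
    """Return 'encrypted', 'unencrypted' or 'unknown' for one backup folder."""
    try:
        with (Path(backup_dir) / "Manifest.plist").open("rb") as fh:
            data = plistlib.load(fh)  # accepts XML and binary plists
    except (OSError, ValueError, ExpatError):
        return "unknown"  # missing or damaged manifest: treat as unverified
    flag = data.get("IsEncrypted") if isinstance(data, dict) else None
    if flag is True:
        return "encrypted"
    if flag is False:
        return "unencrypted"
    return "unknown"

def audit(root):
    """Map each backup folder name under root to its status."""
    try:
        dirs = sorted(d for d in Path(root).iterdir() if d.is_dir())
    except OSError:  # root missing or unreadable
        return {}
    return {d.name: backup_status(d) for d in dirs}

def build_sample(root):
    """Constructed sample: three fake backup folders for an offline run."""
    for name, body in [("aaa", {"IsEncrypted": True}),
                       ("bbb", {"IsEncrypted": False})]:
        (root / name).mkdir()
        with (root / name / "Manifest.plist").open("wb") as fh:
            plistlib.dump(body, fh, fmt=plistlib.FMT_BINARY)
    (root / "ccc").mkdir()  # folder with no manifest at all

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print("sample:", audit(tmp))
    for root in DEFAULT_ROOTS:
        for name, status in audit(root).items():
            print(f"{root / name}: {status}")
```

Any folder reported as `unencrypted` or `unknown` is a backup made before the option was switched on, or one that could not be checked, and should be replaced with a fresh encrypted backup.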
7. Are other types of mobile applications grabbing my data?
They sure are. When Zscaler’s Michael Sutton looked at the iPhone backup data on his computer, he discovered that various passwords were stored in plain text by an app that he uses fairly often. It’s called JotNot Scanner Pro and it turns your iPhone into a mini-scanner for things like travel receipts. (You can read his post here.) JotNot itself doesn’t require a password, but if you use it in conjunction with, say, Google Docs or Evernote to store the documents you scanned, you need those passwords – and all of them were stored in Sutton’s iPhone data.
Even worse, scores of mobile applications grab data such as the names in your address book, according to a study by the Wall Street Journal. Although apps are supposed to get permission from the user before accessing information on the iPhone, some do not, and there’s no way to know what data is being harvested.
There’s a larger point here as well. Mobile apps often work in conjunction with applications and platforms you’ve never heard of or weren’t aware of. So even if the makers of your device’s operating system and applications are careful, a third party might not be, says Sutton. Apple, of course, controls what apps are allowed on its App Store, but the company doesn’t seem to be paying nearly as much attention to the trustworthiness of those apps as it does to their user friendliness, says Sutton. “This is Security 101,” he adds.
Again, the latest information leak is probably not something to be terribly worried about. But as we increasingly rely on mobile services of all types, we may well be giving up some privacy in return for the convenience the apps offer. I honestly don’t know if that’s a bargain we really want to make. But vendors like Apple and Google have the responsibility to let their customers (that’s us) know exactly what’s going on so we can make up our own minds. “People have the right to know if they are carrying a phone or a beacon in their pockets,” says EFF’s Jeschke.
San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach him at [email protected]
Follow Bill Snyder on Twitter @BSnyderSF. Follow everything from CIO.com on Twitter @CIOonline.