Apple’s iOS 4 operating system collects information about where iPhone and 3G iPad users travel, security experts Alasdair Allan and Pete Warden revealed at the Where 2.0 conference.
The continually-updated log is held on both the iPhone and the computer it connects to and contains a list of coordinates and associated timestamps. The records go back to the release of the 4th iteration of the iOS operating system in June last year.
The data, consisting of latitude and longitude coordinates and corresponding timestamps, is stored unencrypted and, apparently, without conspicuous notification. Apple did not respond to a request to explain whether any of its user agreements cover this practice.
The true contents of the enigmatically-named file “consolidated.db” were discovered by two British software developers who were working on ways of visualising location data for websites.
“At first we weren’t sure how much data was there, but after we dug further and visualised the extracted data, it became clear that there was a scary amount of detail on our movements,” said Alasdair Allan and Pete Warden. Mr Warden previously worked for Apple in an unrelated area.
“We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behaviour and improve our products, services, and advertising.”
Mobile network operators keep records of users’ movements based on which masts they are connected to, which police and intelligence agencies can access legally. The data stored by the iPhone could, however, be accessed by anyone with access to the phone or the computer it connects to, and is not protected by a password or encryption.
Mr Allan and Mr Warden have set up a website to publicise their findings and allow iPhone users to test whether their movements are being recorded. To further highlight the issue they have developed a simple application that plots the coordinates and timestamps on web-based mapping software.
“One guess might be that they have new features in mind that require a history of your location, but that’s pure speculation,” said the researchers, adding that the way the data is copied between the iPhone and computer indicated it was not gathered accidentally.
Other technology giants including Facebook and Google encourage users to hand over location data partly because it is potentially valuable to advertisers.
Apple’s actions may result in litigation because its data collection is similar in some respects to what Google was doing when it unwittingly allowed its Street View cars to collect information from open Wi-Fi networks without disclosure.
While Apple’s software is not collecting actual packet data traveling over Wi-Fi as Google did, it is recording the MAC addresses of Wi-Fi access points near the iPhone owner being tracked.
Dr Ian Brown, a senior research fellow at the Oxford Internet Institute, said: “I certainly think it’s something they should have brought much more to the attention of the user, and that it should only be switched on after an explicit user decision.”
Graham Cluley, senior technology consultant at security firm Sophos, said that it was unlikely Apple Inc. planned to use the information for commercial purposes.
“I think there are some legitimate privacy concerns and people will probably look for a way of obscuring that data,” he said. “But it is an object lesson about reading the terms and conditions.” [via The Telegraph (UK), BBC and Information Week]