Sen. Al Franken wants answers. Security researchers on Wednesday revealed the existence of a file on iPhones and on their computer backups that logs detailed cell phone triangulation data – and has ever since iOS 4 was released last summer.
This privacy glitch was discovered by two British security researchers, Alasdair Allan and Pete Warden, who presented their findings at the location-centric O’Reilly Where 2.0 conference in San Francisco. They even released a downloadable application that plots users’ movements on web-based mapping software to illustrate the privacy implications.
In a blog post on the O’Reilly Radar Web site, Mr. Allan said, “The presence of this data on your iPhone, your iPad, and your backups has security and privacy implications.” The two programmers have contacted Apple’s product security team but said they had not yet had a response.
Overnight US Congressmen led calls for Apple to explain itself over the way the iPhone logs users’ coordinates based on the mobile network masts to which they are connected. The Federal Communications Commission meanwhile reportedly said it would look into the matter.
The hidden file, which is called “consolidated.db,” is stored on both the Apple iPhone 4 and the computer it is associated with, and is not protected by a password or encryption. The security firm F-Secure also claimed the iPhone reports location data back to Apple twice a day.
In a letter to Steve Jobs (PDF), the Democratic Senator Al Franken, who leads a Senate privacy panel, said: “Anyone who gains access to this single file could likely determine the location of the user’s home, the businesses he frequents, the doctors he visits, the schools his children attend, and the trips he has taken over the past months or even a year.”
Senator Franken asked the Apple CEO to explain why the data is captured, what it is used for and why it did not seek “affirmative consent” from users. “It is also entirely conceivable that malicious persons may create viruses to access this data from customers’ iPhones, iPads, and desktop and laptop computers,” the letter continues.
“There are numerous ways in which this information could be abused by criminals and bad actors. Furthermore, there is no indication that this file is any different for underage iPhone or iPad users, meaning that the millions of children and teenagers who use iPhone or iPad devices also risk having their location collected and compromised.”
In its statement the Information Commissioner’s Office said: “All businesses that are collecting people’s data should have clear and accessible privacy notices. This is especially important where users are unlikely to appreciate the privacy implications of a service they are using.”
“Apple has a legal obligation to make clear how people’s information might be used when customers sign up. Equally, customers should make sure they carefully read through terms and conditions. Anyone who has a data protection concern can bring their complaint to us and we will look into it.”
But Professor Ross Anderson, a privacy and security expert at the University of Cambridge, argued the location log could not be considered anonymous data. “If your location history were to be kept anonymous, it would have to be broken up into separate segments of a few hours or perhaps even less,” Prof. Anderson said.
“As it is, if our location histories were to be published without our names on, then anyone who knows where you were at a few definite times in the past can identify your location history from among all the millions of other people’s, and then work out where you were at (say) evenings and weekends.”
Apple Inc. has not yet publicly responded to the controversy. Readers, what do you think about it all?! Tell us your thoughts in the comments below. [via The Telegraph (UK), The Republic, CNN and NY Times]