The revelation this week that the latest versions of the iPhone and iPad contain a file that records the geographical location of the popular mobile devices has created quite the privacy stir.
O’Reilly Radar researchers Pete Warden and Alasdair Allan, who announced their discovery this week at the Where 2.0 Conference in Santa Clara, Calif., said in a blog post that Apple devices running iOS version 4 contain a system that logs location information — longitude/latitude coordinates with timestamp — to a file known as consolidated.db.
“What makes this issue worse is that the file is unencrypted and unprotected, and it’s on any machine you’ve synced with your iOS device,” Allan wrote. “It can also be easily accessed on the device itself if it falls into the wrong hands. Anybody with access to this file knows where you’ve been over the last year, since iOS 4 was released.”
Naturally, this has prompted some to wonder why Apple needs this information, including Sen. Al Franken, D-Minn., who sent a letter on Thursday to Apple CEO Steve Jobs, raising privacy and security concerns, such as the possibility that an unauthorized person or malicious application could access the data.
But experts say this type of data collection is nothing new within the mobile world. In fact, according to new research performed by researcher Samy Kamkar, Google regularly transmits the location data of its smartphones back to a central server. A Wall Street Journal report on Friday expounded on Kamkar’s findings.
Perhaps the larger concern with data collection of this kind may not be what Apple or Google want to do with it, but that it opens the possibility that law enforcement may seek warrantless access to it, say researchers.
Christopher Soghoian, a privacy researcher at Indiana University, said in a blog post Friday that the federal law governing digital privacy sorely needs an update to address today’s mobile landscape. Right now, it is unclear if the current version of the Electronic Communications Privacy Act (ECPA), enacted in 1986, protects location data from being obtained by law enforcement merely armed with a subpoena instead of a court-issued warrant.
“[I]t is quite possible that if and when these firms [such as Apple or Google] receive a request for this data, they could refuse to comply with the subpoena, and argue that it should be subject to the protections of the Fourth Amendment,” Soghoian wrote. “Certainly, some judges around the country have decided that mobile phone location data is sensitive enough to require a probable cause warrant issued by a judge
“However, many other judges do not agree with that theory,” he added. “Without the protections of the ECPA, if the courts do not think this data deserves Fourth Amendment protections, there is nothing to stop law enforcement agencies from getting it with a subpoena.”
Apple collects the anonymous data — meaning it is not tied to a specific user — twice a day, according to a Thursday blog post from security firm F-Secure. Although Apple has remained mum on the topic, the computing giant appears to be using the information to build its own location database.
This would help to improve the “geolocational cognition” of applications running on Apple devices, something that would minimize the resource strain on the phones as they search for and access cell towers, Alex Levinson, a student and researcher at Rochester Institute of Technology in New York, told SCMagazineUS.com on Thursday.
Levinson, who has studied the location file, said he does not think Apple is up to anything nefarious.
“There’s all sorts of data on a phone,” Levinson said. “Just because it’s there doesn’t mean it’s being stolen or being used against you or being harvested. I am not denying that the data is on the phone. But I think it’s on there to enhance the functionality of Apple devices.”
He said approved applications installed on the iPhone are sandboxed and thus “cannot talk” to this file.
“I didn’t find it any more intrusive from a privacy perspective than having text messages on my phone,” Levinson said. “I believe people are creating this idea that this data is just wanting to be gobbled up, and I think people are failing to recognize the steps that Apple is taking to prevent this from happening.”