Apple's iPhone and iPad have secretly been saving a complete, unencrypted history of location data for nearly a year now. Privacy advocates say the practice is irresponsible, and authorities question its legality.
Free software maps an iPhone user's movements
Many functions on Apple's wildly popular iPhone and iPad rely on users' physical locations to deliver services like real-time maps, and location-based social networking and commercial offerings.
However, unbeknownst to most users, the devices are storing that information in a hidden file, two British researchers announced Wednesday at the Where 2.0 conference in Santa Clara, Calif., 72 kilometers (45 miles) south of San Francisco.
Alasdair Allan and Pete Warden said the tracking has been in place ever since Apple's operating system update to iOS 4 in June of last year.
"What makes this issue worse is that the file is unencrypted and unprotected, and it's on any machine you've synched with your iOS device," the pair wrote in a blog post on Wednesday. "It can also be easily accessed on the device itself if it falls into the wrong hands. Anybody with access to this file knows where you've been over the last year, since iOS 4 was released."
An iPhone or iPad equipped with iOS 4 stores latitude and longitude coordinates - most likely triangulated from cell phone towers - along with a time stamp, Allan and Warden said. In addition, the pair released free software which lets users visualize their own tracking file and plots it on a map.
Hypponen said Apple is likely using iPhones to create a location database
No comment from Apple
Apple's German headquarters in Munich declined to comment when contacted by Deutsche Welle.
While Apple's worldwide headquarters in California has not responded either, some security researchers have already begun to speculate what Apple might be doing with this information.
In a Thursday blog post, Mikko Hypponen, a security researcher with the Helsinki-based security firm F-Secure, pointed out Apple, like many other companies, can locate users based on their proximity to known WiFi networks.
One large such WiFi location database that Apple previously had access to was from an American company called Skyhook. However, in April 2010, Apple began replacing the Skyhook database with its own.
"And the real question is: How did Apple create their own location database?" Hypponen wrote. "They did not have cars driving around the world. They didn't need to. They had existing iPhone owners around the world do the work for them. If you run a modern iPhone, it will send your location history to Apple twice a day. This is the default operation of the device."
The tracking has been in place since June of last year
According to Peter Meier, deputy director of the Bavarian Data Protection Authority - which has the most direct jurisdiction over Apple in Germany - the legal implications of the tracking are being assessed.
"We will approach Apple in a timely fashion and request they take a position, on which basis we'll judge how data protection is to be seen," Meier told Deutsche Welle.
Peter Schaar, Germany's Commissioner for Data Protection and Freedom of Information, called on Interior Minister Hans-Peter Friedrich to take action in creating a law forbidding secret tracking.
"Apple customers need to be in a position to make decisions about their data," he told Deutsche Welle in an e-mailed statement. "I see Apple as being in an obligation [to let their customers be able to make decisions about their own data]."
However, other legal scholars say that there may not be such a clear path for a legal case, as there is no firm evidence yet that the location data has been transferred back to Apple.
"But, data security standards [have been] violated," wrote Thomas Hören, a professor of communications law at the University of Münster, in an e-mail to Deutsche Welle, noting that the personal data stored was unsecure. "Users might give back their iPhones due to a clear violation of these standards. Furthermore, the high risk of damages has to be answered by Apple by [recalling] the phones or quickly establishing strategies for deleting the data and/or stopping its storage."
Haphazard and secretive
Gus Hosein, the deputy director of the London-based advocacy group, Privacy International, said his watchdog organization is already drafting legal complaints against Apple to submit to the data protection regulators of individual EU countries. It won't file them, though, until the particulars are known, he added.
"There is still the question of when Apple gets access to this data, if ever," he told Deutsche Welle. "Apple seriously screwed up here. It's time we start keeping an eye on what all these smart phone operating systems are doing. I don't know how, but over the years, location data has suddenly become fair game."
Hosein added location data can be "very, very dangerous information to be collecting, particularly in such a haphazard way."
Author: Gerhard Schneibel
Editor: Cyrus Farivar