This discovery, presented by researchers Alasdair Allan and Pete Warden at the O’Reilly Where 2.0 conference this week, has sent shock waves through the high-tech community. “What? This file contains my whereabouts for the past year? WTF?” was most people’s first reaction when the news broke.
Many iPhone/iPad apps have access to the device’s geolocation, but most only read it at a given point in time and do not log it or build a history. The discovery that such a log exists raises the question of why Apple was recording this data and whether it intends to use it.
I can imagine a number of reasons why Apple would want to collect this data and how they might use it. Device tracking, for instance, is a popular parental-control feature that users want. Think your teenager lied to you about his/her whereabouts yesterday? No problem, just log into MobileMe and check the location-tracking information. Similarly, a credit-protection app can be instructed to report the phone’s general location at the time of a suspicious credit card transaction: if the card is used in England while the cardholder’s phone is in Alabama, hmm, something could be amiss.
But none of these scenarios conveniently justifies storing a year’s worth of location data, and stranger still is that the phone automatically syncs this data to the host. Mind you, not all data from the phone is transferred to the host during synchronization, so Apple evidently intends to keep this data around. But why?
Legal experts are quick to point out that merely collecting this data isn’t illegal, and other GPS-enabled devices may collect this kind of information too. But on a device like the iPhone/iPad, where so many other activities happen at the same time, the risk is different.
The first question to ask is how this file can be accessed. It’s not immediately clear whether other apps can read it. Typically an iPhone app must ask the user’s permission to access a system resource such as location, but that is enforced by the operating system APIs. What we are talking about here is a plain file, which from the sound of it is not in the ProtectionComplete class (the strongest data-protection class for file system objects on iOS: the file stays encrypted, and its key is unavailable, whenever the device is locked). It’s unclear whether the operating system prevents other apps from reading it.
Another critical question is why Apple didn’t offer an “opt-out” for this tracking feature, or better yet make it “opt-in” only. It continues to surprise me (well, I guess it shouldn’t surprise me anymore) how companies so often make the privacy-invasive setting the default.
Some blogs I read yesterday talked about the danger of having this information available on the syncing host. If the host is compromised, this data would be available to intruders. True, but if your syncing host is compromised you have a bigger problem to worry about: ever heard of Apple’s “escrow keybag” concept? A host that has paired with the device keeps an escrow keybag that lets it unlock the device’s protected files without the passcode, so the location log is the least of what an intruder on that host gets.
The real danger, in my opinion, isn’t the existence of these logs but the potential for the information in them to be misused. If you can correlate this data with a user’s activity stream, you can determine precisely where they bought a Starbucks coffee, where they gassed up their car, where they looked up a restaurant on the Yelp app, and where they checked in for a flight. If that isn’t a complete invasion of privacy, I don’t know what is.
As mobile technologies continue to penetrate our everyday lives, privacy becomes an increasingly elusive notion. Consumers must sometimes choose between loss of privacy and the convenience of the “always connected” lifestyle, but they cannot make that choice if they are not given the necessary information. C’mon, Apple: let consumers decide whether they want other apps or services prying into their every move; don’t decide it for them.
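The correlation described above is trivial to implement, which is the point. The following is an added example (mine, not code from the post, from Apple, or from the researchers): a nearest-timestamp join of a location log against an activity stream. Both data sets are constructed samples; the record layout (timestamp, latitude, longitude, horizontal accuracy) and the 15-minute matching window are assumptions, since the post does not describe the real file’s schema.

```python
"""Correlate a timestamped location log with a user's activity stream.

Added example for this post; not Apple's code and not the post's own.
The location-record layout and the activity stream below are constructed
sample data. The real file's schema is not described in the post, so the
layout here is an assumption.
"""
from bisect import bisect_left
from datetime import datetime, timedelta, timezone

DEFAULT_WINDOW = timedelta(minutes=15)  # assumed maximum time gap for a match

# Constructed location log: coarse fixes such as a device might record.
# Each record is (timestamp, latitude, longitude, horizontal_accuracy_m).
LOCATION_LOG = [
    (datetime(2011, 4, 19, 8, 2, tzinfo=timezone.utc), 37.7793, -122.4193, 500),
    (datetime(2011, 4, 19, 8, 31, tzinfo=timezone.utc), 37.7897, -122.4012, 250),
    (datetime(2011, 4, 19, 12, 5, tzinfo=timezone.utc), 37.7921, -122.3966, 250),
    (datetime(2011, 4, 19, 18, 40, tzinfo=timezone.utc), 37.6213, -122.3790, 1000),
]

# Constructed activity stream, e.g. card transactions and app usage.
# Each event is (timestamp, label).
ACTIVITY = [
    (datetime(2011, 4, 19, 8, 29, tzinfo=timezone.utc), "coffee purchase"),
    (datetime(2011, 4, 19, 12, 7, tzinfo=timezone.utc), "restaurant lookup"),
    (datetime(2011, 4, 19, 18, 35, tzinfo=timezone.utc), "flight check-in"),
    (datetime(2011, 4, 20, 3, 0, tzinfo=timezone.utc), "web search"),  # no fix nearby
]


def nearest_fix(log, times, when, window):
    """Return the log record closest in time to `when`, or None if the
    closest one is further away than `window`.

    `log` must be sorted by timestamp and `times` is its timestamp column,
    so each lookup is a binary search plus a check of the two neighbours.
    """
    i = bisect_left(times, when)
    candidates = [log[j] for j in (i - 1, i) if 0 <= j < len(log)]
    if not candidates:
        return None
    best = min(candidates, key=lambda rec: abs(rec[0] - when))
    return best if abs(best[0] - when) <= window else None


def correlate(log, activity, window=DEFAULT_WINDOW):
    """Attach a location to every activity that has a fix within `window`.

    Returns a list of (event_time, label, latitude, longitude, accuracy_m)
    in activity order. Events with no fix close enough in time are dropped
    rather than guessed, so every output row is backed by a real record.
    """
    log = sorted(log)
    times = [rec[0] for rec in log]
    matched = []
    for when, label in activity:
        fix = nearest_fix(log, times, when, window)
        if fix is not None:
            _, lat, lon, acc = fix
            matched.append((when, label, lat, lon, acc))
    return matched


if __name__ == "__main__":
    for when, label, lat, lon, acc in correlate(LOCATION_LOG, ACTIVITY):
        print(f"{when:%Y-%m-%d %H:%M}  {label:<18} within ~{acc}m of ({lat:.4f}, {lon:.4f})")
```

With the default window, three of the four constructed events land on a map; the late-night web search has no fix within 15 minutes and is left out. Widening the window trades precision for coverage, which is exactly the trade an adversary holding a year of fixes gets to make.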