Home / Blogs

A Closer Look at Apple and Location-Tracking

There’s been a lot of media attention to a report that iPhones track your movements. It’s even reached the U.S. Senate. I’m underwhelmed. I think that the threat is overhyped.

What is happening is that these devices create a hidden file with your location. This can be determined by cell phone tower and/or WiFi access points encountered. It does not seem to include GPS data.

Fundamentally, the location file created is a log file. As I tell my students, log files are useful operationally, but also represent a privacy threat if misused. There are two bad things here: the operational purpose of this file has not been made clear, and users are unaware of its existence. (They also can’t clear the file if they’re willing to forgo the putative advantages, assuming that they knew what those were.)

But who has access to that file? Someone who has access to your phone or your backup device—your PC or Mac—can read it; however, if they have that sort of access, they can get at far more sensitive things, like your email passwords. Encrypt the backups? That isn’t a bad idea, but who has access to the keys? File encryption is only useful when the threat is physical rather than over-the-air, and does nothing to protect against someone who obtains custody of the phone rather than the backup device. It helps in some situations, but it’s hardly a panacea. (I note that whether or not one can refuse to disclose an encryption key is an unsettled question under U.S. law. Under British law, one must disclose such keys.) In fairness, I should add that there is one situation where encryption does help: if you’re backing up the iPhone to a folder stored on a network share controlled by others.

The threat, then, is that someone who wants to track your detailed movements will get hold of your phone and/or backup device. Certainly, this can happen. It’s not likely to happen if your gadgets are lost or stolen; most thieves are more interested in having a hot item to resell. It might be of interest to law enforcement, though for large-scale movements, such as airplane trips, credit card receipts will give them all the data they need. The new data is an advantage for tracking detailed movements within a city, though the increasing prevelance of license plate scanners may soon render that irrelevant.

There’s one wild card: is this data ever sent to Apple? Thus far, there have been no allegations that this happens. If it should turn out that Apple is receiving the data, the privacy threat becomes very great. It is also highly likely that Apple will suffer a major PR problem and probably legal consequences as well. Again, thus far there have been no allegations, let alone proof, that this has happened; I sincerely hope that the files are staying on their home machines.

By Steven Bellovin, Professor of Computer Science at Columbia University

Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs.

Visit Page

Filed Under

Comments

I agree Neil Schwartzman  –  Apr 21, 2011 4:08 PM

I can’t figure out what the explosion was yesterday. Cellphone operators know where you are, every single minute of the day, and yes, they track it. http://www.nytimes.com/2011/03/26/business/media/26privacy.html?_r=2 Cripes, we see t.v. crime/detective shows ostensibly showing the use of this tracking technology, constantly.

Every freaking app on the iPhone wants me to enable geo-tracking. THEY know where you are.
And, as you say, the file under discussion is stored locally.

So what precisely is the big deal, and why are people shocked, SHOCKED about it?

It's just another salvo in the smartphone market religious wars John Berryhill  –  Apr 22, 2011 6:05 PM

Leaving aside the GPS functions and so forth, how people thought the cellular telephone system operated WITHOUT knowing where you were, prior to now, is what leaves me dumbstruck on the panic reaction here.

It's more the uninteneded interaction... Valdis Kletnieks  –  Apr 26, 2011 2:26 PM

Sure, the wireless providers already know where you are all the time anyhow.  I see the *big* issue as being tools like Cellebrite, which is apparently being used by Michigan state troopers during traffic stops.  If that data wasn’t on the device, the trooper couldn’t hoover it out of there.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Cybersecurity

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global