Thursday, May 5, 2011

Apple Location Issue: Somewhat Better, but Still Bad!!!

Apple put out a press release last week, and issued a software update yesterday that addresses the location tracking issue that was made public two weeks ago.  It’s a step in the right direction, but there are still unanswered questions and things to be concerned about.

The software update does a few things right.  iOS version 4.3.3 makes some good changes…

  • Only 24 hours’ worth of data is stored on the phone.
  • The local cache of location data can be turned off entirely.
  • The data file is not backed up to your computer.

These are all great steps.  Apple should be commended for making these changes.  However, they haven’t really gone quite far enough.  The data on the phone is still not encrypted (that change is coming sometime in the future), potentially making it available to apps and people if a phone has been jailbroken or a software exploit is discovered that allows access to such files.  I’m not going to make too much more of a stink about that because one easy way to avoid that is to not jailbreak the device in the first place.

Their press release was still a little bit troubling, though.  First, they engaged in a game of semantics.  They claim that “Apple” does not track “your” location.  Instead, the phone keeps a list of cell phone towers and WiFi access points near its location.  Uhhh… how much different is the location of things near you from your current location?  WiFi access points typically have a very short range (how far away from your house can you use your WiFi?) so the accuracy of WiFi location data is actually fairly good.  Nice try, Apple, but your word game doesn’t work on me.

The more troubling thing about their release is something that I haven’t heard anybody bring up, anywhere.  One of the things they stated was that the data on the phone isn’t really the phone’s location, but a local cache of a list of cell towers and WiFi access points that have been near your phone, right?  Well, that data is coming from an Apple database.  And that database is huge.  Certainly bigger than what can be stored on a phone.  So Apple sends small subsets of that data to the phone, and this is stored locally (indefinitely for iOS <4.3.3, 24 hours for 4.3.3) to make calculating your location easier.  Sounds okay conceptually, right?  Well, there’s a big problem with that.  In order to decide what data to send to you, Apple has to know what cell towers and WiFi access points are near your phone in the first place.  They haven’t made any sort of statement about what they are doing with that data.

Imagine this scenario… you’re lost, and you need to know where you are. You might call a friend and tell them a little about what you see around you.  You can describe buildings and other landmarks, hoping that based on that information your friend will be able to help you figure out where you are.  But in the process, haven’t you revealed your position to your friend?  It just isn’t possible to get your location using this method without letting someone know where you are.  This is exactly what happens with cell phones (not just the iPhone) when they use this method to locate themselves.

Apple claims that it uses a unique ID number which isn’t tied to your account, and it changes (now) every 24 hours when making these requests.  Microsoft has said it changes the ID number as well periodically, but not how often.  Google never changes this ID number.  So in theory, Apple can only track a phone for 24 hours, Microsoft for an indefinite amount of time, and Google can track it forever.  They all claim they can’t tie this to an individual phone, but that just is not accurate.  Here’s why…

Every data conversation that takes place on the internet does so using an IP address.  It’s sort of like a phone number, and it is used to route data from point A to point B.  It’s fundamental to the way that the Internet works.  For two computers to have a two way conversation, both have to know the other’s IP address.  So these conversations where phones download the list of nearby cell towers and WiFi access points have to include this IP address.  It’s absolutely required. 

If the cell tower and WiFi location data were hosted by a third party (as was once the case for all three of these players), there might not be as much to worry about because the IP address couldn’t necessarily be tied to an individual phone.  The trouble is that the companies providing the location data are the same ones that create the operating systems for the phones.  And you have to sign into their services to use the devices.  With the iPhone, you have to tie it to your Apple ID.  With Google, it has to be tied to your Google Account.  With Windows Phone, it has to be tied to your Windows Live account.  And all devices call home to update various aspects of those services… such as checking for app updates or checking email, for example.  Those conversations ALSO take place using an IP address, which happens to be the same for these services and for the location database download.  Bingo… they have a link between you, your device, and your location.

All three companies have claimed that they do not upload YOUR location to their services tied to your account.  The problem is that they DO have enough information in various places to be able to piece together your location.  (Your login to a company’s services + IP Address) + (A request for a list of nearby cell towers and WiFi access points + IP Address) = You + Your Location.
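To make that linkage concrete, here is an added example (not code from the original post or from any of the companies named). The log formats, accounts, IDs and addresses are constructed, and the 5-minute matching window is an assumption. For each location request it computes the set of accounts seen on the same IP address around the same time: a set of one means the rotating ID gives no protection, while an address shared by several phones leaves the match ambiguous.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real logs. IPs are documentation-range addresses.
# Authenticated service traffic: (timestamp, source IP, account)
SERVICE_LOG = [
    ("2011-05-04T09:00:10", "198.51.100.7", "alice@example.com"),
    ("2011-05-04T09:05:00", "203.0.113.20", "bob@example.com"),
    ("2011-05-04T09:05:30", "203.0.113.20", "carol@example.com"),
    ("2011-05-05T09:01:00", "198.51.100.7", "alice@example.com"),
]
# Location-cache requests: (timestamp, source IP, rotating ID, nearby access points)
LOCATION_LOG = [
    ("2011-05-04T09:00:40", "198.51.100.7", "id-7f3a", ["ap-home-1", "ap-neighbor"]),
    ("2011-05-04T09:06:00", "203.0.113.20", "id-c21e", ["ap-cafe"]),
    ("2011-05-05T09:01:20", "198.51.100.7", "id-0b9d", ["ap-home-1", "ap-neighbor"]),
]


def candidate_accounts(loc_time, loc_ip, service_log, window=timedelta(minutes=5)):
    """Accounts seen on the same IP within `window` of a location request."""
    t = datetime.fromisoformat(loc_time)
    return {
        account
        for ts, ip, account in service_log
        if ip == loc_ip and abs(datetime.fromisoformat(ts) - t) <= window
    }


def linkability_report(location_log, service_log):
    """Map each rotating ID to the set of accounts it could belong to."""
    return {
        rotating_id: candidate_accounts(ts, ip, service_log)
        for ts, ip, rotating_id, _aps in location_log
    }


if __name__ == "__main__":
    for rid, accounts in linkability_report(LOCATION_LOG, SERVICE_LOG).items():
        status = "linkable to one account" if len(accounts) == 1 else "ambiguous"
        print(f"{rid}: {sorted(accounts)} -> {status}")
```

In the sample data, two different rotating IDs from consecutive days both resolve to the same single account, which is the post's point about the 24-hour ID change.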

I’m not saying that the companies are actually doing this, I’m just saying that the potential is there for these companies to tie a lot more information together than they’re admitting.  In all cases, you, your location, your purchasing habits, the contents of your email, and more can all potentially be tied together.  The possible implications can be scary.

The good news is that Apple now allows Location Services to be turned off entirely, so the phone won’t even ask for location information tied to nearby radio signals.  The downside is that turning this off completely disables all GPS functions.  It is technically possible to enable GPS functionality without the local cache functionality, but none of the phone manufacturers are allowing that.  GPS devices do it all of the time, but for some reason cell phones aren’t allowed to.
