By now everyone has read something about the controversy over Apple tracking people through their iDevices. Unfortunately, most of the information out there is misleading and/or wrong and has been from the beginning. Not only does this misinformation not help, it’s clouding the serious, legitimate problem.
It’s not GPS nor only about Apple
Let’s get two things out of the way first: the data in question is not GPS and Apple isn’t the only party collecting this data. First, the data consists of cell tower and Wi-Fi hotspot locations, not GPS coordinates. Second, it’s been shown that Google collects this data from Android devices, and anyone else in both the mapping and smartphone businesses should be doing the same. If they aren’t, they’ll be out of one of those businesses soon. Remember these points for later.
Taking it from the top…
The firestorm ignited when Pete Warden and Alasdair Allan announced their discovery of a file called “consolidated.db” that contains a list of locations and time stamps. This file is stored on iOS devices and in the device backups kept on users’ computers. They further demonstrated how the data can be used to generate a map of these locations.
By itself, that would have been a fine piece of work. However, Allan and Warden peppered their report with insinuation and omissions that led others to draw their own conclusions as to the purpose of this data, which led to the current atmosphere of controversy and misinformation. Perhaps worst of all, they failed to give credit where it’s due.
Taking it from the REAL top…
Turns out the existence of the consolidated.db file was published in a book called “iOS Forensic Analysis for iPhone, iPad and iPod touch” in December 2010. This revelation comes from Alex Levinson, a contributor to that book, who posted this photo of page 335 for proof. Levinson further points out that he and Sean Morrissey, the book’s primary author, demonstrated their own utility similar (and superior) to Warden and Allan’s mapping application in February 2011 at the DoD Cyber Crimes Conference in Washington, DC.
Levinson explains that while the consolidated.db file is new in iOS 4, the data is not. It previously existed in a file called “h-cells.plist”. Levinson also shares his thoughts on how the data is used in both that post and a new one. However, to really understand its purpose, I think we need to go back even further.
They’re not spying; you are.
See, technically, what’s in that consolidated.db isn’t a list of places your iPhone has been. It’s actually a list of cell towers and Wi-Fi hotspots your iPhone has detected. Your iPhone’s location can be inferred from that list (with varying degrees of accuracy), but that’s not its purpose.
Think of a spy tracking a terrorist cell. As the cell moves, the spy reports back to his or her agency with their locations. The spy does not report his or her own location, but since he or she is maintaining proximity to the terrorists, a rough estimate can be inferred from the data. That’s what’s happening with the location data in consolidated.db. Apple isn’t spying on you; you’re spying for Apple.
I didn’t sign up to be a spy
It’s important to note this agreement is separate from any agreement to use location-based services. LBS is about using your location, while the relevant part of this agreement is about acquiring the location of cell towers and Wi-Fi hotspots. Your location can be inferred from the data if and only if someone knows it’s from your device. Collected anonymously, it’s a map of tower and hotspot locations. Aggregated with data from other users, it loses relevance to any one user. The data collection really has nothing to do with tracking users.
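The distinction drawn above, as an added example that is not part of the original article: the same rows give a rough track for one device while a device identifier is attached, and only a tower map once it is dropped. All rows, field names and identifiers are constructed for illustration and are not the real consolidated.db schema.

```python
from collections import defaultdict

# Constructed sample rows: (device_id, unix_time, tower_id, tower_lat, tower_lon).
# Field names and values are assumptions, not the real consolidated.db layout.
SIGHTINGS = [
    ("dev-A", 1000, "T1", 40.7500, -73.9900),
    ("dev-A", 1010, "T2", 40.7520, -73.9860),
    ("dev-A", 1020, "T3", 40.7480, -73.9880),
    ("dev-A", 5000, "T7", 40.6900, -73.9800),
    ("dev-A", 5010, "T8", 40.6920, -73.9760),
    ("dev-B", 1005, "T1", 40.7500, -73.9900),
    ("dev-B", 9000, "T8", 40.6920, -73.9760),
]

def infer_track(rows, device_id, window=600):
    """Rough positions for one device: centroid of the towers it detected
    in each time window. Only possible while rows carry a device id."""
    buckets = defaultdict(list)
    for dev, ts, _tower, lat, lon in rows:
        if dev == device_id:
            buckets[ts // window].append((lat, lon))
    track = []
    for b in sorted(buckets):
        pts = buckets[b]
        lat = sum(p[0] for p in pts) / len(pts)
        lon = sum(p[1] for p in pts) / len(pts)
        track.append((b * window, round(lat, 4), round(lon, 4), len(pts)))
    return track

def anonymous_tower_map(rows):
    """What is left after dropping device id and timestamp: a map of
    tower locations that no longer says which device saw what, or when."""
    return {tower: (lat, lon) for _dev, _ts, tower, lat, lon in rows}

if __name__ == "__main__":
    for start, lat, lon, n in infer_track(SIGHTINGS, "dev-A"):
        print(f"window starting {start}: near ({lat}, {lon}) from {n} towers")
    print(anonymous_tower_map(SIGHTINGS))
```

The track is only as precise as the spread of towers in each window, which is the "varying degrees of accuracy" caveat in practice.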
So what’s the point?
The reason Apple is collecting this data is to build and maintain their own assisted GPS database. Using the known locations of cell towers and Wi-Fi hotspots, assisted GPS estimates your location without a GPS lock and cuts the time required to get a lock. When Apple launched the iPhone, they signed a deal with Skyhook Wireless to provide this service. But in April 2010 with iOS 3.2, Apple started using their own database, and they’re not alone.
Location-based services are shaping up to be big business with a big pot of money attached. Research by Microsoft indicates the LBS market is growing rapidly. Skyhook Wireless went after Google for millions in a lawsuit in which they claim Google pressured Motorola into breaking their contract for LBS with Skyhook.
Any company that offers location-based services needs a dynamic database of waypoints, such as cell towers and Wi-Fi hotspots, in order to accurately tell mobile users where they are, particularly in urban environments where GPS is restricted. One option is to license that database from Skyhook Wireless. Another is to build your own, as Apple and Google are known to be doing. I guarantee Microsoft, RIM and others who offer mobile location-based services are either already following Apple’s and Google’s lead or figuring out their own method of leveraging their user base to do so. If they’re not, they’re watching someone else eat their piece of the LBS pie.
So if everyone does it, what’s the problem?
While folks wrestle with an imaginary privacy scare grown through misinformation, there remains a legitimate privacy concern that is going mostly unnoticed. It concerns the lack of clear disclosure that this data was being collected and the risks involved in collecting it.
Apple asks for diagnostic and usage information about your iPhone, which is fair enough to do. However, I don’t believe tracking tower and hotspot locations counts. That information is external to the device, not part of it. If Apple wanted to collect data on my iPhone’s location, I would consider that a fair part of that agreement. But instead they’re using my iPhone to collect tower and hotspot locations, and that’s not right. I only signed up to give info about my device, not those belonging to other people.
The lack of transparency on that point is a serious problem, far more legitimate than the paranoia circulating. To be clear, I don’t think there’s anything wrong with reporting tower and hotspot locations back to Apple. I just think this falls outside the range of “diagnostic and usage information about your iPhone”. It’s about property that belongs to others. Therefore, it requires separate, specific permission, as well as a detailed explanation of the risk involved.
By retrieving the data anonymously, Apple protects your privacy from Apple. What they don’t do is protect your privacy from anyone else. If someone else extracts this data from your iDevice or the backup file on your computer, that person is the one violating your privacy, beginning the moment they access your device without consent. True, it’s not Apple’s fault someone else accessed your data, but they should have told users this data was there to be taken.
As far as privacy invasion goes, this data is trivial compared to the call and message history, contacts, and appointments on most people’s phones. The difference is users know that data is there and can erase it. Can’t do that with a file you don’t know about.
The bottom line is, there is a problem, a serious one, but it’s not the one most people think. Apple is not spying on you; you’re spying for Apple. Same goes for Google and Android users. And if you think Microsoft, RIM, Nokia, and the wireless carriers are not or will not be deploying their own spies, well, you must not think very highly of their ability to compete. It’s not about who’s doing it, but how, and Apple isn’t doing it the way they should. Congress dropped the ball when the issue was raised last year (probably because they didn’t understand the problem), and all the fearmongering and misinformation this time only obscures the real problem.
Update 4/27/11: Nailed it.