iPhone watching every breath you take, every move you make

Most people tend to enjoy a certain modicum of privacy. Aside from the data we all share willingly on the web in the form of forum posts, Twitter activity, etc., people generally like keeping to themselves.

What would you think then, if you found out your iPhone (or any iDevice with 3G) was tracking and logging your every movement?

That’s exactly what two researchers from the UK are claiming. They state that the phone is constantly logging your location using cell towers, placing the information into a timestamped database. That database is not encrypted, and is copied to your computer each time you sync with iTunes. Additionally, the database is copied back to your new phone should you ever replace your handset.

We understand that many iPhone apps use location awareness to enhance the user experience, and law enforcement officials should be able to pull data from your phone if necessary – we’re totally cool with that. However, when everywhere you have been is secretly logged in plaintext without any sort of notification, we get a bit wary. At the very least, Apple should consider encrypting the file.

While this data is not quite as sensitive as say your Social Security number or bank passwords, it is dangerous in the wrong hands just the same. Even a moderately skilled thief, upon finding or swiping an iPhone, could easily dump the contents and have a robust dataset showing where you live and when you leave – all the makings of a perfect home invasion.

Continue reading to see a fairly long video of the two researchers discussing their findings.

[Image courtesy of Engadget]

89 thoughts on “iPhone watching every breath you take, every move you make”

  1. $5 gets you $7 that Apple’s response boils down to “There’s nothing to fix here; the innocent have nothing to hide.”

  2. …that said, the idea that somebody’s going to hack your Mac and use your iPhone’s backed-up location data to find out when you won’t be home, so they can break in and steal your stuff?

    Yeah, I saw that one! It starred Sandra Bullock, didn’t it?

  3. I’m just wondering what possible non-insidious reason there could be for this existing? What harmless and friendly explanation will Apple provide for having your phone log your location at all times?

    I could see, for instance, a mapping app wanting to do this for caching commonly traveled areas or something, but I can’t think of a reason that the phone as a whole needs to know this info.

  4. I’m more surprised people aren’t more aware that the vast majority of all phone calls are now recorded in a two year backlog. Pretty much all phone conversations using new technology.

    Don’t believe me? Try making an obscenely expensive phone call and try to deny you made it, that your phone was hijacked. “Sir I think you’re mistaken, this certainly sounds like you… (plays recording)”

  5. I like how they started saying “without asking for your permission,” completely ignoring the fact that they agreed to some horrifying EULA which probably had a footnote about gathering all your data ever.

    This sort of thing shows a growing trend in service providers in recent years: “Do things which would otherwise make your clients very uncomfortable without telling them because they’ll appreciate it after they’ve had it for a while.” Facebook does this by basically trying to force people’s profiles to be more open, and Apple does this by putting people in walled gardens.

    I’m pretty shocked at how calm these guys are about the fact that their location is being recorded over 100 times per day! I have an extra dumb phone because I hope to avoid shenanigans like this as much as possible (and I don’t trust google as far as I could throw a company, which isn’t very far. It has a lot of employees!)

    Anyway: yet another reason for me to not like Apple! Huzzah!

  6. Reason why you would keep this information: Advertising location-based items.

    For example:
    Travel a lot? hotel and flight ads
    Don’t travel? online shopping ads

    This is the only thing I could think of.

  7. the flood of indifference over this is kinda creepy. there’s no reason for this sort of data to exist in unencrypted form.

  8. How long ago was this going on? If this is really what is happening that Apple is logging your whereabouts why did it take up until 4 iPhone revisions to identify this? *assuming it was implemented day 1*

    Shouldn’t we all look at how technology is being used for instances like this in case they are leaking data? I would think someone would have done this before.

  9. @Aaron

    It does not seem that you need to hack anyone’s home PC to get the data. The file is also stored on the phone and is accessible once jailbroken. It means that when you get up from your table at Starbucks to grab your quadruple venti nonfat double whip extra foam cherry mocha latte chino, I can snag your phone off the table and walk out the door…with thousands of datapoints giving me unique insight to your daily routine. Sure I could sit at the end of your block and watch your house, but it is much easier to stalk you in the comfort of my own home.

    @Odin

    Some data would make sense. How about “Odin was at least 20 miles away from his home for at least 40 hours this month” as an indicator of travel instead of “Odin was at 43.101298321, 21.090031341 at 09:01:13 on April 20, 2011”? The fact that it is not encrypted boggles the mind.

  10. I wonder if the police will be able to get a court order to access the iPhone logs of suspected criminals and use it as evidence?

  11. This does not happen with every phone.

    1. This isn’t logging what tower you are connected to. It is triangulating your location based off of multiple towers.
    2. Most phones do not have enough storage for a years worth of logs even if they wanted to log this info.
    3. While the telecom companies can log your position from their end, this would constitute direct tracking of all individuals using a cellphone. That type of database would be noticeable to at least someone at the FCC.

    What is being asked is if your devices ever send this file to Apple. This is what you get when you sign up for a closed source operating system.

  12. Has it really taken this pair of geeks to bring this to the world media attention?

    Does this show just how stupid / ignorant the average Apple user is? I mean, these guys just took a little while to browse some files in a back up folder.

  13. @Decius

    This issue was introduced with the iOS 4.0, meaning all iPhone 4’s which shipped with that OS and all older iPhones which upgraded are affected.

    @Doktor Jeep

    The iPhones don’t have easily accessible batteries to pull.

  14. @Bob: re your first point, all 3G phones _do_ triangulate your position. It was government mandated as part of the original license agreement (to pinpoint you when you make an emergency call) and can locate you to about ten metre accuracy in optimal conditions.

    And yes all modern cell phones, even plain old GSM, do store a log of the cells they’ve seen recently in order to reconnect to them quicker.

    Can only suppose Apple do this on the sly for marketing purposes. Unpardonable of them to store it unencrypted though.

  15. Look at the advert at the right, fleet GPS monitoring for $3300 per. Truckers are going to have forced auto-logging for time on the road, on NPR yesterday. Eventually we won’t use accelerators because the GPS will know the speed limit on the exact road and run you accordingly.
    All of e-space including your connected hardware will be public and searchable. Only inert stuff and your dumb house will be exempt. Smart houses will be public, your utility bill already is.

  16. a guy announced that quite a while back on the Chaos Congress during a talk. But just wifi syncs and every user is a wardriver by default. The wifi data got synced with skynet.
    that’s how they build and maintain their database..
    and it’s the same with android (just easier to shut it off)

  17. @nuit
    Android does this? Do you have any links? I’ve actually always wanted to keep a log of my position over time for fun visualizations in the future (“man I went to lunch at that place a LOT!”) but I’ve always been too lazy to set it up and I’ve been concerned about battery life. If it’s already doing it, I’d love to have that data.

    Or was that a guess?

  18. @echodelta: ‘noticed that the google-ads are placing iPhone products with this posting. LOL.

    we need to know what Rights we still have and keep on defending them. Truckdriving is not necessarily a Right, but we do have a Right to Privacy. Stuff like this happens because people let it happen to themselves.

    @Scuzz: i agree about the EULA comment. we are doing this to ourselves by buying these products.

  19. @taylor
    during his talk he said, there exists a database with MAC address and location. i don’t have an android phone on my hands…it would be interesting to look through them…have a look at your filesystem and your running processes :)
    investigate on your own ;)

  20. Turn off location services. I usually have location services turned off, and there are large gaps in the database corresponding to the times that location services were off.

  21. Who is really surprised? Apple is a company that builds their brand on doing things their way at the expense of the customer. You simply don’t have the right to criticize, complain, or question in their world. This makes sense in that context, it is better for Apple to have this information than not have it.

    As to the balance of privacy and individual rights, our generation will have enormous influence on the future of these matters. If you aren’t happy with where things are going, do something about it!

  22. Anybody who gets ahold of somebody else’s smartphone likely has much easier ways of getting much more sensitive information than this.

  23. This file – or the new content of the file thereof – is sent to the mothership every night over wifi.

    This isn’t really news as it’s been a “feature” of the device since version 4. What wasn’t clear was whether or not this database would be cleared every time it uploaded. Apparently not.

    Enjoy your freedoms. >.>

  24. Ahh the iSheeple. They’ll update their facebook status and tweet with their twits…
    and then, almost instantly, rationalise why there is nothing wrong “really” and the future is iShiny!
    cognitive dissonance ftw!!

  25. and law enforcement officials should be able to pull data from your phone if necessary – we’re totally cool with that

    I’m afraid you’re very alone in this. I’m totally not cool with that.

  26. >law enforcement officials should be able to pull data from your phone if necessary – we’re totally cool with that.

    You shouldn’t be.

  27. This nicely states that it logs where your phone has been.
    Not where you have been.

    I would recommend not to log this kind of information at all as it isn’t relevant.
    This kind of information is only relevant for applications who can obtain it from the GPS module at runtime anyway.

    Fix it Apple, it is senseless.

  28. btw, law enforcement officials -will- take data from your phone (if they can obtain your phone), indeed with the proper warrant, anyway when they think it is relevant. That is just how law works.
    When there is a case, and the information is necessary to sustain the case, it is justified.

    It’s just that -this- kind of information should not have been on your phone and certainly not synced onto your pc when there is no technical reason to have it there.

    Current and/or last known location, fine. But timestamped in a database for ages, no.

    cheers!

  29. take a picture with the iphone send it to someone they can pull the GPS coordinates off of it and trace where it was taken in google.

  30. There is a web based location viewer here:

    http://www.courbis.fr/Localisation-iPhone-votre.html

    You’ll need to pull “consolidated.db” from your iTunes backup, or from the phone itself. It’s located here on the phone:
    /private/var/root/Library/Caches/locationd/consolidated.db

    I tried it, and it works… I am able to see all where I have been over a period of time in google maps!

  31. The responses here are so predictable. Apple has replaced Microsoft as the company people love to hate. It’s a conspiracy I tell you! lol.

    Why hasn’t anybody considered that somebody at Apple simply f***ked up? Maybe the database was supposed to be encrypted. Maybe it was one of the diagnostic logs from when apple were trying to fix the reception problems, and was accidentally left behind.

    It’s great that these issues are found and made public rather than taken advantage of. We have to ‘keep the b@st@rds honest’ as they say. But the paranoia some people have is just plain scary.

  32. @nuit

    No, Android does NOT do this, not even close… If it did, don’t you think people would have found it by now? You know, considering the source code is freely available to anyone and that devs tear every version of Android apart as soon as the source is released… You even stated yourself that you do not have an Android phone, so how would you know? There is nothing built into Android itself that tracks your position silently without the user knowing about it like the video shows here… The only thing that comes close is Latitude, which is an app you have to sign in and run manually, and you can turn it off whenever you want… What Apple has is a hidden function that silently records all your location data without the user even knowing about it, not to mention its unencrypted and easy to obtain. And you can also find it in your backups in iTunes…

    Another plus for open source software.

    @Taylor Alexander

    No, Android doesn’t do this by default… You can track your movements with the app called Latitude which should have come with your phone, but you have to sign in and enable it since it’s off by default.

  33. @Simon

    Wow… Are you serious?

    Yea, Apple mistakenly coded tracking software on your phone which records your every move since you’ve updated to iOS 4…

    Why are they tracking your every move in the first place? What do they need the data for and how are they using it? Encrypted or not, Apple shouldn’t be tracking your every move to begin with. Period.

  34. @JJ neat tool, but I’d be kind of leery about taking the very file containing this personal information and uploading it to some website…

  35. Since it started with the update and was immediately used by law enforcement I’m thinking they were involved. and not just geo-fencing as is suggested at one point by the guys in the vid.
    Because the cops normally take some time to discover these things and it’s a bit telling they were reportedly on this immediately.

  36. Incidentally, I think MS can sue them for their taking their idea of storing everything without giving a clear reason and telling the user too much about it, MS has been doing that for years, outlook express even keeps a db of deleted e-mails, that people deleted, to be you know.. deleted.
    And the registry is full of logs too and there are many other db’s on Windows.

  37. Just looking at the full path to the database file tells you a lot about what the file is used for.

    /private/var/root/Library/Caches/locationd/consolidated.db

    It’s a cache file created by locationd. The location daemon. It’s not an application designed to track you. It’s part of the location API.

    The location API in iOS, that can be called by any app that needs it, returns not just the latitude and longitude. It also returns the altitude, speed, direction, as well the date, time, and gmt offset. It’s a cache, so it needs to store the last couple of recorded locations to be able to calculate the speed and direction. You need more than 2 coordinates to calculate the speed and direction or you’ll end up with wildly fluctuating results even just standing still. Caching the last dozen or so locations make perfect sense. Obviously there’s no need to store any more than this.

    To me it still looks like it was something accidentally left in the release version of iOS. It may have been added to help find who had access to the iPhone 4 prototype that went missing.
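The data-minimisation idea raised in the @Odin reply in comment 9 and in comment 37 (keep about a dozen recent fixes for speed and direction, and retain only a coarse "time away from home" figure) can be sketched as below. This is an added example, not Apple's locationd code or the researchers' tool; the class name, the 12-fix limit and the 20-mile threshold are assumptions taken from the commenters' wording.

```python
import math
from collections import deque

EARTH_RADIUS_M = 6371000.0
METERS_PER_MILE = 1609.344

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

class MinimalLocationCache:
    """Hypothetical cache: newest `max_fixes` fixes plus one coarse counter."""

    def __init__(self, home, max_fixes=12, away_miles=20.0):
        self.home = home                       # (lat, lon) chosen by the user
        self.away_m = away_miles * METERS_PER_MILE
        # (unix_time, lat, lon); the deque silently discards the oldest fix
        # once max_fixes is reached, so no long-term trail accumulates.
        self.fixes = deque(maxlen=max_fixes)
        self.away_seconds = 0.0                # the only long-term record kept

    def add_fix(self, t, lat, lon):
        if self.fixes:
            prev_t, prev_lat, prev_lon = self.fixes[-1]
            # Credit the elapsed interval if it started away from home.
            if haversine_m(self.home, (prev_lat, prev_lon)) >= self.away_m:
                self.away_seconds += t - prev_t
        self.fixes.append((t, lat, lon))

    def speed_mps(self):
        """Average speed over the cached window, which smooths per-fix jitter."""
        if len(self.fixes) < 2:
            return 0.0
        pts = list(self.fixes)
        dist = sum(haversine_m(p[1:], q[1:]) for p, q in zip(pts, pts[1:]))
        elapsed = pts[-1][0] - pts[0][0]
        return dist / elapsed if elapsed > 0 else 0.0

    def away_hours(self):
        return self.away_seconds / 3600.0
```
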

  38. Surprised no one mentioned anything about Steven Rambam’s presentation at the Last HOPE keynote, which pretty much gives you an insight about the disturbing trend of tracking people.
