Takeaways from Apple’s Location Data Privacy Incident

Last week two O’Reilly analysts posted a video explaining that Apple’s iOS 4, the operating system used on the iPhone and iPad, contained code that automatically logged a variety of time-stamped data that could be used to pinpoint where a device had been. This would allow someone with access to this data to construct a detailed picture of the device’s location history. Notably, the phone did not log GPS location data, but instead recorded location-related data based on cell towers and Wi-Fi networks. Nor has any evidence been presented to date that this data was transferred to a third party, such as Apple, a mobile application developer, or an advertiser. Apple has yet to respond to requests for comment from major news outlets or to provide more information about this specific issue; however, Apple has already provided a detailed memo outlining how it uses location-based data. Apple has not yet confirmed whether this memo still accurately reflects its data collection and use policies.

Even though there is no evidence of actual wrongdoing or harm, policymakers have already jumped into the fray. Rep. Edward Markey has called for a Congressional investigation into the matter, and Sen. Al Franken has scheduled a hearing on May 10 to discuss mobile device privacy and has asked Google and Apple executives to testify. Officials in Germany and South Korea have also announced their intent to investigate, and many other countries will likely join in.

Privacy advocates have quickly jumped all over the latest Apple news and the non-story reported in WSJ last week detailing how Android devices use mobile location-based data. As ComputerWorld tech columnist Mike Elgan describes the situation, “The self-appointed guardians of privacy are breaking out the pitchforks and torches. The news media have been alerted. TV talking heads are aghast.”

The reaction among privacy groups is not surprising given that many privacy fundamentalists gleefully salivate over any appearance of impropriety as a chance to advance their message that consumer privacy is dead, U.S. corporations are holding the bloody knife, and privacy regulations are needed to curb further abuses.

The sensationalism surrounding this story, including the original post on O’Reilly Radar titled “Got an iPhone or 3G iPad? Apple is recording your moves,” has fanned privacy fears by alluding to threats that have yet to materialize (or in some cases even exist). Even the O’Reilly analysts were forced to backpedal on their original comments following public scrutiny. After posting their article, they clarified that Apple was not actually recording anyone’s location: “Who has access to this data? Don’t panic. As we discuss in the video, there’s no immediate harm that would seem to come from the availability of this data. Nor is there evidence to suggest this data is leaving your custody.” But by then the rumors and mischaracterizations had already begun.

Moreover, as other security researchers have pointed out, this so-called discovery by O’Reilly’s crack researchers is not news in the sense of actually being “new”. The details of how Apple stores this location data and what information is included in the file in question, “consolidated.db,” have been presented at conferences, published in an academic journal, and even printed in a book (which, yes, is available on the iPhone and iPad).

So just what exactly is at stake here?  The safety of your children if you believe some privacy advocates (I don’t). As Rep. Markey explains, “’Do you know where your children are?’ is a question that every parent should know the answer to. But predators shouldn’t be able to hack into an iPhone or Android to find out for themselves, with devastating consequences for families. Unprotected personal location information could be a treasure trove for troublemakers.”

While high-tech kidnappings of iPhone-toting children may not be a widespread concern, the availability of detailed location-based data certainly presents privacy implications for some mobile device users. The existence of this undisclosed and unsecured data set introduces privacy risks if the data is somehow abused or misused. That said, as others, such as PCMag.com’s editor-in-chief Lance Ulanoff, have rightly pointed out, for the vast majority of users location data is not that sensitive.

So is all of this concern unwarranted? Not entirely, although the real issues have been overshadowed by the endless condemnation by privacy advocates.

There are at least three legitimate concerns that have not yet been answered:

1) The device was collecting this data even when the user had chosen to turn off location data collection. Perhaps the most serious problem here is the lack of transparency about what data is logged and what choices are available to users.

2) The device was logging a detailed history of location data over a long period of time. There may be a good reason that these devices logged this data, but Apple has not yet stated that purpose. However, this was not just a few data points about recent connections which might be justified for purely operational purposes (such as locating the most recent cell tower when restarting the phone).

3) The data was not stored securely. The presence of unsecured sensitive data (and not just location-based data) is the more serious risk for users of mobile devices. Unencrypted data poses a greater privacy risk in the event that a phone is lost or a third party gains access to these data files.
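The three concerns above map onto three controls a device or app developer can build into a local location cache: check the user's choice before anything is written, keep only the handful of recent sightings an operational purpose (such as a last-known-tower lookup) actually needs, and encrypt whatever is kept at rest. The Go program below is an added example written for this post; it is not Apple's code and does not reproduce the consolidated.db format. The record layout, the count and age limits, and the in-memory key are assumptions (on a real device the key would come from the platform keystore rather than a function parameter).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"io"
	"time"
)

// Observation is one cell-tower or Wi-Fi sighting; the fields are an assumption
// for this example, not the consolidated.db schema.
type Observation struct {
	Source   string // "cell" or "wifi"
	ID       string // tower or access-point identifier
	Lat, Lon float64
	Seen     time.Time
}

// ErrNotOptedIn is returned when the user has switched location logging off.
var ErrNotOptedIn = errors.New("location logging is disabled by the user")

// LocationCache keeps only the recent sightings an operational use needs
// (for example a last-known-tower lookup), bounded by both count and age.
type LocationCache struct {
	OptedIn  bool          // the user's location-services choice
	MaxItems int           // upper bound on retained sightings
	MaxAge   time.Duration // anything older is dropped
	Items    []Observation
}

// Record checks the user's choice before anything is written, then prunes so
// the cache never grows into a long-term movement history.
func (c *LocationCache) Record(o Observation) error {
	if !c.OptedIn {
		return ErrNotOptedIn
	}
	c.Items = append(c.Items, o)
	c.prune(o.Seen)
	return nil
}

// prune drops sightings older than MaxAge and keeps only the newest MaxItems.
func (c *LocationCache) prune(now time.Time) {
	kept := c.Items[:0]
	for _, o := range c.Items {
		if now.Sub(o.Seen) <= c.MaxAge {
			kept = append(kept, o)
		}
	}
	if len(kept) > c.MaxItems {
		kept = kept[len(kept)-c.MaxItems:]
	}
	c.Items = kept
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForDisk serialises the cache and encrypts it with AES-256-GCM so a lost
// device or copied backup does not expose it. The key is assumed to come from
// the platform keystore and is passed in explicitly here.
func (c *LocationCache) SealForDisk(key []byte) ([]byte, error) {
	plain, err := json.Marshal(c.Items)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil // layout: nonce || ciphertext || tag
}

// OpenFromDisk reverses SealForDisk; a tampered blob or a wrong key fails the
// GCM tag check instead of yielding garbage records.
func OpenFromDisk(key, blob []byte) ([]Observation, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, io.ErrUnexpectedEOF
	}
	plain, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return nil, err
	}
	var items []Observation
	return items, json.Unmarshal(plain, &items)
}
```

With `OptedIn: false` the cache refuses every write, so there is nothing on disk to disclose; with `MaxItems: 3, MaxAge: time.Hour` a year of tower sightings collapses to the last three within the hour, which is all a restart-time lookup needs; and because the sealed file carries a GCM tag, a copied or edited file fails to open rather than silently yielding records to whoever holds the phone.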

What is the takeaway from this story so far?

First, transparency is essential. Fair or not, this story would have been a much smaller news item had Apple made clearer what data was being stored on the user’s phone behind the scenes. However, transparency only goes so far. Devices and applications routinely log a variety of information in order to provide a service, troubleshoot issues, and improve products. Most users are willfully oblivious to data logging, and more transparency would not necessarily change this.

Second, organizations need to be aware of the privacy implications of generating user data, but they should not be discouraged from this activity. In fact, while many users might have been surprised to learn that this data was being stored on their phone, few would object to this data being used to provide them better apps or service. Hasty proposals, like extending “do not track” to mobile devices (itself a terrible idea), misdiagnose the problem and prescribe a painful solution that could harm innovation in new areas. Location-aware apps provide information that is contextually more interesting and more relevant. For example, searching for an ATM on your smartphone is more useful if the app knows where you are. Moreover, location-based data is tremendously useful and is helping to spawn an entire new generation of mobile apps like Foursquare that let users work and play in new ways.

Third, nobody has been harmed. Unfortunately, privacy advocates routinely fail to make a distinction between privacy risks and privacy harms. As I have argued before, the purpose of government privacy regulation should be to protect individuals from harm, not from risks. Individuals face risks every day and government cannot eliminate all risk. Instead, we learn to cope, create appropriate controls, and balance potential risks with potential benefits.

Image credit: Flickr user “ebatty”


About the author

Daniel Castro is a Senior Analyst with ITIF specializing in information technology (IT) policy. His research interests include health IT, data privacy, e-commerce, e-government, electronic voting, information security and accessibility. Before joining ITIF, Mr. Castro worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies. He contributed to GAO reports on the state of information security at a variety of federal agencies. He has a B.S. in Foreign Service from Georgetown University and an M.S. in Information Security Technology and Management from Carnegie Mellon University.