Late last week, two British security experts went public with their discovery of a hidden file on the Apple iOS 4 system that records where the user’s iPhone has been and when it was there. This database of information is stored by default and, perhaps of more concern, is unencrypted. Every time a user backs up her phone or syncs it with iTunes, she’s also backing up the file. The data is stored and updated even if she switches to a new phone. And the data isn’t just stored on the user’s smartphone or iPad 3G: iTunes transfers the SQLite file to any computer with which the user syncs her device.
While the two men, Alasdair Allan and Pete Warden, were not the first to have discovered this file, they are the first to make it more widely known, and have since created an app to let iPhone users see what details about them are being stored on their own devices.
The file’s existence is as befuddling as it is disconcerting. It’s not clear just what the point is of storing the data on the devices, especially since the data is not being transferred to Apple, as far as anyone can tell. As the Wall Street Journal notes, “wireless providers have long collected similar location data, which is important to have for call routing and for billing. But they store the data securely and the data aren’t saved on phones.” Apple didn’t respond to the WSJ’s request for comment.
The FCC is looking into the issue, and Senator Al Franken (chairman of the Subcommittee on Privacy, Technology and the Law) has sent a letter to Steve Jobs asking for clarification and an explanation for the tracking. Apple’s current privacy policy indicates that users’ locations and activities may be tracked as part of iOS 4’s mobile advertising platform.
Meanwhile, some are wondering what the existence of this kind of data means for the discovery process in lawsuits and criminal investigations. The locations aren’t very precise (the phone records all cell towers within range, and Wi-Fi networks), but they may be enough to check on alibis. Then again, a phone that never left a 100-yard radius logged locations from all over the city of Huntington, WV, so the data may not be that reliable.


