Members of Congress demand that Apple provide more details as to why it's collecting location information on iPhones and iPads and why the data is not protected.
Amid a brewing controversy
over a tracking feature in Apple's iOS 4, several members of Congress have
called on Apple to explain what the information is for.
Rep. Edward Markey
(D-Mass.) wrote to Apple CEO Steve Jobs on April 21 requesting information and
suggesting that the practice may violate the Federal Communications Act. Markey
asked Apple to confirm that the collection feature exists, explain why it was
developed, describe how customer information is collected and verify whether
users can disable the collection.
Markey's letter expressed
concern that collecting user-location data and storing it unprotected on the
device runs counter to the provision in the Communications Act that requires
companies to get express authorization from customers to use, disclose or
access location information for commercial purposes.
"Apple needs to safeguard
the personal location information of its users to ensure that an iPhone doesn't
become an iTrack," wrote Markey.
Apple's iPhone and the 3G
iPad running iOS 4 are regularly recording the device's location position into
a hidden database file, Alasdair Allan, one of the researchers who discovered
the file, wrote April 20 on the O'Reilly
. Location data is being saved to the file and is regularly
backed up when the device is synced to the PC, according to Allan.
The data saved in consolidated.db
appears to contain cell-tower triangulation information and names of WiFi
access points, not actual GPS data from the phone.
"What makes this issue worse
is that the file is unencrypted and unprotected, and it's on any machine you've
synced with your iOS device," Allan wrote. Anyone can look at the file to know
where the user-or at least, the device-has been over the past year since the
iOS was released in June, said Allan.
It's not clear if the data
is being sent on to Apple, and Apple is not saying anything at this point.
However, in a letter to Markey last
, Apple said it may "collect and transmit cell tower and WiFi
Access point information," which it would then use to build a cell tower and
WiFi access-point database. The data is "batched and then encrypted and transmitted
to Apple over a secure WiFi Internet connection every 12 hours," Apple
said in that letter.
Apple used to build the
location database by licensing the data from Skyhook, which collected the
information by sending cars to "drive around the world," F-Secure's researchers
wrote on the News
from the Lab
blog. Apple started replacing the Skyhook database with its
own iPhone OS 3.2, which was released in April 2010. Apple asked user
permission via a highly misleading prompt shown during the initial iTunes
installation, according to F-Secure.
Google also maintains its
own global database of the locations of WiFi networks, based on information
collected when the Google Maps Street View cards were going around the globe.
Since the database is
currently unprotected and unencrypted, it's possible that malware can target
the data, either on the mobile device or on the desktop PC. In fact, it's even
possible that law enforcement can look at the information to determine where
the person has been for the past year, raising privacy flags, F-Secure's
Allan and his co-researcher,
Pete Warden, have released an open-source iPhone Tracker
application that can plot the collected information on a map.
This is the second such
unprotected file containing user information found on mobile devices this
month. Skype recently fixed a security flaw that would have allowed a
third-party application to view user data stored in a Skype
database on Android
Markey is not the only
concerned voice in Congress. Sen. Al
(D-Minn.) penned his own note to Jobs asking for details on why it
is collecting the data, on what devices, how frequently it's being collected,
what Apple does with it, why it's not encrypted, and why Apple didn't notify
its users, among other things.
It's also possible that this
is a bug, and Apple will fix it immediately. "My little-birdie-informed
understanding is that consolidated.db acts as a cache" for recent location data,
and historical data is supposed to be removed, wrote John Gruber on the Daring