With all the modern technology and innovative ways of sharing information we all try to seek out a way to balance how much information we want to share with how much privacy we want to give ourselves. But in the last few weeks a couple stories have cropped up that really make we wonder how possible it is to balance the privacy side with the option to share and utilize our huge social network.
This jumped to mind when I read about Apple Iphone’s and Ipad’s were secretly tracking personal data about their users…and for what purpose? No one knows.
Researchers Pete Warden, a writer, and Alasdair Allan, a senior research fellow in astronomy at the University of Exeter, were the ones who uncovered this issue. They were working on some location data visualization projects and during that process discovered suspicious files on their Iphones.
What’s happening is that devices running iOS 4 are gathering location and storing it in an unencrypted file. The file, named “consolidated.db,” and it contains location data about cell towers the device accessed and Wi-Fi networks that it was within range of, plus other information, like the direction a device was facing as determined by the digital compass that became standard on the iPhone 3GS.
This data allows your information to create a digital map of where you were when you used your phone or Ipad. The file includes latitude-longitude coordinates and a timestamp. However, the coordinates aren’t always correct, probably because your location is being triangulated between cell phone towers.
According to Allan and Warden, the tracking didn’t begin until iOS 4, which was released in late June 2010. The previous version of iOS did in fact track a similar set of information, including cell towers and GPS information, but the data was not stored in a simple directory format.
The database of location information is stored primarily on your phone, though due to the iOS device backup system in iTunes, these files can also end up on your computer. When iTunes saves these backups, which are set by default to be stored every time you sync an iOS device, the data file goes along with it.
The concern as the researchers point out, is that this information is unencrypted. To quote the researchers: “By passively logging your location without your permission, Apple [has] made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movements,”
This news has caused quite an uproar. Senator Al Franken, who is the chair of a new privacy panel for the US Government, sent a letter to Steve Jobs requesting an explanation. In addition the Federal Communications Commission (FCC) is also reportedly looking into the matter, while a Congressman from Washington State has followed Franken’s lead, promising to ask questions of his own.
But should we be getting so worked up over this? Why exactly is Apple doing this? We have a couple theories so far.
It turns out this isn’t new information. Location tracking was discussed last year by Digital forensic specialists and Apple did respond in a 2010 letter that its location tracking was purely to improve its services.
It’s also worth noting that there is no evidence that this data is being sent to Apple, the researchers also admitted that there is also “no immediate harm that would seem to come from the availability of this data.”
In terms of privacy, cell phone companies have always had this data and normally it would take a court order to retrieve this kind of data by law enforcement, which occasionally happens.
Apple has stated that they collect the data anonymously in a form that does not personally identify someone and its used by Apple and their partners and licensees to provide and improve location-based products and services.
It’s also worth noting that an Iphone’s position isn’t being continuously tracked. It tends to only get information related to when a location-related feature or app is used.
So why is the file unencrypted? Based on what I read, it probably has something to do with how Iphone collects location of available wi-fi networks. Apple’s iOS devices have three ways to determine your location: They can collect GPS data (provided the device supports GPS and can get a signal from enough GPS satellites), utilize cell tower triangulation (provided we’re talking about an original Iphone or a 3G Ipad and a cell connection can be established), or refer to a database of known Wi-Fi networks.
A few years ago, Apple began building its own list of database of Wi-Fi networks and their locations. As they build their global database of Wi-Fi networks and locations, collecting data from iOS devices worldwide is an ideal way to maintain and update that database. (And Apple’s not alone in doing that)
Another possibility is that third party apps are “sandboxed” from IOS to protect privacy. Therefore it’s conceivable that some location data had to be unencrypted for these apps to use.
But why does an iPhone or 3G Ipad store months and months of data? The consensus view — it’s probably a bug. Simply for performance and space reasons, it would make sense that a location cache be cleaned out periodically — just as any cache file on any desktop or mobile platform should be cleaned out. The fact that data isn’t being culled from the file means it likely got overlooked among other iOS engineering issues over the past year or two. The bug theory seems to have more credence after Apple announced a fix to help the problem. The update will limit the amount of data kept in the location file, will prevent iTunes from backing up the file to users’ computers and will delete all information in the file when users turn off location services.
In many ways I think the Iphone controversy is a bit overblown. But privacy fears were not allayed when another major company faced a similar situation. Sony, the company behind the Playstation 3 was hacked.
Sony's new slogan?
Over the past few weeks gamers were mystified when Sony’s online gaming network crashed. However that confusion soon turned to outrage when Sony later admitted the network was hacked and its users personal information was stolen.
Sony stated that hackers stole information including the names, address (city, state, zip), country, email address, birthdates, PlayStation Network password and login, and handle/PSN online ID. They also said it’s also possible that profile data, including purchase history and billing address (city, state, zip), and PlayStation Network password security answers may have been obtained.
Worse, it’s also possible that credit card information was stolen as well.
This is a good time to mention to any of our listeners who used Sony’s Playstation network to consider cancelling your credit cards and change all your passwords.
Sony is in hot water for this. Not only for the breach of security but also delaying informing its customers for over a week.
Already, the UK Information Commission is looking into the issue. In addition, Sony received a letter from the US Congress, the letter, which was written by the Subcommittee on Commerce, Manufacturing and Trade, asks a number of security and privacy related questions that Sony has never disclosed to the public. They included when the intrusion occurred, if Sony knew who was responsible for the attack and when the company notified law enforcement. The letter also asked Sony to explain what it knew about the type of data that was stolen by the hackers and if it included any credit card information
A class action law suit was filed against Sony by the Rothken law firm in a California district court as well.
According to security researchers, hackers have been observed on underground forums selling credit card information stolen from Sony. Kevin Stevens, senior threat researcher at the security firm Trend Micro, said he had seen talk of the database on several hacker forums, including indications that the Sony hackers were hoping to sell the credit card list for upwards of $100,000. Mr. Stevens said one forum member told him the hackers had even offered to sell the data back to Sony but did not receive a response from the company.
Sony is now claiming they were the victim of a ”of a very carefully planned, very professional, highly sophisticated criminal cyber-attack designed to steal personal and credit card information for illegal purposes,” – source BBC
Yes, Sony is claiming they were hacked by the group Anonymous, although they aren’t sure if the data theft was part of the hacking attack.
Either way it leaves us with some disturbing questions. To what extent can we expect our privacy to be maintained while engaging in the online social networking technologies we enjoy? Apple may have spooked a few people with its Iphone tracking but Sony clearly dropped the ball on their security that has resulted in credit card information falling into the wrong hands. Are they on the hook for this loss of data? Do corporations in general have a responsibility to protect private information or is it buyer beware?
As technologies advances, and as hackers learn and adapt new ways of breaking past security, what role does the consumer take in this odd dance? Will security standards eventually have to be dropped in order for folks to use such new technologies as Ipads and smart phones? If so, where does that put privacy rights? I clearly don’t have an answer to that question. But I do think it’s worth asking.