Two security researchers investigating visual uses for geolocation data revealed today that gadget giant Apple has been secretly shipping spyware inside of its mobile operating system (iOS) that constantly records its customers’ whereabouts.
The discovery, which has ignited a firestorm of criticism, was first made public at O’Reilly Radar by the researchers (Alasdair Allan and Pete Warden) prior to being announced onstage at Where 2.0, a conference about the “business of location”, presently taking place in San Francisco.
To us and other critics of Apple, the discovery is a grim confirmation of our longstanding suspicions about the company’s business practices and policies.
Over the years, we have repeatedly condemned Apple for marketing and selling gadgets which its customers cannot fully control, except by jailbreaking (which voids the warranty). Now we find out that Apple has programmed all of its devices to track its users’ movements.
And to be clear, we’re not talking about a list of general locations. No, we’re talking coordinates for longitude and latitude, plus precise timestamps, nearby Wi-Fi networks, and other information.
Shockingly, all of this information that Apple’s devices collecting is being stored in an unencrypted file, which means a thief with hacking skills can easily map the movements of any person they can steal an iPhone or iPad from.
(Warden has released an open-source application that allows iPhone users to map the information that their device is recording about them. It’s pretty amazing).
The researchers stress that at this time, it doesn’t appear that iOS devices are “phoning home” to Cupertino with this data. But that’s no consolation. Undoubtedly, Apple has the capability to remotely command any device that has this information to transmit it to servers under its control.
If what Apple is doing isn’t illegal, it should be. No doubt whoever designed and implemented this spyware checked with Apple’s lawyers to make that it is covered under the “end user license agreement”, or EULA, that a user must agree to after purchasing and activating one of Apple’s devices. If true, it doesn’t mean Apple is completely protected against litigation over this, but it will make it difficult for any outraged customers to get justice in a court of law.
The time has come for Congress to step in and act to ensure that Americans’ right to privacy is protected from unaccountable corporations like Apple, Google, and Facebook, which continue to invent new excuses to justify their unacceptable business practices. These companies are waging war on the very idea of a right to privacy. They are making the Internet, and all of us, less secure in the process.
Apple’s decision to join Google and Facebook in this race to the bottom is especially ironic considering that Apple is responsible for one of the most famous cultural references to the works of George Orwell: the famous 1984 ad.
Less than thirty years after producing that ad, Apple increasingly resembles the Big Brother-esque entity it once appealed to Americans to reject.
Legally, the hardware that Apple sells belongs to the people who buy it. Practically, however, the hardware that Apple sells remains under its control well after a customer takes possession of it, because the software answers to Apple, not the user. And Apple’s policies are draconian.
For instance, only non-free software that Apple approves of can be downloaded and installed on its devices. Apple’s terms even prohibit the distribution of software released under copyleft through its App Store.
The Library of Congress has ruled that jailbreaking an iPhone or iPad is legal, but less than ten percent of Apple’s customers reportedly jailbreak their devices.
People who buy Apple’s gadgets are thus more like renters than owners.
And Alasdair Allan and Pete Warden’s discovery just affirms that. Apple’s tracking is being conducted involuntarily. The only way to opt out is to not use iOS at all. So much for freedom from conformity.
3 Comments
Andrew, cell phone companies–all cell phone companies–record the same information for all cell phone. It is easily available to police agencies, and probably not all that hard for criminals to get at, as well.
Congress, in its defense of police authority (terrorism! think of the children!), is unlikely to act in these cases until major changes in US politics occur.
There are important differences between what Apple is doing here and what mobile carriers have been doing for years.
First, it’s generally understood that mobile carriers have the ability to record the position of devices on their network… and do so. The carriers have privacy policies in place which govern what they do with the information they collect. Apple, in contrast, started shipping this spyware back in June without saying anything about it to its customers. Until the researchers discovered what Apple was doing, nobody except for people inside the company knew what was going on.
Second, Apple is storing the information it is programming its devices to collect in an unencrypted file, *on the device*. That means anyone who gets hold of the device can ascertain the whereabouts of the person it belonged to. That’s very different than a carrier like Verizon or AT&T logging location data and storing it in one of its datacenters. We obviously don’t know how secure all of the carriers’ datacenters are, but the carriers at least make an effort to secure the data they have. Apple obviously isn’t.
As MoveOn’s staff — who are self-professed Apple fans — say:
I’m not holding my breath. I don’t trust Apple any more than I trust Google.
Look at their patent — it is much more diabolical.