Two secu­ri­ty researchers inves­ti­gat­ing visu­al uses for geolo­ca­tion data revealed today that gad­get giant Apple has been secret­ly ship­ping spy­ware inside of its mobile oper­at­ing sys­tem (iOS) that con­stant­ly records its cus­tomers’ whereabouts.

The dis­cov­ery, which has ignit­ed a firestorm of crit­i­cism, was first made pub­lic at O’Reil­ly Radar by the researchers (Alas­dair Allan and Pete War­den) pri­or to being announced onstage at Where 2.0, a con­fer­ence about the “busi­ness of loca­tion”, present­ly tak­ing place in San Francisco.

To us and oth­er crit­ics of Apple, the dis­cov­ery is a grim con­fir­ma­tion of our long­stand­ing sus­pi­cions about the com­pa­ny’s busi­ness prac­tices and policies.

Over the years, we have repeat­ed­ly con­demned Apple for mar­ket­ing and sell­ing gad­gets which its cus­tomers can­not ful­ly con­trol, except by jail­break­ing (which voids the war­ran­ty). Now we find out that Apple has pro­grammed all of its devices to track its users’ move­ments.

And to be clear, we’re not talk­ing about a list of gen­er­al loca­tions. No, we’re talk­ing coor­di­nates for lon­gi­tude and lat­i­tude, plus pre­cise time­stamps, near­by Wi-Fi net­works, and oth­er information.

Shock­ing­ly, all of this infor­ma­tion that Apple’s devices col­lect­ing is being stored in an unen­crypt­ed file, which means a thief with hack­ing skills can eas­i­ly map the move­ments of any per­son they can steal an iPhone or iPad from.

(War­den has released an open-source appli­ca­tion that allows iPhone users to map the infor­ma­tion that their device is record­ing about them. It’s pret­ty amazing).

The researchers stress that at this time, it does­n’t appear that iOS devices are “phon­ing home” to Cuper­ti­no with this data. But that’s no con­so­la­tion. Undoubt­ed­ly, Apple has the capa­bil­i­ty to remote­ly com­mand any device that has this infor­ma­tion to trans­mit it to servers under its control.

If what Apple is doing isn’t ille­gal, it should be. No doubt who­ev­er designed and imple­ment­ed this spy­ware checked with Apple’s lawyers to make that it is cov­ered under the “end user license agree­ment”, or EULA, that a user must agree to after pur­chas­ing and acti­vat­ing one of Apple’s devices. If true, it does­n’t mean Apple is com­plete­ly pro­tect­ed against lit­i­ga­tion over this, but it will make it dif­fi­cult for any out­raged cus­tomers to get jus­tice in a court of law.

The time has come for Con­gress to step in and act to ensure that Amer­i­cans’ right to pri­va­cy is pro­tect­ed from unac­count­able cor­po­ra­tions like Apple, Google, and Face­book, which con­tin­ue to invent new excus­es to jus­ti­fy their unac­cept­able busi­ness prac­tices. These com­pa­nies are wag­ing war on the very idea of a right to pri­va­cy. They are mak­ing the Inter­net, and all of us, less secure in the process.

Apple’s deci­sion to join Google and Face­book in this race to the bot­tom is espe­cial­ly iron­ic con­sid­er­ing that Apple is respon­si­ble for one of the most famous cul­tur­al ref­er­ences to the works of George Orwell: the famous 1984 ad.

Less than thir­ty years after pro­duc­ing that ad, Apple increas­ing­ly resem­bles the Big Broth­er-esque enti­ty it once appealed to Amer­i­cans to reject.

Legal­ly, the hard­ware that Apple sells belongs to the peo­ple who buy it. Prac­ti­cal­ly, how­ev­er, the hard­ware that Apple sells remains under its con­trol well after a cus­tomer takes pos­ses­sion of it, because the soft­ware answers to Apple, not the user. And Apple’s poli­cies are draconian.

For instance, only non-free soft­ware that Apple approves of can be down­loaded and installed on its devices. Apple’s terms even pro­hib­it the dis­tri­b­u­tion of soft­ware released under copy­left through its App Store.

The Library of Con­gress has ruled that jail­break­ing an iPhone or iPad is legal, but less than ten per­cent of Apple’s cus­tomers report­ed­ly jail­break their devices.

Peo­ple who buy Apple’s gad­gets are thus more like renters than owners.

And Alas­dair Allan and Pete War­den’s dis­cov­ery just affirms that. Apple’s track­ing is being con­duct­ed invol­un­tar­i­ly. The only way to opt out is to not use iOS at all. So much for free­dom from conformity.

About the author

Andrew Villeneuve is the founder and executive director of the Northwest Progressive Institute, as well as the founder of NPI's sibling, the Northwest Progressive Foundation. He has worked to advance progressive causes for over two decades as a strategist, speaker, author, and organizer. Andrew is also a cybersecurity expert, a veteran facilitator, a delegate to the Washington State Democratic Central Committee, and a member of the Climate Reality Leadership Corps.

Adjacent posts

3 replies on “Researchers’ discovery demonstrates that Apple users don’t really own their devices”

  1. Andrew, cell phone companies–all cell phone companies–record the same infor­ma­tion for all cell phone. It is eas­i­ly avail­able to police agen­cies, and prob­a­bly not all that hard for crim­i­nals to get at, as well.

    Con­gress, in its defense of police author­i­ty (ter­ror­ism! think of the chil­dren!), is unlike­ly to act in these cas­es until major changes in US pol­i­tics occur.

    1. There are impor­tant dif­fer­ences between what Apple is doing here and what mobile car­ri­ers have been doing for years.

      First, it’s gen­er­al­ly under­stood that mobile car­ri­ers have the abil­i­ty to record the posi­tion of devices on their net­work… and do so. The car­ri­ers have pri­va­cy poli­cies in place which gov­ern what they do with the infor­ma­tion they col­lect. Apple, in con­trast, start­ed ship­ping this spy­ware back in June with­out say­ing any­thing about it to its cus­tomers. Until the researchers dis­cov­ered what Apple was doing, nobody except for peo­ple inside the com­pa­ny knew what was going on.

      Sec­ond, Apple is stor­ing the infor­ma­tion it is pro­gram­ming its devices to col­lect in an unen­crypt­ed file, *on the device*. That means any­one who gets hold of the device can ascer­tain the where­abouts of the per­son it belonged to. That’s very dif­fer­ent than a car­ri­er like Ver­i­zon or AT&T log­ging loca­tion data and stor­ing it in one of its dat­a­cen­ters. We obvi­ous­ly don’t know how secure all of the car­ri­ers’ dat­a­cen­ters are, but the car­ri­ers at least make an effort to secure the data they have. Apple obvi­ous­ly isn’t. 

      As MoveOn’s staff — who are self-pro­fessed Apple fans — say:

      It’s as though you’re wear­ing a GPS ankle bracelet every day, and Apple nev­er told you about it, or asked you to opt in, or even let you opt out.


      As it is today, anybody—a jeal­ous spouse, a nosy employer—with access to your phone or com­put­er can get detailed infor­ma­tion about where you’ve been.

      And if and when Apple starts look­ing at where you go, they will also be able to guess with a great deal of accu­ra­cy your age, gen­der, race, income lev­el, etc. Sus­pi­cious­ly, Apple began this track­ing around the same time they launched a major new pro­gram to sell ads in iPhone and iPad apps—are they plan­ning on sell­ing the data to marketers?

      Many Apple fans and cus­tomers chose Apple because it’s gen­er­al­ly more secure. Apple has real­ly bro­ken our trust, and hope­ful­ly when they hear how upset we are, they’ll change their practices.

      I’m not hold­ing my breath. I don’t trust Apple any more than I trust Google.

Comments are closed.