iPhone & iPad location-tracking file: "Evil" privacy problem (consolidated.db)

By Richi Jennings. April 22, 2011.

Updated: The curious story of the iPhone and iPad location-tracking file continues to attract interest. Is consolidated.db an evil privacy problem, a useful assistance to GPS, or an Apple (AAPL) oversight? In IT Blogwatch, Alasdair Allan and Pete Warden come in for criticism for renting the forensics curtain.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention Raymond Chen's top ten tips from Vegas...

Gregg Keizer reports Senator Al Franken wants answers:

Franken's letter to ... Steve Jobs came after a pair of British researchers reported Wednesday that ... iOS 4 logs up to 100 location entries daily. ... The data [are] stored in an unencrypted SQLite file ... [and] saved on the device owner's Windows PC or Mac.

...

"There are numerous ways in which this information could be abused," ... said Franken ... "There is no indication that this file is any different for underage ... users, meaning that the millions of children and teenage [users] ... also risk having their location collected and compromised."

...

[The] FCC is also reportedly looking into the matter.  

Christopher Vance also noticed the tracking, six months ago:

The consolidated.db is not by any means a bad thing. ... I have also not found any information to suggest that Apple ... is collecting this information. ... Why Apple does the things they do is beyond me.

...

There are multiple tables within this database. ... [such as] CellLocation and WifiLocation. ... I believe the CellLocation table will contain information pertaining to local cell towers. ... The WiFiLocation table had similar information: Time, Longitude, Latitude, etc. but also including Mac Addresses ... [of] the networks the device sees.

...

Will it give you a 100% accurate GPS point? ... No. Will it give you real-time tracking data to track someone? No. Can it help you narrow down timeframes and locations? ... Absolutely, if used properly.  

Pete Warden responds to criticism:

We went public with this ... because it already seemed to be an open secret among ... forensic phone analysis [people], but not among the general public. ... We were freaked out by the implications ... but most of the forensics community seemed to miss quite how creepy ordinary people would find it.

...

The fact that there's thousands of different points scattered across small areas ... seems like pretty strong evidence that they're not just the locations of cell towers. ... There's a lot more points than there are towers. There's also lots of points with the same tower ID ... in different locations.  

Brian X. Chen has been digging through Apple's previous pronouncements:

Apple’s general counsel Bruce Sewell in July 2010 sent a 13-page letter ... explaining its location-data-collection ... [to] Congressmen Joe Barton and Edward Markey. ... The collected geodata is stored ... anonymized with a random identification number ... and finally transmitted over an encrypted Wi-Fi network every 12 hours. ... At Apple, the data gets stored in a database “accessible only by Apple.”

...

In older versions of [iOS] ... Apple relied on Google and Skyhook Wireless to provide location-based services. ... [But] starting with iPhone OS 3.2 ... Apple has started using its own databases to provide location-based services. ... In short, Apple’s stored location database is intended to assist and quicken location processes.

...

[But] after that data is transmitted to Apple ... there’s no reason for it to stick around on your device ... accessible to anyone with physical or remote access to your iPhone or iPad. Again, that’s a security issue. ... It doesn’t need to be stored on your device permanently.  

Here's John Gruber, with rare praise for Android:

Android phones store the same type of location information, but, unlike iOS, Android’s cache only contains recent entries — which is to say Android is doing it right.  
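
An added example, not code from Apple, the researchers or any blogger quoted here: a retention check over the two tables Vance names, measuring how much history a cache holds compared with one that keeps only recent entries, as Gruber describes. The `Timestamp` column name, the 2001-01-01 epoch, the 7-day window and the sample rows are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: timestamps are seconds since 2001-01-01 UTC (Apple's epoch).
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Table names are from the page; the column name "Timestamp" is an assumption.
TABLES = ("CellLocation", "WifiLocation")


def retention_report(conn, now, max_age_days=7):
    """Per table: row count, span of history in days, rows older than the window."""
    cutoff = (now - timedelta(days=max_age_days) - APPLE_EPOCH).total_seconds()
    report = {}
    for table in TABLES:  # fixed allow-list, so the f-string is not injectable
        total, oldest, newest = conn.execute(
            f"SELECT COUNT(*), MIN(Timestamp), MAX(Timestamp) FROM {table}"
        ).fetchone()
        stale = conn.execute(
            f"SELECT COUNT(*) FROM {table} WHERE Timestamp < ?", (cutoff,)
        ).fetchone()[0]
        span = (newest - oldest) / 86400 if total else 0.0
        report[table] = {"rows": total, "span_days": round(span, 1), "stale_rows": stale}
    return report


def build_sample(now):
    """Constructed data: one fix per day for 300 days, not a real device file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CellLocation (Timestamp REAL, Latitude REAL, Longitude REAL)")
    conn.execute("CREATE TABLE WifiLocation (MAC TEXT, Timestamp REAL, Latitude REAL, Longitude REAL)")
    base = (now - APPLE_EPOCH).total_seconds()
    for day in range(300):
        ts = base - day * 86400
        conn.execute("INSERT INTO CellLocation VALUES (?, 0.0, 0.0)", (ts,))
        if day < 3:  # models a cache that keeps only recent entries
            conn.execute("INSERT INTO WifiLocation VALUES ('00:00:00:00:00:00', ?, 0.0, 0.0)", (ts,))
    return conn


if __name__ == "__main__":
    now = datetime(2011, 4, 22, tzinfo=timezone.utc)
    for table, stats in retention_report(build_sample(now), now).items():
        print(table, stats)
```

A large `stale_rows` count and a `span_days` measured in months is the pattern Chen calls a security issue; a cache that ages entries out reports zero stale rows.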

Meanwhile, in a parallel universe, Andy Marlatt reports from "Cupterino":

Researchers who uncovered the hidden file ... created a program allowing users to ... build a map that researchers termed “remarkably detailed” and iPhone owners called “depressingly accurate.”

...

Expressing the fears of many iPhone owners ... Caldwell, N.J. resident Brian Porteri ... said he is concerned the information could fall into the wrong hands. “If my dad gets a hold of this file, I am screwed. ... It will validate everything he’s ever said about me.”  

But what does Levi Sumagaysay say?

Is this a turning point in privacy in the digital age? ... Some people are outraged, including the ACLU. But ... many people are indifferent to all the hullabaloo. To paraphrase ... “My life is boring. I have nothing to hide. Let them track me.”

...

The ACLU has asked for data from the Michigan State Police, whom they allege have taken data from mobile phones in violation of the Fourth Amendment. ... Some of us may have trouble sticking to our convictions. Yes, we value our freedom and privacy. ... But then we fire up Google Maps ... to help us find our destinations by using our current locations.

...

Will we switch from smartphones back to “dumb phones” to minimize our chances of being tracked? ... Technology has come a long way since the wiretap — and there may be no turning back.  

 

And Finally...

Raymond Chen's back from Vegas, with ten top tips

[OK, they're not all tips, but sometimes alliteration is better than accuracy]

 
 

Richi Jennings, your humble blogwatcher

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. He's also the creator and main author of Computerworld's IT Blogwatch -- for which he has won American Society of Business Publication Editors and Jesse H. Neal awards on behalf of Computerworld, plus The Long View. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: itbw@richij.com. You can also read Richi's full profile and disclosure of his industry affiliations.

Copyright © 2011 IDG Communications, Inc.
