Hacker News new | past | comments | ask | show | jobs | submit login
IPhones and 3G iPads log your location in an unencrypted file on the device (oreilly.com)
415 points by petewarden on April 20, 2011 | hide | past | favorite | 190 comments

I didn't know this was news. I and other security researchers & law enforcement have known about it for a while. I assisted in one court case where the data was used as evidence.

I suspect the slick-looking iPhoneTracker app finally made it interesting to the media.

Edit: There was a similar deal on iOS 3 but it seemed more like a bug, not a feature. Data would be purged at some unpredictable interval. I can't recall the file path and don't have an iOS 3 device handy.

In deed nothing new. About a year ago a man discovered that his wife's iPhone was sending about 75 Mb of data to Apple via wifi in early morning : https://discussions.apple.com/thread/2450738?threadID=245073... It turned out it was dumps of GPS data and other stuffs.

Apple acknowledged that to the House of Representatives. They're gathering data about their customers, including GPS : [PDF] http://markey.house.gov/docs/applemarkeybarton7-12-10.pdf

II / C / 1 / a. : "Second, to help Apple update and maintain its database with known location information, Apple may also collect and transmit Cell Tower and Wi-Fi Access Point Information automatically. With one exception, Apple automatically collects this information only if the device’s location-based service capabilities are toggled to “On” and the customer uses an application requiring location-based infomiation. If both conditions are met, the device intermittently and anonymously collects Cell Tower and Wi-Fi Access Point Information from the cell towers and Wi-Fi access points that it can “see”, along with the device’s GPS coordinates, if available. This information is batched and then encrypted and transmitted to Apple over a Wi-Fi Internet connection every twelve hours (or later if the device does not have Wi-Fi Intemet access at that time)."

Good info, thanks.

It's important to note that the above use of "anonymous" is laughable in context.

In order for that uploaded data to be useful by Apple, it needs to maintain both the lat/long and wi-fi access point ethernet addresses & signal strengths. This is pretty much a globally-unique identifier.

Identifier of what, though? The two data points you just described identify the wireless network, not the iPhone. In fact, what you just described is precisely the data required for obtaining a device location from the nearby wireless networks, a la Skyhook.

I noticed Google asks to do this in Android, too. They make you explicitly OK it though, at least on my (Verizon Droid) phone.

In location options, if you check certain options it warns you that Google will be logging wifi info and other details even while apps that access this info are not running.

The warning shown when you click "Use wireless networks" in Location settings is

"Location consent Allow Google's location service to collect anonymous location data. Collection will occur even when no applications are running."

My analysis is that this turns the phone into a mobile sensor that performs the same function as one of the Google mobiles driving around with cameras performs relating to wifi and location logging. Google probably collects the GPS coordinates and SSID of every wifi network that comes into range of a phone with this enabled. Given their recent legal troubles relating to wifi discovery, hopefully it doesn't gather more than that.

Yes it does scan surrounding wifi SSID because Google Maps uses Skyhook ( http://www.skyhookwireless.com/ , belongs to Google) to geolocate users faster than just using pure GPS signal. So does Apple which also use Google Maps geolocation services on their iPhones.

My guess is that Apple is gathering all those data in order to build their own Skyhook. It makes sense, specially when you keep in mind that Apple bough the mapping company Poly9.

Google don't use Skyhook. They use their own database.

Skyhook is suing them due to this.

What's news to me is that this is persisted forever on the device in an unencrypted format.

"and the customer uses an application requiring location-based infomiation"

Curious. It certainly seems to be logging way more than just when the location services icon is showing.

Makes me curious about what else "isn't news" that I don't know about this "discovery". That's a lot of awkwardly disclosed (if at all), personal (why do they even care), unencrypted data points (I'd be in trouble for not encrypting) for the one of the world's most valuable companies to persist into eternity. Would it be news if this was MSFT?

Maybe the news just hasn't happened yet?

Side question, could you explain your ethics in helping the cops bust someone by using a tracking device they did not know they were carrying? Personally I find it repugnant and would not participate, the right to privacy is more important than a single crime.

Hopefully I have a better solicitor than the poor chap who had iOS location data submitted into evidence ;)

Given the response on HTCIA, HTCC, and the CCE lists, this was news to many people in the LE community. I think your edit touches on the difference - this is a new source for the information, and it is very easy to collect from the sync host.

I'll be checking in here for technical questions. The github direct link is http://petewarden.github.com/iPhoneTracker/

Thanks for the app -- quite eye-opening. The data looks good, except there is a bunch of data in Minnesota. I've never been to Minnesota! Any ideas?


EDIT: Data appears around the time I flew from NJ to Seattle -- perhaps my phone was on in-flight and connecting to MN cell towers? Seems unlikely, though, given the # of points.

Also unlikely because if your phone had not been in the "off position" then your plane would have undoubtedly crashed.

That could be related to the iOS location bugs. I know there were a couple where the phone would refuse to believe that it was anywhere but 1000 miles away.

Pete, the iPhone Tracker application is showing data points in a grid-like pattern, with multiple points visible simultaneously.

I haven't dug into the raw data - is that an artifact of the iPhone Tracker application, or is the raw data already rounded by Apple to fit on a grid, with multiple locations having identical timestamps?

How much I care about this depends a lot on the granularity of the underlying data.

From the FAQ:

To make it less useful for snoops, the spatial and temporal accuracy of the data has been artificially reduced. You can only animate week-by-week even though the data is timed to the second, and if you zoom in you’ll see the points are constrained to a grid, so your exact location is not revealed. The underlying database has no such constraints, unfortunately.

Although since it's open source, it shouldn't be too hard to remove this restriction.

I just went through the code and it is indeed pretty trivial to remove both restrictions. If you want to do it, in the iPhoneTrackingAppDelegate implementation file:

* Change the precision variable on line 149 to something bigger than 100 (10000 did it for me) - this will mark points in the map with higher precision:

  const float precision = 10000;
* Change the timeBucket variable on line 180 to change the date precision (the app currently gives you weekly based data, but it can go as far a data point every second). You could also just "cheat" and change the notion of weekInSeconds:

  const float weekInSeconds = (7*24*60*60);

Yo! I realise the likelihood of you seeing this is very low, but is there any chance you would do a brief runthrough of how to implement this code? I'm very interested to increase the precision of this app but don't know enough and can't locate the iphonetrackingappdelegate file you speak of..

I'll check back often! Thanks..!

You need a Mac, git, and XCode

in terminal type: 'git clone https://github.com/petewarden/iPhoneTracker.git

open that new iPhoneTracker folder, and load up the xcodeproj ( iPhoneTracking.xcodeproj )

in there go to iPhoneTrackingAppDelegate.m on the left sidebar

from that look at line 179 for changing the time inbetween registering, and look at line 149 for the locational precision

with those changed, hit the play button in the top left corner and the app should build and run

Thanks for posting the instructions. After doing this, it's easy to see that the tracking data is way off base quite a lot. And interestingly, places I visit a lot but never use my location for it has very few data points for. In fact, there's only one even near my office, which I visit nearly 5 days a week. Every week.

1 data point / second would be cool on flights, but of little practical use on the ground and would seem to be data overkill.

If this is only tracking cell towers as has been reported in a few places, why are there so many more dots than cell towers? Actually the FAQ says it is using triangulation, how accurate is that supposed to be?

Thanks for putting it online. I have a similar project not involving the iPhone logs, but I'm looking to using your visualizations to make sense of the data that I've been collecting.

So after doing a quick analysis of the data on my iPhone, I've come to the conclusion that this isn't a huge issue at all.

First, I'll start with the WiFi data (WifiLocation table): Among the information captured is MAC, Timestamp, and Lat/Long. I have a total of 118,640 records in my table. I did a "SELECT DISTINCT MAC FROM WifiLocation", and got... 118,640 records. This tells me that it's not "tracking my every move" via Wifi location since there's a single entry for each MAC. The question might be, is it updating the Timestamp when I'm near a specific Wifi Network? My guess is no. I did the backup and analysis this morning, April 20th. Yet the last entries in my database are from April 16th. This tells me that it's not an always on tracker and that it's not updating timestamps.

Next, I looked at the CallLocation table: The same thing held true with this table. The last entry on my phone was from April 16th. Also, I have 6300 entries in my CellLocation table. I decided to start restricting the precision of the Lat/Long to see if there were duplicates that would indicate "tracking". At 5 decimal points, there were no duplicates. At 4 decimals, there were a handful that had 2 dups. At 3 decimals, there were more dups, with the most being 6. At this point I still had 5672 uniques. At 2 decimals, the most had 89 and I had 2468 uniques. At 1 it really went down, obviously, and I was down to 253 uniques. The other thing I noticed was that there was no regular timing of entries, and that when there were entries, a large number of them had the same timestamp.

So based on my analysis, this isn't a feature that enables detailed tracking of a user. It will allow you to see if a user has been in a certain location the first time, but that's the extent of it. For instance, I could see that I made a trip to Washington DC in late October of last year. But you can't really tell my movements around my home town with any amount of precision. My assumption, like others, is that Apple is using this to enable easier use of Location based services. I assume (which I'm going to test), that whenever a user enables a Location Based app (Google Maps, FourSquare), iOS updates this database with all local cell towers/wifi locations and the Latitude/Longitude. The more comprehensive the local database is, the quicker/easier it is for Location Based Services to help pinpoint a users location. Instead of waiting for GPS to spin up and get a satellite lock, it will be able to get a more accurate lock off of cell tower/wifi triangulation.

Great analysis which is the first I've seen to come up with a reasonable explanation for the existence of this file. Caching this data is a logical method by which to speed up location lookups.

However, there's no reason why this data should not be stored by default under the OS's "Data Protection" encryption as email is by default on devices where a passcode is set:


The problem is this data is being recorded without the user's knowledge or permission. (Unless it's a tiny line in the EULA I'm unaware of.)

If the data is being used to help the performance of Location Based Services, there is no need to keep years worth of data, that persists, and is backed-up every time you sync. Apple could simply keep a log of the last 4 or 5 data points.

Further, the data may not be super accurate, but that's only because the technology isn't good enough. If it were (and it will be eventually) that table would have pinpoint precise data. The precedent is being set right now. Is this ok? Personally I think this sort of behavior is unethical. Location tracking logs should be opt-in. It certainly shouldn't be hidden or a secret.

Unethical? Really? I don't think it is that at all. A mistake it isn't encrypted? Yes.

I think the fact that they're logging my location without my knowledge or permission for their personal interests (whether their exploiting it now or not), is unethical. The lack of encryption is just an implementation oversight on their part.

It is covered in the EULA. You did read the EULA right? The only issue IS the lack of encryption.

Relevant portion: http://pastebin.com/EdFJr6iU

Burying it in the EULA doesn't make it acceptable, it makes it sneaky.

I just ran the additional test I noted above. I went into Google Maps and had it locate my position. Then I did a new backup to look at the data again.

I had 9 additional records, all Timestamped identically, from while I was using Google Maps. However, there were 112 other records where the Timestamp was updated.

So again, it seems to only update the database when you use a Location Based Service. And it does update any existing records with a current timestamp.

Location tracking on iOS devices without GPS (for example an iPod touch) sometimes works without any internet connection (it nearly always works with an internet connection – WLAN access points are used to determine the approximate location), especially in urban environments (with a lot of WLAN access points). I always figured that iOS devices download location info on all the surrounding WLAN access points (maybe even those not in range – it seemed like that in my tests) as soon as you use location services and are connected to the internet.

This database could have something to do with that.

Yes, when you use the location services in, say, a new city then your device will download and cache the WiFi location data for a large radius around that initial lookup the next time it has an internet connection. It's pretty cool, actually.

That database isn't infinitely large, as unused location information will be removed as new location data comes in.

Android achieves this well, too. I guess Apple are just following Google's move (remember when Google recorded all the wireless access points with their streetview vans?)

I seem to remember this being talked about at one last year's WWWDC sessions.

I remember hearing this on reddit but the post is mirrored at http://www.volnation.com/forum/pub/127425-iphone-bug-2.html#...

'Look at the video for session 115, "Using Core Location in iOS". Skip to around 13:45 for the discussion of "Course Cell Positioning" where they discuss the cache in detail.'

Does the iPhone actually have real GPS, or is it just based on 3G towers?

It has A-GPS, which is inferior in some ways to true GPS, but is much more accurate than triangulating from towers (which it will resort to under certain conditions.)


The iPhone (3G, 3GS, and 4) and the 3G iPads have fully functional GPS hardware, and also use A-GPS to acquire a position fix.

If you've ever used a normal standalone GPS in one city and gotten on a plane and flown across the country and tried to use the GPS again, you'll know that it can take 5+ minutes to reacquire a fix that first time off the plane.

Assisted GPS seems to be a very poor choice of name. I have repeatedly met people who wrongly believe that Assisted GPS is not actual GPS.

Some AGPS devices cannot determine their own position from a satellite signal, whereas others can as long as they have received an almanac from a server in the recent past. It depends what you mean by "actual GPS". Some implementations are completely incapable of acting in a standalone capacity.

Here is what the Wikipedia article you linked to says: "Standalone" or "Autonomous" GPS operation use radio signals from satellites alone. A-GPS additionally uses …


I don't see how this contradicts what I said, which is that some AGPS implementations require assistance in order to accurately determine your location. Not every AGPS device can map radio signals to a lat-long; some can only do that with assistance.

It also lists some ways that various implementations require assistance:

Assistance falls into two categories:

Information used to more quickly acquire satellites

It can supply orbital data or almanac for the GPS satellites to the GPS receiver, enabling the GPS receiver to lock to the satellites more rapidly in some cases.

The network can provide precise time.

The device captures a snapshot of the GPS signal, with approximate time, for the server to later process into a position.

Accurate, surveyed coordinates for the cell site towers allow better knowledge of local ionospheric conditions and other conditions affecting the GPS signal than the GPS receiver alone, enabling more precise calculation of position. (See also Wide Area Augmentation System and CellHunter and openBmap.)

Calculation of position by the server using information from the GPS receiver

The assistance server has a good satellite signal, and plentiful computation power, so it can compare fragmentary signals relayed to it

That’s not what the article says. It says that AGPS devices are just like GPS devices. The only difference is that they use additional information to improve startup times.

Assistance is described as something that’s entirely optional. Why do you think that’s not the case? I googled around for a bit and it seems as though every source I can find tells me that AGPS is just like GPS if you have no data connection.

I'm sorry but I don't know how to make it more clear than I already said before: some AGPS implementations are not capable of operating in standalone mode. The Wikipedia A-GPS article states:

A typical A-GPS-enabled receiver will use a data connection (Internet or other) to contact the assistance server for aGPS information. If it also has functioning autonomous GPS, it may use standalone GPS, which is sometimes slower on time to first fix, but does not depend on the network, and therefore can work beyond network range, and without incurring data usage fees.[3] Some aGPS devices do not have the option of falling back to standalone or autonomous GPS.

I've added emphasis. The last point is all I was saying.

And what's your point pertaining to this discussion? Neither iPad nor iPhone are one of those devices.


So first, someone asked whether the iPhone triangulates position from cell towers or uses GPS. I responded that it does AGPS, and that in some ways AGPS is inferior to standalone AGPS.

You objected to this, saying that AGPS is "actual GPS" which, in fact, it is not. If by "actual GPS" you mean standalone GPS, then you are wrong. I correctly pointed out to you that AGPS is not a standard definition, but a name for one of a wide range of techniques which involve assistance from a third party in determining position. You, in fact, were incorrect.

Failing to comprehend the article from Wikipedia which, in fact, enumerates the methods by which an AGPS device may receive assistance, you asserted that AGPS only refers to the technique of optionally downloading an almanac from a network resource instead of an orbitally transmitted signal. Again, you were incorrect.

Now that I've shown that you were incorrect, you want to object to raising irrelevant points? My only point was that the device uses AGPS, and that AGPS is not standalone GPS -- that in some ways it is inferior. I showed those ways because you asked, not because the Apple implementation is encumbered by them.

Ew, mate, you are using the wrong words there. Fair enough, AGPS may be inferior in a few devices but usually it is superior (i.e. has better startup times and is exactly like GPS in every other way).

Apologies if my tone of voice turned you off. I am getting fatigued with this thread. I feel like the distinction being seized here is minor, bordering on pedantic.

Assisted GPS is better than normal GPS.

It uses towers to work out how to find the GPS satellites quicker than normal, and additionally can provide some location information when no GPS is available.

> Assisted GPS is better than normal GPS.

Really? My Garmin device can locate itself without entailing the possibility of communicating my position to a third-party. There is no possibility that my checking my position can enable anyone else to know it as well. That's not true with AGPS.

That is one pretty significant way that standalone is superior.

If that’s important to you, sure. I’m, however, a bit foggy on the actual implementation of AGPS and don’t really know whether it actually sends your location info to a server. Would be nice to get some implementation details about that.

I think it was pretty clear that we were talking about performance – time until and precision of the first lock (which AGPS does improve), overall precision (which AGPS doesn’t improve) and so on.

That is one pretty significant way that standalone is superior.


The majority of people just want to know where they are and the quicker the better.

Inferior in what ways?

My understanding is totally opposite, would you mind explaining a bit more?

It is better. He has no idea what he's talking about.

Actually I do. I answered the question on sibling posts.

This may be "good enough for legal work" if they want to associate you with the location of a crime/event.

Not really, since you have physical access to the file you can edit it. That should immediately disqualify it as evidence. I think this type of data normally is gathered from the phone company when used as evidence, then the involved parties can not tamper with the file.

That's not how law works. They don't require absolute proof like in math. This will be included as evidence - evidence is not proof, it's weaker.

You can claim "I edited it", which then weakens the evidence. Then they will look for other evidence, and try to look at everything as a whole.

It might not be directly related but there was a news story on CNET [1] yesterday about cops in Michigan using a device from Cellebrite to download information from phones of people they stopped for violations that includes contacts, phone logs, messages, photographs and location history.

Does Apple's decision of having such information stored on the phone unencrypted make it easy for such devices? The device claims to subvert phone passwords though.


I've actually used that device before. It's fairly common in law enforcement and inteligence agencies, and it will take everything. Including passwords/deleted info. There is no reason for using it on a traffic stop though, that's just straight up invasion of privacy and would piss me off to no end. It's use is (and should be) for the more criminal/forensic cases.

And it doesn't work on all devices out there, and doesn't fully collect the devices it does work with.

Most forensics labs have multiple tools such as this, and still have issues fully collecting devices.

I wonder if that device utilizes some form of "law enforcement backdoor API", a phone analog of the "lawful intercept" in networking. Because frankly I don't understand how else it could retrieve previously deleted data from the phone.

If you look at apps like BitPim, you'll see there's a standard protocol that many phones use for syncing. That protocol gives access to far more data than you might expect. If you have USB Debugging enabled in Android, the level of access is probably similar, and even if not, they can read your entire micro SD card via USB mass storage. I don't know enough about Android syncing to say whether it's possible to access contact data via USB when the phone is not in debugging mode, or whether there's a way to activate mass storage mode or Bluetooth transfers without unlocking the phone.

Perhaps you could answer a question. If the phone screen is locked will this device still gather data? I assume it will.

iTunes will happily sync with your iDevice when its screen is locked, so locking is clearly no barrier.

If you plug your iOS device into another computer it won't connect to iTunes until you unlock the device. Whether that is enforced by the phone or iTunes I don't know.

> We're not sure why Apple is gathering this data, but it's clearly intentional, as the database is being restored across backups, and even device migrations.

My understanding is that all data and files is persisted in that manner. Not sure why they're implying this file has been singled out.

The intention was to indicate that it's not just a temporary log file that's not being deleted properly. Poorly expressed though, I agree.

I wish this wasn't presented as sinister.

The fact is, that phone companies store all that data for EVERY cell phone, and it's always available to government agencies and divorce attorneys after a subpoena.

All this does is raise the common man's awareness, and possibly provides an afternoon of fun looking at your travel history. If you want your iphone data secret, it prompts you to encrypt your backups when you first plug the phone in.

The issue is that this data used to only be available via the service provider. Now it is available from the device, and the device it syncs to.

No. Given eg the police in Michigan using devices to dump phone contents on a regular basis [1], there is an enormous difference between unencrypted data on a device just sitting there and anything requiring a subpoena.

[1] http://www.mobiledia.com/news/87523.html

Elsewhere in the threads you can see that device won't work with a password-protected iPhone

For those with jailbroken iPhones and SSH, the data can be accessed or copied directly. The information is stored in this file: /private/var/root/Library/Caches/locationd/consolidated.db

The file can be viewed with any ol' SQLite browser, and the location information is stored in the "CellLocation" table.

After using an iPhone 4 since release day, I have ~1400 entries.

To make it work with Pete Warden's app, add this block to the bottom of loadLocationDb, before the displayErrorAndQuit:

    if (!loadWorked) {
        loadWorked = [self tryToLoadLocationDB: @"/path/to/your/consolidated.db" forDevice: @"iPhone"];

This is a perfect timing for promotion of Playbook and BB security. I am sure RIM will miss the opportunity though.

And I'm sure Playbook has its own gaping security holes that no one will find or care about because no one's going to buy it.

Someone should make an app for jailbroken phones to disable this location logging (or delete it regularly).. many would likely pay for it!

Interesting idea, although I actually like just injecting noise (add say 500nm to all of the co-ordinates or some such) which would basically corrupt the database that this was being injected into.

On a more interesting note if you put '); droptable; into your file could you delete the receiving database? A whole new vector for SQL injection hacks I suspect.

According to http://news.ycombinator.com/item?id=2467895 it is being used to get a faster fix for Locations based applications, so doing that would remove the ability for that work.

This was noted last September by C. Vance here:


Good detail on how and why it is generated.

BTW all cellular devices are recorded as they move through tower locations while they are on and police don't feel they need a warrant for such data, so your location is pretty much available without that file.

My phones location is available. Not my location.

Way to miss the point.

Earlier, entities recording: cell company. Earlier, entities with access: police, cell company

Now, entities recording: cell company, Apple Now, entities with access: police, cell company, anybody who temporarily gains access to my phone, anybody who temporarily gains access to my iTunes computer

See, how the "attack surface" is dramatically bigger now?

Oh I am not saying this isn't a huge scandal.

I'm just saying keep in mind this info is also available to others without an iphone.

Created a GPX file generator. Use it to convert the database into a GPX file format. Open it up with Google Earth.


I'd love to use this data to geotag the photos I've taken on my digital camera over the past year, so I've downloaded this script along with the consolidated.db file into a directory, however, when I execute: python iphonegpx i get the below error, could you provide some more detailed usage instructions?: C:\Users\<xxxxx>\Desktop\serialx-iphonegpx-a124079\serialx-iphonegpx-a124079>pyth on iphonegpx.py File "iphonegpx.py", line 24 <time>""" + data[0][0].isoformat() + """</time> ^ SyntaxError: invalid syntax

Maybe you are using Python 3?

make print statement to print() function.

The same community that would generally react very negatively to reports of a company storing passwords unencrypted in a database seems to effortlessly explain away Apple's approach to storing a significant amount of personal tracking data unencrypted, not on one pretty inaccessible server but on multiple easily-accessible devices. Fascinating.

Could this be related to the mobleMe "Find my iPhone" feature that Apple added in 4.0?

If so, this is probably a non-story. I'd be interested if it still logs if Location Services are off, too.

If it is, the database is seriously overengineered. Find my iPhone will not let you access past locations, it seems to always only let you access freshly requested location information.

Such sensitive data should not be saved without the user's explicit permission if it's not needed for some purpose the user explicitly wants to use the device for.

Of course, Apple would know your location most of the time anyway, whether or not this file exists. You send the ID's of cell towers and wifi points to Apple, which returns you the location of those points. Apple could always have been storing your location based on that interaction alone.

In fact, keeping a database like this could actually give Apple LESS information about your location, as you don't have to request a new location if you already have the info of all the near ID's in your database. I'm not sure if this actually happens though.

The same, of course, can be said for any Android device and Google's A-GPS database; you have no guarantees that Google isn't logging your location whenever you're using location services.

In addition to cell tower and Wi-Fi hotspot locations iTunes keeps a backup of all text messages and recent calls. A while ago I've even made a small web app to chart it - http://datalysed.com/?p=130

Apple is simply building a mandatory foursquare competitor, it's not a big deal guys

I can sort of understand the outrage but I don't see the utility of it. Apps that are written for the App store don't have access to this data without the permission of the user. And the only way an app would be allowed access to a file outside the sandbox is if its jailbroken.

I'm not familiar with the in and outs of iOS LocationManager but it generally gives you the immediate coordinates at the time you request and nothing more. As for why the database of locations? It's entirely possible they are using it for QoS.

As for access to device backups. If someone has unauthorized control of your desktop computer you have bigger problems.

They are collecting private information about a person and make them somehow accessible.

I'll give you an example: now your technologically savvy and pathological jealous partner can open that file on your phone while you are sleeping and check where have you been in the past months, day by day.

Iphone users should be aware of that possibility.

EDIT: Actually, now that I looked at the software presented here, it doesn't even require access to the phone, just to the computer. Your partner can do this while you are at work.

Yes, your partner can do this if you let him or her access to your computer's account. Keep in mind that if you let your partner use your account, he or she can also look at all your cookies, your browser history, and probably your Facebook account and Gmail accounts.

If you don't trust your partner and want to rummage through his or her computer—or if you worry about the prospect of your partner rummaging through your computer—you may want to go to a couples' therapist.

>If you don't trust your partner and want to rummage through his or her computer—or if you worry about the prospect of your partner rummaging through your computer—you may want to go to a couples' therapist.

Thanks, I am fine. But you should know that a number of marriages do in fact end badly in the real world and that a tool like this one can give evidence of cheating and cost a lot of money in a divorce trial. Do I need to make any more examples of why collection of private information is frequently a problem in everyday life?

Yes, evidence is a problem for people who do things that have legal or economic consequences. Of course, actions often have moral and ethical consequences even if they leave no evidence behind.

Are you suggesting that a privacy leak is a concern only for those who have something to hide?

No. Are you suggesting that Apple's highest moral obligation is preventing the collection of data that might conceivably expose their users' wrong-doing—e.g. their betrayal of their spouse?

To be clear, the collection of the data is only a "problem" if it exposes you as a liar. And it's not a "problem" for the person who was lied to; it's a boon. And if you weren't cheating, well, showing your call or location logs might be a way of saying, "Look, I have nothing to hide."

Privacy vs. disclosure of data is a complicated issue. It involves issues of personal autonomy as well as trust. Do you give up some autonomy because you know that people know what you're doing at any moment? Of course. But there is often a pay-off to doing so: people actually trust you.

Life is complicated, and you can't down-vote moral complexity out of life, no matter how high your karma is.

"collection of data that might conceivably expose their users' wrong-doing"

So to answer his question honestly: Yes, you are implying exactly that.

No, I am not. I wrote, "Life is complicated."

Turn the issue around: how would you feel if Apple bent over backwards to help your partner fuck other people behind your back and leave no trace?

I don't know why I'm bothering to write this, because you seem resistant to the concept of moral subtlety, but I will anyway: Studies have been done that show that morally equivalent choices can be posed in ways that lead to people using different moral heuristics for making decisions and reliably making different choices.

People move through the world and leave traces of that movement. Where should device makers stand on the continuum between recording everything and distributing it to everyone and recording nothing (and erasing everything it possibly can) and making sure that no information about a user's actions can leak out.

Do you understand that this is not a binary choice? Do you understand that there are outcomes that you and I can agree to call good or bad that can result from making a decision anywhere along this continuum? Do you understand that there is no easy solution? Do you get it?

There is an easy solution. Apple has no business making moral judgements about my right to privacy. They should do everything in their power to protect it unless some lawful authority says otherwise in the course of a criminal investigation.

In such an investigation, your location history could be obtained from the mobile provider. Therefore this additional data could only possibly be of use to people who have no right to it in the first place.

So to phrase it in your language; yes, Apple's highest moral obligation is preventing the collection of unnecessary data about me, and indeed to tell me what it is collecting, why, and to whom it will be disclosed. In fact, where I live, all these principles are enshrined in a law called the Data Protection Act.

In the UK and the wider EU at least, Apple could be in a considerable amount of trouble for collecting this data.

Edit x2: grammar.

I don't see where and why you find the need to make such as Shakespearian dilemma out of it. Nokia, RIM, Android, you-name-it, don't record your position with a day to day resolution. There is no need to do that. Apple does it; it does so in an almost hidden way and without apparent reason. Anyone should at the very least be quite suspicious or concerned about it while you seem to come up with a lot of ethical bullshit.

"to help your partner fuck other people behind your back and leave no trace?"

You really are hung up on this "nothing to hide" deal aren't you?

All that's needed is physical access to the computer. Your computer account is not a real protection.

The iphone doesn't have a file browser and apps are sandboxed. So how they would get access to this file without jailbreaking or the backup file is a much better case.

Besides, everyone knows mobile me is a jealous stalkers best friend. And it doesn't even require tech savvy, just access to the iPhone to activate the service is enough.

Since the backups are unencrypted it would be trivial to steal the data exploiting a Flash hole or worst case an email virus.

Flash hole... on an iOS device?

Backups... on an iOS device?

The backups are stored on your Mac/PC, which are likely to have Flash.

There is an option to encrypt backups.

I think Matthew is talking about taking the backups from your computer.

What is QoS?

I agree that it's not a security risk from an app store perspective but I'd still prefer not to be tracked.

Quality of service. Like when the iPhone 3G first came out you could only buy it in areas where 3G service was available. AFAIK, most carriers already do this on all their handsets but their data is restricted to just a few days to a a few months.

Right, if QoS were a concern to att, my phone would not drop/fail to make seriously, 75% of the calls.

I am switching to Tmobile because ATT makes me want to go on a rampage. Of course, now using this file, they'll be able to predict where that rampage will occur.

If it makes you feel better, the little dots aren't your location specifically but the location of the tower you are connected to at that instance.[1]

[1] This is according to a commenter on another blog. I'm still on 3.1 so can't verify these claims either way. But this seems to confirm it http://blog.csvance.com/?p=39#comment-109

Maybe because of things like this?

>A US Department of Justice test of the CelleBrite UFED used by Michigan police found the device could grab all of the photos and video off of an iPhone within one-and-a-half minutes. The device works with 3000 different phone models and can even defeat password protections.

>"Complete extraction of existing, hidden, and deleted phone data, including call history, text messages, contacts, images, and geotags," a CelleBrite brochure explains regarding the device's capabilities. "The Physical Analyzer allows visualization of both existing and deleted locations on Google Earth. In addition, location information from GPS devices and image geotags can be mapped on Google Maps."

Do you have references for those claims?

There's a lot of marketing hype in here. There are a lot of mobile device collection tools and none of them fully collect every device out there.

Also, collecting a 64GB i<device> over USB will take at least 24 minutes. (You don't really just want the photos, do you.) That makes for a long traffic stop.

24 minutes is a long traffic stop? Have you never been pulled over for speeding? That's a positively snappy traffic stop...

Also, what the hell are you doing turning over your phone to police officers during traffic stops......

Yes, I have. And been on my way in less than 15 minutes.

There are several reasons that one might turn over one's phone, all well documented in the media. The primary two are:

1) Voluntary cooperation with a request 2) Search incident to arrest

(Obligatory WTF on downvoting: I point out reasonable information and a technical challenge with doing this in the field based on personal experience as a forensic examiner, and I get downvoted?)

1) Never volunteer your property to be searched. That's just common sense. 2) Well that's hardly a traffic stop anymore. They're pretty free to take their time at that point.

(I didn't downvote you)

and can even defeat password protections.

yes, with access to a plist file from iTunes

[credit to morganpyne http://news.ycombinator.com/item?id=2465752]

Whether or not this is true, Apple should add something like File Vault to iOS. Encrypting your backups is redundant if you're already encrypting your whole home directory, but none of that matters if they have access to your unencrypted phone. Check out the police downloader devices the ACLU is investigating: http://www.aclumich.org/issues/privacy-and-technology/2011-0...

Everything on the iPhone (from 3GS forward) is already encrypted afaik. That's how remote wipe works instantly (by just deleting the encryption keys)

This is incorrect. Device encryption on 3GS and later devices are only for 1) Apps that implement Apple's device encryption API (ie, stashPro now has this) 2) If you have a strong password set and 3) Unless you have a device released with iOS4.x, you will need to wipe, then restore it with the flag turned on


About 6 months ago, I left an ipad on a plane. Unsurprisingly, all my attempts to recover it led to dead ends. I didn't have the mobileme / findmyiphone app installed on it. I understand privacy concerns, but I'd actually like it if Apple did have a copy of this db, and they allowed me to proxy through them / law enforcement so that I could locate this lost device. I know someone has it b/c I can see they were using my Netflix account.

I think you're looking for something more like prey : http://preyproject.com/

Okay, but do the devices do this if 'Location Services' are turned off.

And I assume Cydia will now get an app that forces them off if the os ignores the setting.

Funny, I had to go to a location without internet access, but where I periodically have to "mark" where I am so I can reference it later. I was about to write my own app for this purpose when I saw this post. To boot, I had my iPhone on me the last few days anyway, so this will definitely come in handy.

Despite the utility I got out of this, I wish we would be told about it...

I can imagine a jealous spouse saying now to the other "i love you so much honey and from now on i will do your iphone backups. Just to make sure everything is safe for you" Then the jealous spouse downloads the iphone tracker visualization tool: "So honey, where were you last night? Really ? Dont you dare lie to me" :)

The simple solution is select encrypt backups in your iTunes options. If my computer or phone got stolen, I'd have more important things to worry about than whether the thief can find a list of locations I've been. It's fun/interesting to see it mapped out though.

You may not worry about this, but others might (and I can think of scenarios where this would be a very bad thing), and it certainly isn't apparent to most people that if your phone gets stolen, the thief has access to your location history.

Well, it probably wasn't apparent to many (or any) thieves either, but it is now.

Anyway, of course I'd agree it's worth fixing on Apple's part. In the meantime... hold onto your phones, I guess?

Yes, good point. Note to self: don't accidentally lose phone.

Encrypting backups won't encrypt the original file on your phone.

I thought they added something in iOS 3 that did encrypt the phone and that's why the erase is so fast now?

I also assume that if you put a passcode on with the 'erase after 10 incorrect attempts' setting that this would be permanently erased if they get your passcode wrong 10 times...?

How will encrypting my backup prevent someone with access to my phone from getting this information?

Someone with access to your phone can also access your emails, text messages, contacts, photos and more... I guess to some people location data is more sensitive than those things, but not to me.

Does no one else agree with me that this is awesome? I love being able to visualize my comings and goings. It's the story of the last year or so of my life, in colored dots.

I hope Apple doesn't respond to the "outrage" by no longer collecting this data. To a first order approximation, I am with Scott McNealy over in the "Privacy?! Get over it" camp:


As an aside, can real outrage even exist anymore in this age of the easy forum post or re-tweet or tumblr entry or Facebook post? And if it does, how do you identify it? And if you can identify it, what does it mean?

if the feature was opt-in it might, conceivably, be called awesome. But not being told that my iDevice will log my every move and leave this data open to the next johnny-come-lately to get his hands on my device? Terribly uncool. Logging should be a setting, or better, an app. Not a hidden, no opt-out feature imposed on over a hundred million iDevice owners.

Set up a passcode, now they can't access the data on your phone unless they have the passcode, or your iTunes plist file ...

Sex is pretty awesome, too, unless you don't get any say in the matter.

Wow, you're making a rape analogy. Glad you decided to stay classy and not make your post an instance of Godwin's Law.

The comparison is very apt. Consent often changes how we view things. Rape and privacy violations are not the same but when it comes to consent very similar.

So you think it's defensible to say that Apple is raping its users? Let's get some people who have been victims of rape in here and ask them how they feel about this over-the-top analogy.

For comparisons to be useful, you don't have to take everything literally. As far as the question of consent is concerned, the comparison is apt.

But why make the comparison if not to inflame? That's the point, isn't it? Comparing data collection to sex in the context of consent—as if the concept of consent applies in the same way, which is on its face a bold assertion—isn't about a logical argument, it's about trying to win a war over people's sentiments. And I think the sentiment that's being fought for here is irresponsible and simplistic.

If you chose to be inflamed ...

It's simple really, many people believe that privacy relevant data shouldn't be collected without the users consent. There is nothing at all wrong with collecting location data if the user has agreed to it, that changes if said consent is missing. Just as with sex.

I found the comparison was very apropos to the context and useful. Call me simplistic, but I'm glad it was cast and totally not inflamed (save for my original inflammation towards Apple).

It's not apropos. Can you be raped by your vibrator or your blow up doll? This is about a device passively logging data, not a moral agent doing something to you.

Show me the person that Apple has hurt. The only people I've been reading about here taking actions are law enforcement officials, people in black helicopters, and betrayed lovers.

What you view as a device passively logging data, others may view as a company actively designing a device that logs data.

"Can you be raped by your vibrator or your blow up doll?"

If either of those has sex with me without my consent, then yes. I would call that rape. Who in their right mind wouldn't?

Exactly. Count me as one feeling Apple's rep is severely damaged. The notion that this device stores gigs of personal data (without my prior knowledge) and has been transmitting it back to Apple, somehow this is okay with you? Not I guy, not I.

More people should know.

I love being able to visualize my comings and goings.

Then use something like Latitude. There are options for you if you want to see this data other than having Apple collect data from all users whether they like it or not.

I think you are confused: you say that "Apple collect[s] data." Apple's software is collecting data, but is it the case that Apple has access to this data? I don't think so. There are issues of agency here: in my interpretation of things, my phone is collecting and storing the data, Apple isn't.

I guess I have some sort of perverse desire to see my karma auger into the x axis thanks to this issue, because people seem to be whiny hysterics on it. Computers log data. A phone is a computer. The history of the phone's location is conceivably useful—it's like a geospatial stack trace—and even if this data is going to the Apple mothership, I don't care as long as the data gets Tivo-ified.

I said "Apple collects data" as a shorthand for "Apple's software collects data and stores it on your phone" because the distinction you're making seems to be meaningless to most people. I can see your point though.

Still, I don't see why this is better than an optional, third party application for this data. I also think that people should be upset at their phone keeping this data without their knowledge. You say it could be useful, but useful to whom? Advertisers, stalkers, "The Government"? I can't see how this useful to most users at all.

computers log data, A phone is a computer.

I think most people view their phone somewhat more intimately than their computer. Notice the uproar any time privacy issues like these are raised about a phone. Furthermore, tracking someone's location is just about the creepiest thing you could do for most people. It's just ripe for abuse, and as I stated earlier, I can't see much in the way of positive use.

"the distinction you're making seems to be meaningless to most people"

No, the distinction is critical to most people. Apple's iPhone software records all the calls I make, the phone numbers I call and the duration. That's fine.

I'd be pretty peeved if that information was harvested by Apple Inc.

Can you please put it somewhere on the Internet. I'd love to look at it.

Thank you in advance.

Great follow through. I kind of agree with you. I'm not sure what I'd use the data for, but I sure did enjoy looking back on where I was.

My amusement outweighs my outrage.

I think he asked for the full database dump, not a meaningless country-level zoomed screenshot. But I give you props for revealing even this much; I would have certainly not done so.

I was going to do so, if only to prove that I don't give a shit, but after glancing at the instructions, I'm not going to do it unless someone provides me with a shell script. It's too much of a pain in the ass.

But if any of you are pathetic and creepy enough to want to know where I was on any particular day, feel free to send me e-mail at edw@poseur.com and I'll let you know.

Do you use Mac? It seems writing a script would be easier for Mac. I can try to cook one up. I will post it here if I succeed.

From what I understand, at least with google, this data (the data sent anonymously) is used amoung other things, for the maps traffic feature. If a fair number of phones are traveling below the speed limit on a road, it can be assumed that the traffic is bad on that road. Not sure if the apple data is used for that, or if they get the traffic data from google, but it is one legitimate use.

When I read this I simply had to try it out for myself and quickly plot the data. It's a nice reminder of the places I have been over the past year.

I don't mind that Apple have saved the information on the device, what I mind is that they haven't given us an option to clear the logs or to actually visualise the data directly from the phone.

Not news at all to someone in the digital forensic community: https://alexlevinson.wordpress.com/2011/04/21/3-major-issues...

I assume Apple collects this data to pass back to skyhook so they can update their database of wifi-to-geolocation data. Must be nice to have millions of sensors roaming around collecting data for you.

Other way around. It's a cache for CoreLocation, and the location data comes from Skyhook.

Interesting - Apple's filing says they dropped skyhook in 3.2 and switched to their own database... using this data.


Apple license agreement covering the collection of location data - http://pastebin.com/EdFJr6iU

This has been happening for a long time, has it not?

If you have a 3G device the cell towers already know this and the data is already tracked. So what is new here?

The data is in an unencrypted file on your device and synced computer, instead of in a database at AT&T.

Jailbreak + cron + rm

Best be cronning every minute or so, because unfortunately you can't rm on Apple's servers.

Apple has been known to collect this information for a while now [1] but storing all this information in a database should not be required for this.

If you tuink about how much information you have on your phone, if somebody has access to it or to your backups, I think your locstion history is the least of your problems. But I do agree that it should not store this information, encrypted or not...

[1] http://news.cnet.com/8301-31021_3-20010948-260.html

If the man really wants your location, he can just ask the phone company.

'the man' could always get that info, sure. but now, anyone with access to your phone or computer can.

Including anyone that hacks into either, and they wouldn't even have to install anything suspicious to do location tracking or even have compromised your phone during the period they were interested in.

I'm not so much worried about the man, (I've given up on that battle) as much as I'm worried about the people out there who like to stick it to the man by whatever neferaous means of looting and pilliging they see fit.

All of this from a device which prevents you from ever removing its battery.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact