Sam Biddle — This is a map of everywhere I’ve been for nearly the last year. Everywhere. I didn’t carry around a special tracking device. The FBI isn’t sending goons in unmarked vans to track me. All I did was use an iPhone. And if you have an iPhone, you’re being tracked right now, too, whether you like it or not.
It turns out that all iPhones are keeping a record of everywhere you’ve been since June. This data is stored on your phone (or iPad) and computer, easily available to anyone who gets their hands on it.
Updated: 5:50 PM EST
And now, we’re wondering whether the same goes for our other smartphones. The opt-in wording of phone location service agreements is pretty nebulous (as agreements tend to be). When starting up a fresh Android, you’re prompted to agree to the following: “Allow Google’s location service to collect anonymous data. Collection will occur even when no applications are running.” We asked Google what exactly this meant, and they refused to answer on the record whether this “anonymous” location data is logged persistently, à la iPhone (the UK security duo says they haven’t uncovered a file so far). But, importantly, unlike the iPhone, it appears to be totally opt-in for users. Microsoft told us the only locational data stored on your Windows Phone 7 device is your last known location, for use with the Find My Phone feature. We’ve also reached out to Apple and BlackBerry-maker RIM for similar clarifications on data collection, but haven’t gotten a response yet.
We know that AT&T and other cellphone providers can always store this data, for any cellphone. And law enforcement can get to it when they need to. But I don’t want this information bouncing around on my computer and in my pocket, too, for no good reason, with no way to opt out. That’s just not right.
The privacy startle, apparently enabled by this summer’s iOS 4 release, was discovered by two security researchers, one of whom claims he was an Apple employee for five years. They’re equally puzzled and disturbed by the location collection: “By passively logging your location without your permission, Apple have made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movements,” they explain. All it would take to crack the information out of your iOS device is an easy jailbreak. On your computer, the information can be opened as easily as a JPEG using the mapping software that the security experts have made available for download. Try it yourself.
For now, there is no fix. The only way to remove the data from your computer is to wipe your backup files. But then you have no backups to restore your phone in case you lose it. And every time you sync with your computer, it’ll create a new file. If you do lose your phone, all your tracking data goes with it, right into the hands of whoever found it. And if you upgrade your phone to the next iPhone, the location tracking history goes with it. For now, the best way to keep your location data safe is to encrypt your backup files, but that still leaves the roaming device itself vulnerable.
Update 1, 12:48 PM EST: Security expert Kevin Mitnick says he’s “Quite shocked and disturbed” by the revelation, noting that the logged data could be of great interest to a variety of entities: prying spouses, private investigators, and, he reckons, the government. He speculates that the existence of the log itself “could have been at the request of the government,” as such data “can’t be used for advertisements. It seems to me more to be a governmental request.” He added, “I like to know what my device is doing,” and said that the phone’s logging of data was in this case like “carrying around a bug and a tracker at the same time.”
Update 2, 3:37 PM EST: Google has declined to comment on the record as to the exact nature of their locational data collection.
Update 3, 5:32 PM EST: Microsoft tells us the only locational data they’re storing on your Windows Phone 7 device is your last known location—a single data point that’s erased as soon as it stores a new one.
Update 4, 5:50 PM EST: IT security expert Jonathan James has poked around inside the iPhone location database file in question and discovered tables labeled “Harvest” and “HarvestCounts,” although their use is still unknown.