Software Bug to Blame for Unauthorized Tracking, Says Apple
Apple’s iPhone devices don’t track their users and a software bug is responsible for storing location logs even after users turn off their iPhone’s location services, the company said in a “Q&A” statement Wednesday. Apple said it plans to issue an iOS software update in the next few weeks that will fix the bugs and “reduce the size of the crowd-sourced Wi-Fi hotspot and cell tower database cached on the iPhone.” Meanwhile, Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., added his voice to growing congressional outcry over mobile privacy concerns.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Apple acknowledged that its devices do maintain a database cache of Wi-Fi hotspots and cell tower locations to help the device “rapidly and accurately calculate its location when requested,” Apple said. But the company explicitly said its iPhone devices do not log the exact locations of its customers. “Apple has never done so and has no plans to ever do so,” the company wrote.
Apple said it can take “several minutes” to pinpoint location simply relying on GPS satellite data. When GPS isn’t available, such as in basements, the phone can find its location via triangulation using just hotspot and tower information, Apple said. By using the crowd-sourced database of hotspot and tower data from millions of iPhones sending geotagged locations “in an anonymous and encrypted form to Apple,” it can quickly give users their location. Only an “appropriate subset” of the database is downloaded to any given iPhone, Apple said. The file gets backed up to iTunes whenever a user backs up an iPhone, and whether it’s encrypted depends on a user’s iTunes settings. Apple said it can’t identify the source of any given data sent to it, so it’s not locating individual users. But it acknowledged that the storage of up to a year’s worth of hotspot and tower data on iPhones was a “bug” that Apple will soon fix: “We don’t think the iPhone needs to store more than seven days of this data.” The continual updating of hotspot and tower data on iPhones that have location services turned off is also a “bug” that Apple will fix, it said.
The company said it’s also collecting anonymous “traffic” data to build a “crowd-sourced traffic database” to provide better traffic service “in the next couple of years,” though the company didn’t clarify whether it meant Internet or transportation traffic. It said it only shares location data with advertisers through the iAd system when users “explicitly” approve that action. In addition to deleting the cache file when users turn off location services, the iOS update will reduce the size of the cache file and stop backing it up. The next “major” iOS release will add encryption to the cache, Apple said. It took the blame for the uproar, saying the company has “not provided enough education about these issues to date."
Apple’s Q&A doesn’t mention any devices other than iPhones, though the researchers who discovered the location file said it’s present on all devices running iOS 4, including iPads and iPod touches. We couldn’t reach Apple for comment.
Apple’s response comes less than a week after two researchers, Alasdair Allen and Pete Warden, reported that they discovered that the cache file could be used to determine users’ location history (CD April 22 p6). Allen and Warden said they were relieved Apple offered an explanation and a software fix for the problem but Apple didn’t address their claim that the database reveals sensitive information about each user’s travels, they said in a article published by the O'Reilly Radar blog Wednesday.
House Bi-Partisan Privacy Caucus Co-Chairman Ed Markey, D-Mass., responded favorably to Apple’s letter but pressed the company on its location-based advertising policies, he said in a letter Wednesday: “The Apple Q&A raises questions about the use of location information for targeted advertising to iPhone users and I will be following up with Apple to get clarification on this issue. Location information is extremely sensitive and must be safeguarded.” Markey has actively denounced the tracking policies of mobile device manufacturers since the revelation last week.
Sen. Leahy was particularly troubled by the reports that Apple’s iPhones continued to collect and store user location information even when the location service is disabled, he wrote in a letter to Apple CEO Steve Jobs Wednesday. He urged both Apple and Google to testify along with representatives from the Department of Justice and the FTC at a Senate Privacy Subcommittee hearing next month. Senate Judiciary Subcommittee on Privacy Chairman Al Franken, D-Minn., will chair the hearing May 10 at 10 a.m. in room 226 of the Dirksen Senate Office Building. “American consumers deserve to know the potential risks that these new technologies pose to their privacy and security,” wrote Leahy in his letters to Apple and Google. Leahy is an author of the Electronic Communications Privacy Act and mentioned in his letters that Congress is considering an update of the 25-year-old law. Google responded to Leahy’s request Wednesday and agreed to testify at the hearing. Apple had not agreed to participate in the hearing by our deadline.
On Tuesday, Republican leaders of the House Commerce Committee also penned letters to the CEOs at Apple, Google, Microsoft, Research in Motion, Nokia and HP, asking the companies to explain what location data their mobile operating systems “track, use, store or share,” and why.