Your iPhone "Location Diary" and Apple's Inadequate Response

Apr 27, 2011
By:
ACLU of Northern California

Page Media

ACLU of Northern CA

Jay Stanley
ACLU National Office

Apple has finally responded to the revelation that iPhone and iPads keep records of their users' whereabouts. We're glad that Apple has promised to change this practice. At the same time, nobody should think of this dust-up as some overblown quirk or mere bug, as Apple has portrayed it. This incident should be a wakeup call to Americans that we need to demand greater transparency and accountability from the companies that collect and use our personal information.

It would have been better if Apple had frankly admitted that this was a mistake, rather than trying to minimize the problem. In its Q&A statement issued in response to the scandal, Apple says that "The iPhone is not logging your location. Rather, it's maintaining a database of WiFi hotspots and cell towers around your current location." That seems like a bit of a precious distinction for Apple to be building its defense around, since WiFi and cell tower information can be used to determine your location with increasing accuracy (which is why law enforcement frequently demands cell tower information from carriers).

The existence of these location-records files in the iPhones naturally raised suspicion and alarm over the possible uses of those files. Now Apple has offered an explanation: these files were intended to be used in conjunction with a "crowd-sourced database of Wi-Fi hotspot and cell tower data that is generated by tens of millions of iPhones sending the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple."

But the fuss over the iPhone location tracking never centered around Apple itself directly tracking or watching users and storing their whereabouts in some giant, ironic Big Brother database. The issue is the fact that this location log is being created in the first place — that it stores a full year's worth of data, and does so without customers' permission or knowledge. Think about how potentially revealing a year's worth of location records can be for many people. It could reveal not only where you live, work and play, but your religion, your political activities, medical problems, your friends and lovers, how often you drive to the liquor store, or bars, or sexually oriented establishments of various kinds, what other cities and towns you visit and where you go there, and how you get there. None of this anybody's business.

If you put all that stuff in a diary, you would probably want to keep that diary private. Yet here Apple programmed its devices to create that diary for you, without your knowledge or permission, and in unencrypted form, and copy it to your computer. Just by bringing such a document into existence and letting it float around people's computing ecosystems, it has created a significant privacy and security vulnerability for its customers.

It's easy to imagine everyone from criminals to divorce lawyers and other civil litigants to the police wanting to get their hands on these logs. The ACLU of Michigan recently raised questions over how the police were using special readers that can instantly give them a copy of everything on your cell phone. CNet has reported that companies selling data extraction devices to government agencies already knew about the iPhone location diaries. Meanwhile, the government asserts that cell phones don't enjoy full constitutional privacy protections, and claims that it can examine phones (along with laptops) whenever you cross the U.S. border from another country.

That was the problem with storing a location diary on iPhones and iPads. Apple should have acknowledged that in its statement, rather than trying to explain away the error as a result of software bugs, "confused" users and tech companies not having "provided enough education about these issues."

The problem is not users who are confused and uneducated. To the contrary, the users who are up in arms over the iPhone movement diary appear to be quite clear over the privacy implications of such a document. Clearer, apparently, than Apple.

When a household name like Apple does something like this, it should be a reminder to everyone that as computing power expands, and devices shrink into our pockets and plug into location networks, we need better protections for our data.