Apple has finally released a statement regarding the discovery of a file on iPhones that contain’s location information. The key points of the statement are:
1. The file that was discovered is a database of WiFi hotspots and cell phone towers in the vicinity of the iPhone, and it is used to help the GPS quickly find satellites to display your location in navigation and other location-based apps.
2. Apple is not tracking the location of the iPhone.
3. Apple says they cannot locate people using information in the file.
4. The amount of data in the file, which has shown to be up to several year’s worth of data, is due to a bug for which Apple will release a fix to shortly. (Actually, in a later interview an Apple executive makes this sound more like a design decision rather than a bug.)
5. The continued downloading of data to the iPhone with the location information after a user turns off location services is a bug, for which Apple will release a fix to shortly.
Apple goes on to point out that they are collecting anonymous traffic data to build a crowd-sourced traffic database to be used for a future navigation service. I believe that this means Apple is building an alternate to Google Maps, which provides traffic information today using a similar crowd sourcing technique. Apple also admits to providing anonymous information such as app crash logs to third parties. Location information is also used by Apple’s iAd advertising system.
While Apple’s statement today is consistent with what I expected is going on, it feels to me to be a bit like word parsing. True, information in the file is not the iPhone’s precise location, but it is clearly close enough that when the data is plotted on a map people recognize it as showing where they had traveled, and I think this is enough to cause people to be rightly concerned. Apple will be releasing an update that fixes the bugs listed above, but they will not be encrypting the file until a later upgrade to iOS, which means that if you don’t want someone to be able to access the information in the file you need to turn off location services after the bug fixes are released.
There is evidence that some people knew about the collection of this data well before it was announced last week, which causes me to doubt that the bugs Apple cites where just discovered. If you do a search on iphone+forensics, you will see that there is a whole industry built up around collecting personal information off iPhones. While I think it is good that Apple is now going to release fixes for these bugs, I want to know how long Apple really knew about them, and if they knew about them before last week, why weren’t they fixed earlier? The amount of data found in the file suggests the bugs have existed for years and not just introduced in iOS 4.