Apple has released an iOS update for the iPhone and iPad, addressing concerns that the devices were tracking users’ locations.
As was widely reported last month, a bug in Apple’s software meant that iPhones and iPads were collecting location-related data and were archiving it on users’ computers.
It was found that location information stored on your computer could pinpoint your iPhone’s whereabouts for up to a year afterwards – something which caused a storm of protest from those concerned about their privacy.
And you can see their point. After all, someone with access to your PC might find the backup file in your iTunes and determine places that you regularly visit. And you had no idea that that information was being stored.
At the time of the revelation I think my biggest concern was the sheer amount of data that was being backed up to PCs. I couldn’t see a legitimate reason for up to a year’s worth of location data to be held.
Apple responded to the media interest, and admitted that devices were collecting information about cell towers and WiFi hotspots around users’ current location, even when users had specifically turned off Location Services.
Apple says that the newly-released iOS 4.3.3 update will no longer back up location data cached on iPhones and iPads to users’ computers, and fixes the Location Services bug.
If you install the update, the location data stored on your iPhone or iPad will reportedly only stretch back seven days, and the cache will be deleted in its entirety if you disable Location Services.
It would still be nice, of course, if the cache of location data was also encrypted – to prevent snooping eyes. Apple says that they plan to encrypt the data in the next major iOS software release (iOS 5.0?).
It wasn't a bug.
The data was restored to a new phone when you migrated from one device to another; they were keeping the data with the user and not necessarily the device itself.
That pretty much seals the deal in that it was intentional that Apple was tracking their users specifically.
This was tower and hotspot caching data, not user location data, and was backed up along with the rest of the directory it was in, to be restored with that backup identity. It could be argued that this file actually improved your privacy, as the data was only stored locally, instead of continually being sent back to a central server like other devices do. This meant that when using location services, the location service only had to access the cache to find your location instead of calling home.
Despite the conspiracy theories, it was likely that Apple just failed to properly vet the file during development. After all, it was stored locally, not transferred back to Apple, so they probably didn't see a privacy concern.
Now, the fact that they didn't connect the dots and realize that tower and hotspot location data can still be used to virtually find your location at a limited number of times in the past, and failed to encrypt the cache on the phone and during backup by default as a response, is a larger issue. Hopefully Apple will respond to this backlash by improving their privacy testing during the development process, and not just patch issues as customers complain.
You might want to take a peek at this patent (http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220110051665%22.PGNR.&OS=DN/20110051665&RS=DN/20110051665) that Apple filed for back in Sept of 2009.
The bug fix is for the fact that said data collection continued to occur despite the fact that the user optional location aware service had been disabled, and that's what Apple is having to answer for in the congressional inquiry.
Amazing!!! Sophos is so quick to pile on Microsoft, Google and other companies, which you should, given you are a security company. However, when it comes to Apple I rarely hear anything bad, and when a privacy issue comes up then it must have been a mistake and Apple in no way was trying to track a customer. Give me a break. I guess advertisers will buy iAds on faith with no demographics.
Glad to see that Apple has fixed this privacy concern!
Is the update compatible with the older 3 and 3GS models…?
Looks like it's for iPhone 4 and iPhone 3GS. iPhone 3G owners are left in the cold.. but that's usual for Apple updates these days. See http://nakedsecurity.sophos.com/2011/03/10/update…