iPhone tracking: much ado about bugger all

Well, we’ve all had a jolly good time getting hysterical about the alleged ‘tracking’ of our movements by our iPhones. Even the revelation that Android devices do a similar thing hasn’t stopped the Apple-bashing.

Nor was the hysteria dampened all that much by Apple’s somewhat tardy explanation, in which it admits that some of the data collection is due to bugs that will be fixed soon.

What exactly is the problem? If you listened to the mainstream (ie, technologically challenged) press, and even some of the tech websites, you’d come away believing that the iPhone is tracking your every move and reporting back to Apple. The data is gathered by your iPhone, downloaded to your computer when you sync the device and then squirrelled away by covert channels to the dark dungeons of Apple’s global surveillance operations. Or something.

Well, of course, it’s nothing of the sort. The iPhone is keeping a cache of cellphone towers and wifi access points somewhere in the vicinity of the places you’ve been. It’s doing that in order to provide geolocation services more rapidly when you ask for them. Although GPS is the principle method of obtaining location data, it can be slow. If your phone has been sleeping, or you’ve been out of sight of the satellites, re-acquiring those satellites can take a while. And all that time you’re tapping your toes impatiently, frustrated that you can’t get information on the nearest Domino’s pizza emporium.

Apple (and others) use crowdsourced data about the locations of cell towers and wifi hotspots as an additional triangulation method. Your iPhone provides this data to Apple anonymously — ie, they don’t know who has recently been strolling through the red light district of Amsterdam, only that someone has.

So, no Big Brother looking over your shoulder, but there are other threats, right?

I’m a big fan of privacy. For example, I have my Facebook settings screwed down so tight that people sometimes have trouble finding me, which is fine. So I was rather worried about the implications of all this tracking data being on both my phone and my laptop.

If someone were to steal my kit, they’d have a nice little database of my movements. I’m not entirely sure what a thief would do with this data. In fact, compared with the potential goldmine of information they’d have in my emails, the geolocation data seems pretty meagre. So the risk there seems very low to me.

And it’s precisely because my emails and other files contain data that I take precautions with my laptop — with strong passwords and encrypted disks. Those precautions pretty much secure against the iPhone location data issue too, as much as you ever can be secure. And it any case, when it comes to the backup file on the laptop, Apple supplied a solution long ago. In iTunes there’s the option to ‘Encrypt iPhone backup’. Just give that a nice secure password and problem solved. And you know what ‘secure password’ means, right? If not, you’ve got bigger problems than geolocation data on your iPhone.

As for the phone itself, few (if any) thieves are going to have the technical smarts to extract the data from it. But that may not be true of others who might desire it.

I’m thinking, of course, of the authorities. It has been mooted by privacy advocates (praise be upon them) that the phone would be a treasure trove for law enforcement officers and spooks investigating suspects. Some reports suggest that law enforcement in the US regularly mines this data. But I have serious doubts about how much value they derive from it.

For one thing, the data is far from accurate when it comes to your movements. I checked mine with iPhoneTracker (having temporarily switched off encryption in order to do so), and although it was vaguely correct in displaying the general areas I’d visited, some of the data points were wildly off track. Apple, in its explanation, says that the data points may include cell towers scores of miles from where you’ve been.

The map above shows some of my data in iPhoneTracker. I’ve never even heard of a lot of those place, let alone been there. And although it shows a couple of the places I’ve been, you could have got that information from reading my blogs and Facebook and Twitter updates. This stuff is not classified.

Also, the data only shows where the phone has been. The authorities would still face the challenge of proving that you were the one carrying the phone at the time. So although it might be of some limited value to them, compared to other data they might find on your machine, it doesn’t seem worth worrying about all that much.

Apple says one of the errors it made is in retaining this data for too long. In my own case, there were data entries going back a year. The firm says a week should be enough, and it’s about to make that fix.

The positive part of all this is that the excitement this issue generated would seem to demonstrate a laudable awareness of the importance of personal data. Data privacy is an issue that should concern us. But as with all areas of information security, it’s a matter of balancing benefits and risk.

The risk here is extremely low. And I’d put the threat posed by this information much, much lower than that of the geolocation data people regularly make available via, say, Twitter and Flickr (where such information is often embedded in images). Those two services combined with a tool like Cree.py should have far more people worried.