Erstellt am: 22. 4. 2011 - 14:53 Uhr
Today's Webtip: consolidated.db
So you have heard that Apple is tracking your every move, saving it to your iPhone and your computer, and making it easy for any hacker with access to your devices (and maybe any other apps) to find out where you have been. No one knows why they are doing it, and Apple has refused to explain what it is for.
Everyone and their blog has been posting about this, and it has been a good excuse to learn about what your phone is doing, why it is doing it, some basics of computer security, and why you might want to encrypt your backups.
It's also been an interesting illustration of how the press works.
So let's break this story down.
First, the panic. "Iphones secretely track your every move" or some variation, was one of the favorite headline subjects. Rather than doing some basic research and THEN posting the article most of these sites and news orgs just dropped the story based solely on content provided by the O'Reily researchers themselves.
The problem is that those researchers were interested in promoting their own study, and failed to do some basic due dilligence and background research. Something that most of the other reporting also didn't do. In the meantime, many of these original posts have been updated with follow up information, but rather than posting new articles, they are just adding to the original posts. Something that won't help anyone who has already read the article (unless they have been compulsively following the story).
What were some of the problems with this story?
Well, to begin with, it wasn't really new.
The digital forensics community has been following this story for quite some time. One of the first to post about it, Alex Levinson, has posted his own take on the recent story, including lots of background information the O'Reily guys claimed they didn't have. Or, you can read a machine translation of the work of a French researcher, Paul Courbis who made an online tool available for examining the file. Last September.
A lot of other forensic types were curious about this file, and there are some very interesting forum threads available. Yes, there are indeed law enforcement people who really do want to find out where someone was:
This is a post from someone investigating a crime who was hoping to use consolidated.db to help with the investigation. Last November.
So back to some of the basic claims.
Is the iPhone tracking your location and storing it in a database on your phone and on your computer?
Yes. Sort of. The iPhone, and most other phones that offer location services, use something called assisted GPS. Normal GPS relies on satellites to find your position. Something that can take a while, and is completely useless if you happen to be indoors, in a tunnel, or anywhere else that doesn't have a clear view of the sky. Assisted GPS gets around this problem, and speeds up the location process, by computing information based on nearby cell towers and wlan routers.
Nokia, Android Phones, Windows Mobile and Apple all use variations of this system. All of them use a central online databank filled with the locations of cell towers and wlan routers, and they all use a local cache as well. You can find out about how Nokia does it here and here.
Google used to get this information from their Streetview cars, but now they apparently rely exclusively on Android phones.
It appears as though Google uses a small local cache, but dials in every time a location service is used.
Apple does something similar, but rather than accessing the central databank on every call, it does it at various intervals when the phone is connected to a wlan network. That would be one explanation of why the local databank is much larger than the Android version. An explanation that Apple itself provided to the U.S. government last summer. . In other words, yes, we know why Apple is doing it, they have explained it themselves, and it's information that was publicly available if the researchers had looked for it.
Of course, journalists covering the story could also have found that info. Like I did. By checking facts. It's part of the job description.
One of the problems that is worth examining is the fact that the file itself seems to be available to apps on the iPhone and anyone who has access to the computer it has been synced to.
The app situation is clear. With the introduction of iOS 4, Apple made it possible for non-system apps to get access to location services while running in the background. To make this possible they moved it's location (and changed the name of the file). Apple seems to have made the choice to rely on cell tower and wlan location rather than satellite based GPS out of energy saving considerations.
But they didn't tell us! Or ask permission!
Actually they did. Aside from the information provided to the U.S. Government, Apple announced a change to their privacy policy last summer, and they asked you for your ok and gave a very basic explanation in iTunes as well.
Apple
Of course, that doesn't go into specifics, but I have never seen a similar explanation or click license that does. And trying to explain the way things work inside of an onscreen dialog just aint gonna happen.
That's where the online community comes in. The fact of the matter is that most technology in use by people is so far beyond them, that it's pretty hard to get beyond the basic concepts involved. It's clear that end users with experience in completely different areas aren't going to know just what a message like that might mean. Computer researchers and tech journalists on the other hand...
Well, you would think they would at least be capable of digging a bit deeper and finding a way to explain things rather than relying on the Chicken Little school of journalism.
I could go into more detail here, but the fact of the matter is that many other people have been writing about the issue and I would rather link to their work.
From a Forensics type: blog.csvance.com
From a user perspective: www.willclarke.net
From a fanboi: www.iphoneblog.de
So is Apple evil or not?
Who knows. Right now, I don't think that question is a central issue. Even worse, it provides a false sense of security in creating the expectation that some other company is less evil. And it's one more reason the news coverage has been a bit irresponsible. Because you ARE being tracked. Sometimes with your (potentially uncomprehending) consent, and sometimes without. you do remember the webtip about the clever politican who found out just how much the telephone company knows right?
As I mentioned earlier, any phones using AGPS have some variation of this information, and are using it in different ways. You can take a look at the Andoid info using this tool: github.com and there was a very interesting presentation of just what can be done on that platform at the 27th Chaos Communications Congress.
You can see the videos of that presentation here:
nerdpower.net
But what can I do!!!
I have no idea.
You could stop using cell phones. Which is a bit tongue in cheek, but in the end it's probably the only real way to avoid being tracked right now. Of course, you should also avoid using ATM machines, credit cards, driving cars, flying, or being anywhere that might have a video camera.
I know that sounds terrible but right now technology requires some trade-offs. Important issues that you CAN try to influence are in the area of data privacy laws, government and corporate access issues, digital rights, corporate influence on legislation, and learning secure computing habits.
And maybe check out this guideline to mobile security:
blog.solutionary.com
And to riff off of one of my favorite 4chanisms:
read moar!