The popular media is reporting with great fervour (and, it appears, some surprise) that Apple has been tracking every iPhone 4 and iPad 3G sold since they were first turned on, without their owners’ knowledge. This alone isn’t very surprising given that for years experts have warned the public about the negative side of carrying a network-enabled GPS with you at all times. However, what is surprising is how careless Apple is with the data. They store it in an open-text format where it’s easily found on any computer that syncs with a given iPhone. This means that companies that issue iPhones have an easily accessible, automatic log of their employees’ movements should they ever need it for an investigation, for example, or if they’re ever just curious. Law enforcement agencies have already been using the file to learn the whereabouts of iPhone users.
Apple probably wants the data for less evil purposes like developing a database of WiFi hotspot coordinates. Google first came up with the idea for this years ago when they were mapping Street View. They had the foresight to arm their vehicles with WiFi detectors that generated a database of the locations of discovered WiFi routers as they drove down every street in the world. This was a brilliant idea. It meant that smartphones would be able to triangulate their positions simply by sniffing for hotspots and sending the results to Google, which would return their probable location. With this rough fix a smartphone could feed the data to the phone’s GPS receiver to speed up the GPS fix by an order of magnitude. This was an amazingly creative use of WiFi signals that Google promptly got into hot water for. It turns out that Google was careless and accidentally collected data fragments that might have been transmitted on unsecured WiFi networks as they drove past. Some claimed that this turned Google’s Street View operation into an army of wardriving vehicles, a term used in the early WiFi days to describe the nefarious search for unsecured networks. This accusation was a red herring, but in October it was enough to make Google promise to stop sniffing WiFi hotspots with their Street View vehicles. Their promise was an empty one; Google had much bigger plans.
Distributed Wardriving
As part of the Android operating system, Google has been building and refining a robust database of the precise geographical location of WiFi routers. They have effectively turned every Android phone into a wardriving device. When an Android handset detects a wireless network, it beams its MAC address, signal strength, GPS coordinates, and the handset’s unique ID to Google servers. The result is a very complete and very up-to-date dataset of global WiFi router locations. Google has made this database freely accessible to the public and has said that it will only collect data from Android users who have explicitly given their consent.
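How a crowd-sourced router database of this kind can be built from handset reports and then used to place a device that has no GPS, as an added example that is not Google's or Apple's code. The reports, the placeholder MAC addresses and the signal-weighted centroid estimator are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed handset reports: (router MAC, RSSI in dBm, handset GPS lat, lon).
# MACs are locally administered placeholders, not real routers.
REPORTS = [
    ("02:00:00:00:00:01", -40, 43.6500, -79.3800),
    ("02:00:00:00:00:01", -70, 43.6504, -79.3800),
    ("02:00:00:00:00:02", -50, 43.6510, -79.3790),
    ("02:00:00:00:00:02", -50, 43.6510, -79.3794),
]

def weight(rssi_dbm):
    """Convert dBm to linear milliwatts so stronger (closer) readings count more."""
    return 10 ** (rssi_dbm / 10)

def weighted_centroid(points):
    """Average (weight, lat, lon) tuples; adequate over a few city blocks."""
    points = list(points)
    total = sum(w for w, _, _ in points)
    lat = sum(w * la for w, la, _ in points) / total
    lon = sum(w * lo for w, _, lo in points) / total
    return lat, lon

def build_router_db(reports):
    """Server side: collapse many handset reports into one position per MAC."""
    by_mac = defaultdict(list)
    for mac, rssi, lat, lon in reports:
        by_mac[mac.lower()].append((weight(rssi), lat, lon))
    return {mac: weighted_centroid(pts) for mac, pts in by_mac.items()}

def locate(scan, db):
    """Place a device with no GPS from the (MAC, RSSI) pairs it can hear."""
    known = [(weight(rssi), *db[mac.lower()])
             for mac, rssi in scan if mac.lower() in db]
    return weighted_centroid(known) if known else None

if __name__ == "__main__":
    db = build_router_db(REPORTS)
    # Constructed scan from a laptop: two known routers, one never reported.
    scan = [("02:00:00:00:00:01", -60), ("02:00:00:00:00:02", -60),
            ("02:00:00:00:00:99", -30)]
    print(db)
    print(locate(scan, db))
```

Once a router has been reported even once, any device that later hears it can be placed without ever turning on a GPS receiver.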
Chances are that your home or work WiFi router is in the database; mine was (see image right). Hacker Samy Kamkar (author of the Samy Worm) has developed a site that demonstrates just how comprehensive Google’s catalog is. Simply type in your WiFi router’s MAC address and there’s a good chance that it will return its location. This data is theoretically still anonymous since it’s simply a MAC address and not a person’s name.
If we start the thought process from this point, we quickly realize that we no longer need a GPS in order to determine someone’s location. Wireless providers have been applying this principle for years. By analysing the signal strength between cell towers and non-GPS-enabled handsets, wireless providers keep a rough position fix on their consumers. They aggregate this data and sell it for things like traffic congestion analysis and driving route planning. This might perk up the ears of privacy watchdogs, but at least this is a matter that is directly affected by law. This is a company selling data to another company, and it’s not in the wireless company’s interest to provide unique identifiers if the data is only to be used in aggregate. WiFi router tracking has no such limitations or restrictions. Chinese citizens living in Beijing are offered no such reassurances as their government has begun using WiFi triangulation to track its citizens under the guise of easing traffic congestion.
Online Behavioural Tracking
Another form of tracking is the more widely known technique of cookie and IP-based tracking. This doesn’t have to do with physical location, but it has to do with uniquely identifying a computer and sometimes a unique individual and applying that data to better target that person for advertising and promotions. In mid-maturity, this kind of marketing is only getting better and more precise as marketers warm to it and become more comfortable with the granularity of the data available. For example, if I log in to online banking at a major bank, that bank now knows that my site cookie is really me (since I just authenticated with the bank) and can draw on a number of techniques to further learn about my habits in detail. What if this could be mixed with location-based information? Could my bank’s new iPhone app (that innocently asks to use my geolocation to help me find the nearest bank machine) start matching mobile location with the same behaviour analysis information? The bank has my home address on file to match against my geolocation. It could easily build out a profile of movement and habit to better understand whether I was a homebody or a socialite. Another example of what can be done with such data is Skyhook. Skyhook, a company currently suing Google for patent infringement, offers a plethora of services based on massive geolocation and online activity data. From their website:
SpotRank predicts the density of people in predefined urban square-block areas worldwide at any hour, any day of the week. Developers and advertisers can use this groundbreaking behavioral intelligence data to serve location-based content and ads in cool new ways never envisioned before.
Apple and Google could go much further with the data at their disposal.
Putting it All Together
Let’s look at the data that Apple and Google each have at their disposal:
- Precise information on the when and where of the movement of their customers.
- A constantly updated database of WiFi router locations by MAC address, which they can use to connect wireless and wired behaviour.
- Network access data. Google knows what everyone searches for by IP and by cookie.
- Credit card data. As of March 2011, Apple has over 200 million active credit card numbers on file, each attached to an Apple ID, which you have to have associated with your iPhone in order to use the app store.
- Search history data (even via so-called Private Browsing).
- IP and geolocation account login data (either through Gmail or me.com in Apple’s case).
What could one do with all of this information if it was used together? A lot.
With the ability to track the movement of non-GPS devices, the concern spreads to the profiling and tracking of laptops and other WiFi-enabled devices. If I connect my Apple Macintosh or WiFi-only iPad to my home WiFi router, Apple is immediately able to match my router locale with my iTunes Apple ID, which contains my credit card information including my mailing address. They instantly know that I’m at home. Using basic data analysis they could easily determine my likely place of employment. For example, if my iPhone connects to my secure office WiFi router every day during business hours, it’s probably a good guess that I’m at work. A better way would be to reverse this data analysis: get the Apple IDs of all users who connect to the same secure office WiFi router, analyse those Apple accounts and look for things in common. Using such methods Apple could learn about their customers down to the punch-clock detail of their work habits and the routines of their entire life profile.
Apple is already doing this and the public has agreed to it. The Apple iOS4 End User License Agreement (EULA) contains the following passage:
When you interact with Apple, we may collect personal information relevant to the situation, such as your name, mailing address, phone number, email address, and contact preferences; your credit card information and information about the Apple products you own, such as their serial numbers and date of purchase; and information relating to a support or service issue.
And
Apple may provide certain services through your iPhone that rely upon location information. To provide these services, Apple and its partners may collect, maintain, process and use your location data, including the real-time geographic location of your iPhone. By using or activating any location-based services on your iPhone, you agree and consent to Apple’s and its partners’ collection, maintenance, processing and use of your location data to provide you with such services.
Google could do the same and more using Gmail accounts configured on iPhones, IPs and Android phones scanning at the network level. In Google’s case they wouldn’t only know where I was but they would be able to draw on the contents of my mail and my search history to get a better idea of who I was and what I was interested in. It only took one Android phone to geotag my home WiFi hotspot, leaving every device that connects to it from now on susceptible to geotagging. Browsers like Safari and Chrome that have options to determine my location for better search results are able to report back additional data on web browsing activity including every Google search, every Gmail login etc.
Now don’t get me wrong, I have very little faith that either Apple or Google is organized enough to use this data efficiently to create a digital Big Brother state. I joked at work that there should be an Onion article written: Foursquare Addict Outraged to Discover iPhone Tracking their Location. I’ve pointed out in previous articles that the public freely gives up more information about themselves now than ever before. The public would do well to stop and consider the creative ways that minds at Apple and Google can reassemble that data to reverse engineer their lives.
“Don’t be evil” is Google’s informal company mantra. Some may see their Android data collection policy as evil, but the public’s definition of evil is changing rapidly. Apple has no such mantra.
@benfeist on twitter