Skip to content

Google, Apple - Unabashedly Reassembling Your Life

Updated: at 05:00 PM

The popular media is reporting with great fervor (and it appears some surprise) that Apple has been tracking every iPhone 4 and iPad 3G sold since they were first turned on, without their owners’ knowledge. This alone isn’t very surprising given that for years experts have warned the public about the negative side of carrying a network-enabled GPS with you at all times. However, what is surprising is how careless Apple is with the data. They store it in an open-text format where it’s easily found on any computer that syncs with a given iPhone. This means that companies that issue iPhones have an easily accessible, automatic log of their employees’ movements should they ever need it for an investigation, for example, or if they’re ever just curious. Law enforcement agencies have already been using the file to learn the whereabouts of iPhone users.

Apple’s location tracking illustration
Apple probably wants the data for less evil purposes like developing a database of WiFi hotspot coordinates.

Google first came up with the idea for this years ago when they were mapping Street View. They had the foresight to arm their vehicles with WiFi detectors that generated a database of the locations of discovered WiFi routers as they drove down every street in the world. This was a brilliant idea. It meant that smartphones would be able to triangulate their positions simply by sniffing for hotspots and sending the results to Google, who would return their probable location. With this rough fix, a smartphone could feed the data to the phone’s GPS receiver to speed up the GPS fix by an order of magnitude. This was an amazingly creative use of WiFi signals that Google promptly got into hot water for. It turns out that Google was careless and accidentally collected data fragments that might have been transmitted on unsecured WiFi networks as they drove past. Some claimed that this turned Google’s Street View operation into an army of wardriving vehicles—a term used in the early WiFi days to describe the nefarious search for unsecured networks. This accusation was a red herring, but in October it was enough to make Google promise to stop sniffing WiFi hotspots with their Street View vehicles. Their promise was an empty one; Google had much bigger plans.

Distributed Wardriving

As part of the Android operating system, Google has been building and refining a robust database of the precise geographical location of WiFi routers. They have effectively turned every Android phone into a wardriving device. When an Android handset detects a wireless network, it beams its MAC address, signal strength, GPS coordinates, and the handset’s unique ID to Google servers. The result is a very complete and very up-to-date dataset of global WiFi router locations. Google has made this database freely accessible to the public and has said that it will only collect data from Android users who have explicitly given their consent.

The chances are that your home or work WiFi router is in the database, mine was (see image below).

Google’s WiFi mapping system
Google’s system showing the location of WiFi routers.

Hacker Samy Kamkar (author of the Samy Worm) has developed a site that demonstrates just how comprehensive Google’s catalog is. Simply type in your WiFi router’s MAC address, and there’s a good chance that it will return its location. This data is theoretically still anonymous since it’s simply a MAC address and not a person’s name.

If we start the thought process from this point, one quickly realizes that we no longer need a GPS to determine someone’s location. Wireless providers have been applying this principle for years. By analyzing the signal strength between cell towers and non-GPS-enabled handsets, wireless providers keep a rough position fix on their consumers. They aggregate this data and sell it for things like traffic congestion analysis and driving route planning. This might perk up the ears of privacy watchdogs, but at least this is a matter that is directly affected by law. This is a company selling data to another company, and it’s not in the wireless company’s interest to provide unique identifiers if the data is only to be used in aggregate. WiFi router tracking has no such limitations or restrictions. Chinese citizens living in Beijing are offered no such reassurances as their government has begun using WiFi triangulation to track its citizens under the guise of easing traffic congestion.

Online Behavioural Tracking

Another form of tracking is the more widely known techniques of cookie and IP-based tracking. This doesn’t have to do with physical location, but it has to do with uniquely identifying a computer and sometimes a unique individual and applying that data to better target that person for advertising and promotions. In mid-maturity, this kind of marketing is only getting better and more precise as marketers warm to it and become more comfortable with the granularity of the data available.

For example, if I log in to online banking at a major bank, that bank now knows that my site cookie is really me (since I just authenticated with the bank) and can draw on a number of techniques to further learn about my habits in detail. What if this could be mixed with location-based information? Could my bank’s new iPhone app (that innocently asks to use my geolocation to help me find the nearest bank machine) start matching mobile location with the same behavior analysis information? The bank has my home address on file to match against my geolocation. It could easily build out a profile of movement and habit to better understand whether I was a homebody or a socialite.

Another example of what can be done with such data is Skyhook. Skyhook is a company currently suing Google for patent infringement that offers a plethora of services based on massive geolocation and online activity data. From their website:

SpotRank predicts the density of people in predefined urban square-block areas worldwide at any hour, any day of the week. Developers and advertisers can use this groundbreaking behavioral intelligence data to serve location-based content and ads in cool new ways never envisioned before.

Apple and Google could go much further with the data at their disposal.

*Apple and Google could go much further with the data at their disposal.*

Putting it All Together

Let’s look at the data that Apple and Google each have at their disposal:

What could one do with all of this information if it was used together? A lot.

With the ability to track the movement of non-GPS devices, the concern spreads to the profiling and tracking of laptops and other WiFi-enabled devices. If I connect my Apple Macintosh or WiFi-only iPad to my home WiFi router, Apple is immediately able to match my router locale with my iTunes Apple ID, which contains my credit card information including my mailing address. They instantly know that I’m at home. Using basic data analysis, they could easily determine my likely place of employment. For example, if my iPhone connects to my secure office WiFi router every day during business hours, it’s probably a good guess that I’m at work.

A better way would be to reverse this data analysis: get the Apple IDs of all users who connect to the same secure office WiFi router, analyze those Apple accounts, and look for things in common. Using such methods, Apple could learn about their customers down to the punch-clock detail of their work habits and the routines of their entire life profile.

Apple is already doing this, and the public has agreed to it. The Apple iOS4 End User License Agreement (EULA) contains the following passage:

When you interact with Apple, we may collect personal information relevant to the situation, such as your name, mailing address, phone number, email address, and contact preferences; your credit card information and information about the Apple products you own, such as their serial numbers and date of purchase; and information relating to a support or service issue.

And:

Apple may provide certain services through your iPhone that rely upon location information. To provide these services, Apple and its partners may collect, maintain, process, and use your location data, including the real-time geographic location of your iPhone. By using or activating any location-based services on your iPhone, you agree and consent to Apple’s and its partners’ collection, maintenance, processing, and use of your location data to provide you with such services.

Google could do the same and more using Gmail accounts configured on iPhones, IPs, and Android phones scanning at the network level. In Google’s case, they wouldn’t only know where I was but would also be able to draw on the contents of my mail and search history to better understand who I was and what I was interested in. It only took one Android phone to geotag my home WiFi hotspot, leaving every device that connects to it from now on susceptible to geotagging. Browsers like Safari and Chrome, which have options to determine my location for better search results, are able to report back additional data on web browsing activity, including every Google search, every Gmail login, etc.

Now don’t get me wrong, I have very little faith that either Apple or Google are organized enough to use this data efficiently to create a digital Big Brother state. I joked at work that there should be an Onion article written: Foursquare Addict Outraged to Discover iPhone Tracking Their Location. I’ve pointed out in previous articles that the public freely gives up more information about themselves now than ever before. The public would do well to stop and consider the creative ways that minds at Apple and Google can reassemble that data to reverse-engineer their lives.

“Don’t be evil” is Google’s informal company mantra. Some may see their Android data collection policy as evil, but the public’s definition of evil is changing rapidly. Apple has no such mantra.


Previous Post
Digitizing Apollo 17 Part 1 – Discovering Apollo
Next Post
Phil Zimmermann at SxSW