The story so far: there’s a SQLite database on your iPhone called consolidated.db. It contains geolocation records of the phone. A year’s worth. Now this isn’t new news. This has been known for a year or so. Apple even described its use of location information to Representatives Markey and Barton last July. (Page 4 is the beginning of the location services information.)
So why is this not-new news, news again?
Two developers, Alasdair Allan and Pete Warden, created this simple, elegant application, iPhoneTracker. It reads your consolidated.db file from your iPhone backups, pulls the location data out of the file, overlays that data onto a map, and lets you play back where your phone’s been for the last year.
To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services.
Some location-based services offered by Apple, such as the MobileMe “Find My iPhone” feature, require your personal information for the feature to work.
This describes the “how” of collection, but little else.
There are plenty of reasons why device makers like Apple would want to generate and collect location data. I have no problem with that (so long as the data is properly handled, including anonymization). But with this ability to collect comes a duty to consistently protect. And this is where Apple has fallen down on the job. No doubt, Apple protects this kind of data in its data centers. But those protections ought to extend throughout the lifecycle of the data, wherever Apple can protect it. This data can and should be better protected on the device itself and on the desktop. (BTW, if you turn on “Encrypt iPhone Backup,” iPhoneTracker won’t be able to read the consolidated.db.)
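Since an unencrypted backup leaves consolidated.db readable by anyone with access to the desktop, the practical check is whether “Encrypt iPhone Backup” is actually on for every backup on the machine. Here is an added example (my own, not part of the post or of iPhoneTracker) that audits local backup folders; it assumes each folder carries a Manifest.plist with a boolean IsEncrypted key, and the default MobileSync paths shown are assumptions too.

```python
# Added example, not from the post or from iPhoneTracker: audit local iTunes
# backups and flag any that are unencrypted. Assumption: each backup folder
# holds a Manifest.plist whose boolean "IsEncrypted" key records whether
# "Encrypt iPhone Backup" was enabled when the backup was made.
import os
import plistlib
import sys
import tempfile

def backup_root():
    """Default per-user MobileSync backup directory (assumed paths for OS X / Windows)."""
    if sys.platform == "darwin":
        return os.path.expanduser("~/Library/Application Support/MobileSync/Backup")
    return os.path.join(os.environ.get("APPDATA", ""), "Apple Computer", "MobileSync", "Backup")

def audit_backups(root):
    """Return {backup_folder_name: is_encrypted} for every backup with a readable Manifest.plist."""
    results = {}
    if not os.path.isdir(root):
        return results
    for name in sorted(os.listdir(root)):
        manifest = os.path.join(root, name, "Manifest.plist")
        if not os.path.isfile(manifest):
            continue  # not a backup folder, skip it
        with open(manifest, "rb") as fh:
            info = plistlib.load(fh)
        results[name] = bool(info.get("IsEncrypted", False))
    return results

def unencrypted_backups(root):
    """Names of backups whose consolidated.db would be readable in the clear."""
    return [name for name, enc in audit_backups(root).items() if not enc]

def make_sample_root():
    """Constructed sample: two fake backup folders, one encrypted and one not."""
    root = tempfile.mkdtemp(prefix="mobilesync-sample-")
    for name, enc in (("deadbeef01", True), ("deadbeef02", False)):
        folder = os.path.join(root, name)
        os.makedirs(folder)
        with open(os.path.join(folder, "Manifest.plist"), "wb") as fh:
            plistlib.dump({"IsEncrypted": enc}, fh)
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else backup_root()
    for name, enc in audit_backups(root).items():
        print(f"{name}: {'encrypted' if enc else 'UNENCRYPTED - consolidated.db readable'}")
```

Run it with no argument to scan the default backup directory, or pass a directory path to scan somewhere else.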
Of course, if this data wasn’t collected in the first place, there would be no commensurate need to protect it. Unfortunately, there is no way for the phone’s user to stop this location data from being generated and stored. The appropriate thing to do is to give iPhone customers a meaningful choice and let them disable the collection of this data. This is what Apple does in OS X with its similar Location Services, and it is what Apple ought to do on the iPhone.
To sum up:
- Generated data needs to be considered along with collected data. If I make a device and that device has a record of everywhere my customers go, even if I never collect that data, I have to think about it as if I collected it.
- Data collection demands consistent protection. If you protect it on the wire and you protect it in your data center, you still have to think about protecting it at the generation/collection point.
- Meaningful choice is mandatory. A Hobson’s choice (don’t use our device) isn’t a choice at all.
And lastly, for those of you who haven’t played with iPhoneTracker yet, here’s a picture from my consolidated.db.