Location Privacy: Apple iPhone / iPad

On April 20, 2011, Alasdair Allan and Pete Warden announced that they had discovered that the Apple iPhone and the Apple 3G iPad were regularly recording the devices' locations into a hidden file. The data gathering, they claimed, was "clearly intentional."
- Apple Announces New Privacy-Enhancing Techniques in iOS 8: Apple has announced new privacy-enhancing techniques that will limit the ability of third parties to track Apple mobile devices. Specifically, iOS 8 will use "random, locally administered MAC addresses," instead of unique device IDs, to connect to the Internet. Mobile phones can now be tracked by law enforcement and private companies because of the unique MAC address associated with the device. In 2004 when the adoption of IPv6 raised privacy concerns, EPIC recommended that MAC addresses be randomized to avoid tracking. The change in the Apple iOS implements this proposal. For more information, see EPIC: Practical Privacy Tools and EPIC: Location Privacy. (Jun. 10, 2014)
- Massachusetts Court Upholds Privacy Protection for Location Records: In Commonwealth v. Augustine, the Massachusetts Supreme Judicial Court ruled that an individual has a reasonable expectation of privacy in cell phone location records held by a company. Article 14 of the Massachusetts Constitution, similar to the Fourth Amendment, provides that individuals should be free from "unreasonable searches, and seizures." The court held that obtaining two weeks of phone location records was a search, requiring a warrant. EPIC filed "friend of the court" briefs in Commonwealth v. Connolly, a similar case in Massachusetts concerning warrantless GPS tracking, and State v. Earls, a case in which the New Jersey Supreme Court held that location data is protected under the state constitution. EPIC also filed a brief in In re U.S. Application for Historical Cell Site Data, where an appeals court held that users have no reasonable expectation of privacy in location records under the Fourth Amendment. The Massachusetts Supreme Court considered all three cases. For more information, see EPIC: Location Privacy. (Feb. 20, 2014)
- New Jersey Court Issues Landmark Location Privacy Decision: Today the Supreme Court of New Jersey held that individuals have a reasonable expectation of privacy in their cell phone location data under the NJ state constitution. In State v. Earls, the New Jersey high court found that "cell-phone location information, which users must provide to receive service, can reveal a great deal of personal information about an individual." This decision is the first to establish a Constitutional right in location data since the U.S. Supreme Court decided United States v. Jones, a GPS tracking case in which several Justices expressed concern about the collection of location data. EPIC participated as amicus curiae in Earls. The New Jersey Supreme Court noted that "EPIC offered helpful details about the current state of cell-phone technology." For more information, see EPIC: State v. Earls and EPIC: Locational Privacy. (Jul. 18, 2013)
- EPIC Recommends Privacy Protections for Natural Disaster Survivors: In comments to the National Institutes of Health, an agency component of Health and Human Services, EPIC urged the agency to safeguard personally identifiable information following natural disasters. The agency proposes to use the PEOPLE LOCATOR system and related mobile app ReUnite™ to reunite "family and friends who are separated during a disaster." The PEOPLE LOCATOR system allows third parties to enter highly sensitive information about each missing or located individual, which in turn is accessed by the public. The system stores disaster survivor information including name, location, date of birth, race, religion, health status, address, and photographs. EPIC recommended that the agency: (1) limit its data collection to relevant information; (2) protect the security of the system by implementing data access control and establishing data quality standards; (3) define a record retention and disposal schedule; and (4) establish guidelines, which adhere to the Fair Information Practices, for disclosures to third parties like Google. For more information, see EPIC: Locational Privacy. (Jun. 20, 2013)
- Texas Bill to Require Warrants for E-mail Searches Awaits Governor's Signature: The Texas legislature has passed H.B. No. 2268, a bill that creates a warrant requirement for law enforcement access to stored electronic communications and customer data. The law, which was presented to Governor Rick Perry this week, is the first successful state effort to establish an across-the-board warrant requirement for stored communications. Congress is considering similar changes to the federal Electronic Communications Privacy Act. Others have proposed more sweeping privacy reforms, and there are bills in both the House and Senate that would establish location privacy protections. EPIC testified before the Texas Legislature on H.B. 1608, a location privacy companion to H.B. 2268. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Locational Privacy. (May. 29, 2013)
- House Subcommittee Considers Geolocation Privacy: The House Subcommittee on Crime, Terrorism, Homeland Security, and Investigations today heard testimony on proposed Geolocation Privacy safeguards for the collection and use of location data generated by cellphones and other devices. As EPIC recently noted in a letter to the House Judiciary committee, and testimony before the Maryland House of Delegates and Texas House of Representatives on similar bills, ECPA does not protect location records; courts are divided on whether such records are protected by the Fourth Amendment. For more information, see EPIC: Locational Privacy. (Apr. 26, 2013)
- EPIC Testifies in Austin on Texas Location Privacy Bill: EPIC's Appellate Advocacy Counsel Alan Butler testified before the Texas State Assembly on a privacy bill for telephone location data. The House bill would establish a warrant requirement for location data and a comprehensive reporting requirement, similar to the federal wiretap reports. Mr. Butler discussed the need for clear rules governing location surveillance that satisfy Fourth Amendment standards, as well as the importance of public reporting and accountability. He also testified at a Senate Committee hearing on the proposal. EPIC recently submitted amicus briefs in State v. Earls and In re U.S. (5th Cir.) regarding location privacy. For more information, see EPIC: Locational Privacy. (Mar. 28, 2013)
- EPIC Highlights Need for Broad Reform of Federal Privacy Law: In response to a request from the House Judiciary Committee, EPIC has recommended a comprehensive review of the federal communications privacy law. Congress will begin hearings this week on ECPA Part 1: Lawful Access to Stored Content. EPIC's letter to the Committee noted the recent settlement by the state Attorneys General with Google in the Street View matter and the reluctance of federal officials to pursue a similar investigation. EPIC also noted growing confusion in the lower courts about the application of the federal privacy law. Finally, EPIC pointed out that the current law provides inadequate protection for private location records. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Locational Privacy. (Mar. 18, 2013)
- EPIC Testifies Before Maryland Legislature on Location Privacy: EPIC Appellate Advocacy Counsel Alan Butler testified before the Maryland House Judiciary Committee on H.B. 887, a location privacy bill that will establish a search warrant requirement for the collection of private location information. Mr. Butler discussed the current state of location tracking and privacy under the state and federal constitutions. The Maryland bill will require a warrant for location tracking and an annual report on electronic surveillance reports, similar to the federal wiretap reports. EPIC recently submitted amicus briefs in State v. Earls and In re US regarding location privacy. For more information, see EPIC: Locational Privacy and EPIC: State v. Earls. (Feb. 28, 2013)
On April 20, 2011, two data scientists, Alasdair Allan and Pete Warden, conducted a discussion at Where 2.0, an annual conference on location-aware technology and business. Allan and Warden announced that they had discovered that the Apple iPhone and the Apple 3G iPad were regularly recording the devices' locations into a hidden file, explaining how they made the discovery, what they thought the collection implied, and how users would be able to view their own data.
Following the announcement, several journalists and researchers delved further into the issue, and there was much speculation about whether the data was being transmitted to Apple and whether the tracking was exclusive to the iPhone / iPad or was also occurring on other smartphones, including Android-based hardware.
Apple has made many statements in support of locational privacy in the past. With the release of OS4, on April 8, 2010, Scott Forstall, the Senior Vice President for iPhone Software, stated: "For all these location things, we take privacy very, very seriously. Ever since we added the first API's for location, we would put up a panel whenever an application wanted to use your location - and the user would have to approve this. We're taking privacy several steps further - in iPhone OS 4." In clarification, Forstall explained exactly what steps would be taken to protect location privacy:
- "First, we're adding an indicator right on the status bar to let you know if any application is asking for your location. Be it a foreground application or one of the background applications - so you could know if something is tracking your location."
- "Next - we're adding fine grain settings - so you could see all of the application that would like to use your location and the user can enable or disable location, per application."
- "And on top of all of this, if any application has asked for your location in the last 24 hours, we'll add an indicator right next to that app - so you could know that it's asked for your location."
- "So we're being completely transparent on the usage of location and we're letting user set, on an app-by-app basis, the ability for apps to use location."
In April 2010, Apple changed its Privacy Policies regarding locational data. At the time, Representative Edward Markey (D-Mass) and Representative Joe Barton (R-TX) sent a letter to Apple's Steve Jobs asking for an explanation for the change in policy and how the changes would affect compliance with the Telecommunications Act (47 U.S.C. § 222). In a lengthy response, Apple explained that the change was meant to address Apple's location-based services. Apple gave assurances that customers' location-based GPS information that Apple collected from mobile devices would be "stored in a database accessible only by Apple."
- "[Apple] may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising."
- "To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services."
On April 21, 2011, Representative Edward J. Markey (D-Mass) sent a letter to Steve Jobs, the CEO of Apple, Inc. Rep. Markey voiced concern for the "consequences of this feature for individuals' privacy," and posed the following questions:
- Is it accurate that Apple iPhone keeps track of where iPhone users go, saving this information to a file on the device that is then copied to the owner's computer when the two are synchronized?
- Did Apple intentionally develop this functionality in order to log the locations of users?
- How does Apple collect this customer location information?
- Does Apple use this information for any purpose?
- Has Apple used this location information for any commercial purpose?
- Is it possible for customers to disable this feature?
- Given the widespread usage of iPhones and iPads by individuals under the age of 18, is Apple concerned that the wide array of precise location data logged by these devices can be used to track minors, exposing them to potential harm?
In a similar letter, sent on April 21, 2011, Senator Franken (D-Minn) posed the following questions:
- Why does Apple collect and compile this location data? Why did Apple choose to initiate tracking this data in its iOS 4 operating system?
- Does Apple collect and compile this location data for laptops?
- How is this data generated? (GPS, cell tower triangulation, WiFi triangulation, etc.)
- How frequently is a user's location recorded? What triggers the creation of a record of someone's location?
- How precise is this location data? Can it track a user's location to 50 meters, 100 meters, etc.?
- Why is this data not encrypted? What steps will Apple take to encrypt this data?
- Why were Apple consumers never affirmatively informed of the collection and retention of their location data in this manner? Why did Apple not seek affirmative consent before doing so?
- To whom, if anyone, including Apple, has this data been disclosed? When and why were these disclosures made?
Sen. Franken stated, "The existence of this information stored in an unencrypted format raises serious privacy concerns."
On April 20, 2011 Representative Jay Inslee (D-WA) issued an official statement on the issue, indicating that he would press the company for answers and noting that "current law fails to ensure consumers are protected from privacy violations." On April 22, 2011, Rep. Inslee wrote to Chairman Leibowitz, chairman of the Federal Trade Commission, calling for the Commission's "prompt attention to this important matter."
As of April 22, 2011, the Italian Data Protection Authority had opened an investigation into the matter. In addition, the Bavarian Agency for the Supervision of Data Protection (Germany) and the French Data Protection Authority had stated an intent to look deeper into the matter. On April 26, 2011, South Korea's Communications Commission also questioned Apple about location data stored on iPhone and iPad devices.
On April 22, 2011, two individuals filed a class action lawsuit against Apple in the Middle District of Florida. Allegations include violations of the Computer Fraud and Abuse Act, Fraud, Misrepresentation, and several state claims, among others.
On April 25, 2011, the Illinois Attorney General asked for a meeting with Apple to discuss privacy concerns on mobile devices.
Apple finally responded to the allegations on April 27, 2011 in a carefully worded press release. Responding to pressure from privacy groups, Apple announced three changes to iOS4:
- Locational data storage will be limited to one week
- Locational data will no longer be transferred to a user's computer
- Users will be able to delete all locational data collection on the device
- All locational data stored on the device will be encrypted
- EPIC: Locational Privacy, available at http://epic.org/privacy/location_privacy/default.html
- Got an iPhone or 3G iPad? Apple is recording your moves (Report from Alasdair Allan and Pete Warden), available at http://radar.oreilly.com/2011/04/apple-location-tracking.html (April 20, 2011)
- Apple: Apple Q&A on Location Data, available at http://www.apple.com/pr/library/2011/04/27location_qa.html (April 27, 2011)
- U.S. Patent & Trademark Office: Location Histories for Location Aware Devices (Filed by Apple, Inc., September 3, 2009), available at http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=134&f=G&l=50&d=PG01&s1=apple.AS.&p=3&OS=AN%2Fapple&RS=AN%2Fapple
- Letter to Apple from Sen. Franken, available at http://www.franken.senate.gov/files/letter/110420_Apple_Letter.pdf (April 21, 2011)
- Letter to Apple from Rep. Markey, available at http://markey.house.gov/docs/apple_ios_letter_04.21.11.pdf (April 21, 2011)
- Letter to Apple from Rep. Markey and Rep. Barton, available at http://markey.house.gov/docs/markeybartonapple.pdf (June 24, 2010)
- Letter to Rep. Markey and Rep. Barton from Apple, available at http://markey.house.gov/docs/applemarkeybarton7-12-10.pdf (July 12, 2010)
- Letter from Rep. Inslee to the Federal Trade Commission, available at http://epic.org/privacy/location_privacy/Rep_Inslee_FTC_Apple_Letter.pdf (April 22, 2011)
- TRUSTe: Program Requirements, available at http://www.truste.com/privacy-program-requirements/index.html
- Where 2.0 Conference, available at http://where2conf.com/where2011/
- United States Telecommunications Act, 47 U.S.C. § 222, available at http://www.law.cornell.edu/uscode/uscode47/usc_sec_47_00000222----000-.html
- Illinois Attorney General Press Release, "Attorney General Madigan Calls on Apple, Google to Address Mobile Device Privacy Concerns," available at http://illinoisattorneygeneral.gov/pressroom/2011_04/20110425.html
- Rep. Inslee Press Release, "Hidden Location Tracking Raises Concerns," available at http://epic.org/privacy/location_privacy/Rep_Inslee_iPhone_Release.pdf (April 20, 2011)
- Ajjampur v. Apple, Inc., Class Action Complaint, available at http://epic.org/privacy/location_privacy/iphone_classact-comp.pdf
- New York Times: Jobs Says Apple Made Mistakes with iPhone Data, available at http://www.nytimes.com/2011/04/28/technology/28apple.html?_r=1 (April 27, 2011)
- Kashmir Hill, Forbes: Apple Filed a Patent Application in 2009 for What It's Now Calling a 'Bug,' available at http://blogs.forbes.com/kashmirhill/2011/04/27/apple-filed-a-patent-application-in-2009-for-what-its-now-calling-a-bug/ (April 27, 2011)
- CSPAN, Washington Journal: Cell Phone Tracking and Privacy Issues (video), available at http://www.c-spanvideo.org/program/PhoneT (April 26, 2011)
- The Mac Observer: iPhone Location Tracking Leads to Privacy Lawsuit, available at http://www.macobserver.com/tmo/article/iphone_location_tracking_leads_to_privacy_lawsuit/ (April 26, 2011)
- Ars Technica: South Korea, Europe Start iPhone Tracking Investigations, available at http://arstechnica.com/apple/news/2011/04/south-korea-europe-start-iphone-location-tracking-investigations.ars (April 26, 2011)
- Bloomberg: Wired's Chen on Apple IPhone Privacy Issues (video), available at http://www.bloomberg.com/video/69007174/ (April 25, 2011)
- Chicago Sun-Times: iPhone, iPad Tracking Data Easily Accessible, available at http://www.suntimes.com/technology/4949980-478/iphone-ipad-tracking-data-easily-accessible.html (April 22, 2011)
- CNET: How Police Have Obtained iPhone, iPad Tracking Logs, available at http://news.cnet.com/8301-31921_3-20056344-281.html (April 21, 2011)
- New York Times: Inquiries Grow Over Apple's Data Collection Practices, available at http://www.nytimes.com/2011/04/22/technology/22data.html?_r=1&partner=rss&emc=rss (April 21, 2011)
- USA Today: Lawmakers Ask Apple to Explain iPhone's Tracking Function, available at http://content.usatoday.com/communities/ondeadline/post/2011/04/congress-wants-apple-to-explain-iphones-tracking-function/1 (April 21, 2011)
- The Guardian: iPhone Keeps Record of Everywhere You Go, available at http://www.guardian.co.uk/technology/2011/apr/20/iphone-tracking-prompts-privacy-fears (April 21, 2011)
- CNET: Lawmakers Demand Answers From Apple on iPhone Tracking, available at http://news.cnet.com/8301-30686_3-20056235-266.html (April 21, 2011)
- ABC News: Sen. Al Franken Questions Apple Over iPhone Tracking, available at http://abcnews.go.com/Technology/apple-pushed-congress-answers-iphone-tracking/story?id=13426917 (April 21, 2011)
- PCWorld: Apple's iOS Location-Tracking Headaches: 5 Questions, available at http://www.pcworld.com/article/226005/apples_ios_locationtracking_headaches_5_questions.html (April 21, 2011)
- New York Times: Tracking File Found in iPhones, available at http://www.nytimes.com/2011/04/21/business/21data.html (April 20, 2011)
- Daily Tech: Apple is Tracking iPhone, iPad Users' Location; Easily Mapped with OS X App, available at http://www.dailytech.com/Apple+is+Tracking+its+iPhone+iPad+Users+Every+Move/article21429.htm (April 20, 2011)
- Los Angeles Times: Apple collecting, sharing iPhone users' precise locations [Updated], available at http://latimesblogs.latimes.com/technology/2010/06/apple-location-privacy-iphone-ipad.html (June 21, 2010)
- PC World: Apple Location Data Collection Policies: What You Need to Know, available at http://www.pcworld.com/article/201486/apple_location_data_collection_policies_what_you_need_to_know.html?tk=rel_news (June 20, 2010)
- Apple Insider: Jobs: iPhone ad SDK Changes for User Privacy, Not Anti-Competitive, available at http://www.patentlyapple.com/patently-apple/2010/04/apples-iphone-os-4-will-provide-background-location-security.html (April 10, 2010)
- Engadget: Live from Apple's iPhone OS 4 event!, available at http://www.engadget.com/2010/04/08/live-from-apples-iphone-os-4-event/ (April 8, 2010)