Location Privacy: Apple iPhone / iPadOn April 20, 2011, Alasdair Allan and Pete Warden announced that they had discovered that the Apple iPhone and the Apple 3G iPad were regularly recording the devices' locations into a hidden file. The data gathering, they claimed, was "clearly intentional."
- EPIC Backs Comments on Location Privacy: EPIC has joined a coalition of consumer privacy groups in comments to the Federal Communications Commission on the "Roadmap for Improving E911 Location Accuracy." EPIC and the groups explained that collecting location information without privacy protections puts customers at risk. EPIC filed similar comments with the FCC in 2007. EPIC urged the Commission to recognize that "(1) the FCC has an obligation to protect the privacy of consumer information generated by the provision of communication services; (2) current regulations do not adequately location-based information, (3) legal frameworks, notably in the European Union, provide safeguards for location data, and (4) the Commission should establish rules that limit the use of customer location-based information." EPIC has frequently advocated for express authorization prior to disclosure of "call location information." The "Roadmap" raises concerns that the location of telephone users will be routinely known to federal agencies, whether or not there is an emergency. EPIC has also filed amicus curiae briefs in the U.S. Supreme Court and the Supreme Court of New Jersey arguing that location tracking by the government is a search under the Fourth Amendment and should only be conducted with a judicial warrant. For more information, see EPIC: Locational Privacy. (Dec. 16, 2014)
- Senator Markey Asks Justice Department About Cell Phone Tracking Program: Senator Edward J. Markey (D-MA) has sent detailed questions to Attorney General Holder about recent reports that law enforcement agencies have deployed aircraft equipped with cell tower simulators to capture mobile phone communication. The devices, known as "IMSI catchers" or "Stingray," identify and track cell phone users. Senator Markey wrote "the sweeping nature of this program and likely collection of sensitive records...raise important questions about how the Department protects the privacy of Americans" with no connection to unlawful activities. EPIC successfully sued the FBI to obtain documents about the agency's use of Stingray devices. EPIC has also filed amicus curiae briefs in the U.S. Supreme Court and the Supreme Court of New Jersey arguing that location tracking is a search under the Fourth Amendment and should only be conducted with a judicial warrant. For more information, see EPIC: Locational Privacy and EPIC v. FBI (Stingray). (Nov. 17, 2014)
- Apple Announces New Privacy Enhancing Techniques: The most recent product announcement from Apple, includes several privacy enhancing techniques that EPIC has favored, including randomized MAC addresses, end-to-end encryption, robust screen lock, and implementation of secure electronic payment systems. Still, EPIC has raised questions about Health Kit, which enables the collection and transfer of sensitive medical information, and the enforcement of developer guidelines. For more information, see, EPIC: Practical Privacy Tools and EPIC: Location Privacy. (Sep. 23, 2014)
- Apple Announces New Privacy-Enhancing Techniques in iOS 8: Apple has announced new privacy-enhancing techniques that will limit the ability of third parties to track Apple mobile devicesi. Specifically, iOS8 will use "random, locally administered MAC addresses," instead of unique device IDs, to connect to the Internet. Mobile phones can now be tracked by law enforcement and private companies because of the unique MAC address associated with the device. In 2004 when the adoption of IPv6 raised privacy concerns, EPIC recommended that MAC addresses be randomized to avoid tracking. The change in the Apple iOS implements this proposal. For more information, see EPIC: Practical Privacy Tools and EPIC: Location Privacy. (Jun. 10, 2014)
- Massachusetts Court Upholds Privacy Protection for Location Records: In Commonwealth v. Augustine, the Massachusetts Supreme Judicial Court ruled that an individual has a reasonable expectation of privacy in cell phone location records held by a company. Article 14 of the Massachusetts Constitution, similar to the Fourth Amendment, provides that individuals should be free from "unreasonable searches, and seizures." The court held that obtaining two weeks of phone location records was a search, requiring a warrant. EPIC filed "friend of the court" briefs in Commonwealth v. Connolly, a similar case in Massachusetts concerning warrantless GPS tracking, and State v. Earls, a case in which the New Jersey Supreme Court held that location data is protected under the state constitution. EPIC also filed a brief in In re U.S. Application for Historical Cell Site Data, where an appeals court held that users have no reasonable expectation of privacy in location records under the Fourth Amendment. The Massachusetts Supreme Court considered all three cases. For more information, see EPIC: Location Privacy. (Feb. 20, 2014)
- New Jersey Court Issues Landmark Location Privacy Decision: Today the Supreme Court of New Jersey held that individuals have a reasonable expectation of privacy in their cell phone location data under the NJ state constitution. In State v. Earls, the New Jersey high court found that "cell-phone location information, which users must provide to receive service, can reveal a great deal of personal information about an individual." This decision is the first to establish a Constitutional right in location data since the U.S. Supreme Court decided United States v. Jones, a GPS tracking case in which several Justices expressed concern about the collection of location data. EPIC participated as amicus curiae in Earls. The New Jersey Supreme Court noted that "EPIC offered helpful details about the current state of cell-phone technology." For more information, see EPIC: State v. Earls and EPIC: Locational Privacy. (Jul. 18, 2013)
- EPIC Recommends Privacy Protections for Natural Disaster Survivors: In comments to the National Institutes of Health, an agency component of Health and Human Services, EPIC urged the agency to safeguard personally identifiable information following natural disasters. The agency proposes to use the PEOPLE LOCATOR system and related mobile app ReUnite™ to reunite "family and friends who are separated during a disaster." The PEOPLE LOCATOR system allows third parties to enter highly sensitive information about each missing or located individual, which in turn is accessed by the public. The system stores disaster survivor information including name, location, date of birth, race, religion, health status, address, and photographs. EPIC recommended that the agency: (1) limit its data collection to relevant information, (2) protect the security of the system by implementing data access control and establishing data quality standards; (3) define a record retention and disposal schedule; and (4) establish guidelines, which adhere to the Fair Information Practices, for disclosures to third parties like Google. For more information, see EPIC: Locational Privacy. (Jun. 20, 2013)
- Texas Bill to Require Warrants for E-mail Searches Awaits Governor's Signature: The Texas legislature has passed H.B. No. 2268, a bill that creates a warrant requirement for law enforcement access to stored electronic communications and customer data. The law, which was presented to Governor Rick Perry this week, is the first successful state effort to establish an across-the-board warrant requirement for stored communications. Congress is considering similar changes to the federal Electronic Communications Privacy Act. Others have proposed more sweeping privacy reforms, and there are bills in both the House and Senate that would establish location privacy protections. EPIC testified before the Texas Legislature on H.B. 1608, a location privacy companion to H.B. 2268. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Locational Privacy. (May. 29, 2013)
On April 20, 2011, two data scientists, Alasdair Allan and Pete Warden, conducted a discussion at Where 2.0, an annual conference on location-aware technology and business. Allan and Warden announced that they had discovered that the Apple iPhone and the Apple 3G iPad were regularly recording the devices' locations into a hidden file, explaining how they made the discovery, what they thought the collection implied, and how users would be able to view their own data.
Following the announcement, several journalists and researchers delved further into an issue, and much speculation occurred about if the data was being transmitted to Apple and if the tracking was exclusive to the iPhone / iPad, or if it also was occurring on other smartphones, including android-based hardware.
Apple has made many statements in support of locational privacy in the past. With the release of OS4, on April 8, 2010, Scott Forstall, the Senior Vice President for iPhone Software, stated: "For all these location things, we take privacy very, very seriously. Ever since we added the first API's for location, we would put up a panel whenever an application wanted to use your location - and the user would have to approve this. We're taking privacy several steps further - in iPhone OS 4." In clarification, Forstall explained exactly what steps would be taken to protect location privacy:
- "First, we're adding an indicator right on the status bar to let you know if any application is asking for your location. Be it a foreground application or one of the background applications - so you could know if something is tracking your location."
- "Next - we're adding fine grain settings - so you could see all of the application that would like to use your location and the user can enable or disable location, per application."
- "And on top of all of this, if any application has asked for your location in the last 24 hours, we'll add an indicator right next to that app - so you could know that it's asked for your location."
- "So we're being completely transparent on the usage of location and we're letting user set, on an app-by-app basis, the ability for apps to use location."
In April 2010, Apple changed its Privacy Policies regarding locational data. At the time, Representative Edward Markey (D-Mass) and Representative Joe Barton (R-TX), sent a letter to Apple's Steve Jobs asking for an explanation for the change in policy and how the changes would effect compliance with the Telecommunications Act (47 U.S.C. § 222). In a lengthy response, Apple explained that the change was meant to address Apple's location-based services. Apple assured that customer's location-based GPS information that Apple collected from mobile devices would be "stored in a database accessible only by Apple."
- "[Apple] may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising."
- "To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services."
On April 21, 2011, Representative Edward J. Markey (D-Mass), sent a letter to Steve Jobs, the CEO of Apple, Inc. Rep. Markey voiced concern for the "consequences of this feature for individuals' privacy," and proposed the following questions:
- Is it accurate that Apple iPhone keeps track of where iPhone users go, saving this information to a file on the device that is then copied to the owner's computer when the two are synchronized?
- Did Apple intentionally develop this functionality in order to log the locations of users?
- How does Apple collect this customer location information?
- Does Apple use this information for any purpose?
- Has Apple used this location information for any commercial purpose?
- Is it possible for customers to disable this feature?
- Given the widespread usage of iPhones and iPads by individuals under the age of 18, is Apple concerned that the wide array of precise location data logged by these devices can be used to track minors, exposing them to potential harm?
In a similar letter, sent on April 21, 2011, from Senator Franken (D-Minn), the following questions were proposed:
- Why does Apple collect and compile this location data? Why did Apple choose to initiate tracking this data in its iOS 4 operating system?
- Does Apple collect and compile this location data for laptops?
- How is this data generated? (GPS, cell tower triangulation, WiFi triangulation, etc.)
- How frequently is a user's location recorded? What triggers the creation of a record of someone's location?
- How precise is this location data? Can it track a user's location to 50 meters, 100 meter, etc.?
- Why is this data not encrypted? What steps will Apple take to encrypt this data?
- Why were Apple consumers never affiamtely informed of the collection and retention of their location data in this manner? Why did Apple not seek affirmative consent before doing so?
- To whom, if anyone, including Apple, has this data been disclosed. When and why were these disclosures made?
Sen. Franken stated that, "The existence of this information stored in an unencrypted format-raises serious privacy concerns."
On April 20, 2011 Representative Jay Inslee (D-WA) issued an official statement on the issue, indicating that he would press the company for answers and noting that "current law fails to ensure consumers are protected from privacy violations." On April 22, 2011, Rep. Inslee wrote to Chairman Leibowitz, chairman of the Federal Trade Commission, calling for the Commission's "prompt attention to this important matter."
As of April 22, 2011, the Italian Data Protection Authority has opened an investigation into the matter. In addition, the Bavarian Agency for the Supervision of Data Protection (Germany) and the French Data Protection Authority had stated an intent to look deeper into the matter. On April 26, 2011, South Korea's Communications Commission also questioned Apple about location data stored on iPhone and iPad devices.
On April 22, 2011, two individuals filed a class action lawsuit against Apple in the Middle District of Florida. Allegations include violations of the Computer Fraud and Abuse Act, Fraud, Misrepresentation, and several state claims, among others.
On April 25, 2011, the Illinois Attorney General asked for a meeting with Apple to discuss privacy concerns on mobile devices.
Apple finally responded to the allegations on April 27, 2011 in a carefully worded press release. Responding to pressure from privacy groups, Apple announced three changes to iOS4:
- Locational data storage will be limited to one week
- Locational data will no longer be transferred to a user's computer
- Users will be able to delete all locational data collection on the device
- All locational data stored on a the device will be encrypted
- EPIC: Locational Privacy, available at http://epic.org/privacy/location_privacy/default.html
- Got an iPhone or 3G iPad? Apple is recording your moves (Report from Alasdair Allan and Pete Warden), available at http://radar.oreilly.com/2011/04/apple-location-tracking.html (April 20, 2011)
- Apple: Apple Q&A on Location Data, available at http://www.apple.com/pr/library/2011/04/27location_qa.html (April 27, 2011)
- U.S. Patent & Trademark Office: Location Histories for Location Aware Devices (Filed by Apple, Inc., September 3, 2009), available at http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=134&f=G&l=50&d=PG01&s1=apple.AS.&p=3&OS=AN%2Fapple&RS=AN%2Fapple
- Letter to Apple from Sen. Franken, available at http://www.franken.senate.gov/files/letter/110420_Apple_Letter.pdf (April 21, 2011)
- Letter to Apple from Rep. Markey, available at http://markey.house.gov/docs/apple_ios_letter_04.21.11.pdf (April 21, 2011)
- Letter to Apple from Rep. Markey and Rep. Barton, available at http://markey.house.gov/docs/markeybartonapple.pdf (June 24, 2010)
- Letter to Rep. Markey and Rep. Barton from Apple, available at http://markey.house.gov/docs/applemarkeybarton7-12-10.pdf (July 12, 2010)
- Letter from Rep. Inslee to the Federal Trade Commission, available at http://epic.org/privacy/location_privacy/Rep_Inslee_FTC_Apple_Letter.pdf (April 22, 2011)
- TRUSTe: Program Requirements, available at http://www.truste.com/privacy-program-requirements/index.html
- Where 2.0 Conference, available at http://where2conf.com/where2011/
- United States Telecommunications Act, 47 U.S.C. § 222, available at http://www.law.cornell.edu/uscode/uscode47/usc_sec_47_00000222----000-.html
- Illinois Attorney General Press Release, "Attorney General Madigan Calls on Apple, Google to Address Mobile Device Privacy Concerns," available at http://illinoisattorneygeneral.gov/pressroom/2011_04/20110425.html
- Rep. Inslee Press Release, "Hidden Location Tracking Raises Concerns," available at http://epic.org/privacy/location_privacy/Rep_Inslee_iPhone_Release.pdf (April 20, 2011)
- Ajjampur v. Apple, Inc., Class Action Complaint, available at http://epic.org/privacy/location_privacy/iphone_classact-comp.pdf
- New York Times: Jobs Says Apple Made Mistakes with iPhone Data, available at http://www.nytimes.com/2011/04/28/technology/28apple.html?_r=1 (April 27, 2011)
- Kashmir Hill, Forbes: Apple Filed a Patent Application in 2009 for What It's Now Calling a 'Bug,' available at http://blogs.forbes.com/kashmirhill/2011/04/27/apple-filed-a-patent-application-in-2009-for-what-its-now-calling-a-bug/ (April 27, 2011)
- CSPAN, Washington Journal: Cell Phone Tracking and Privacy Issues (video), available at http://www.c-spanvideo.org/program/PhoneT (April 26, 2011)
- The Mac Observer: iPhone Location Tracking Leads to Privacy Lawsuit, available at http://www.macobserver.com/tmo/article/iphone_location_tracking_leads_to_privacy_lawsuit/ (April 26, 2011)
- Ars Technica: South Korea, Europe Start iPhone Tracking Investigations, available at http://arstechnica.com/apple/news/2011/04/south-korea-europe-start-iphone-location-tracking-investigations.ars (April 26, 2011)
- Bloomberg: Wired's Chen on Apple IPhone Privacy Issues (video), available at http://www.bloomberg.com/video/69007174/ (April 25, 2011)
- Chicago Sun-Times: iPhone, iPad Tracking Data Easily Accessible, available at http://www.suntimes.com/technology/4949980-478/iphone-ipad-tracking-data-easily-accessible.html (April 22, 2011)
- CNET: How Police Have Obtained iPhone, iPad Tracking Logs, available at http://news.cnet.com/8301-31921_3-20056344-281.html (April 21, 2011)
- New York Times: Inquiries Grow Over Apple's Data Collection Practices, available at http://www.nytimes.com/2011/04/22/technology/22data.html?_r=1&partner=rss&emc=rss (April 21, 2011)
- USA Today: Lawmakers Ask Apple to Explain iPhone's Tracking Function, available at http://content.usatoday.com/communities/ondeadline/post/2011/04/congress-wants-apple-to-explain-iphones-tracking-function/1 (April 21, 2011)
- The Guardian: iPhone Keeps Recrod of Everywhere You Go, available at http://www.guardian.co.uk/technology/2011/apr/20/iphone-tracking-prompts-privacy-fears (April 21, 2011)
- CNET: Lawmakers Demand Answers From Apple on iPhone Tracking, available at http://news.cnet.com/8301-30686_3-20056235-266.html (April 21, 2011)
- ABC News: Sen. Al Franken Questions Apple Over iPhone Tracking, available at http://abcnews.go.com/Technology/apple-pushed-congress-answers-iphone-tracking/story?id=13426917 (April 21, 2011)
- PCWorld: Apple's iOS Location-Tracking Headaches: 5 Questions, available at http://www.pcworld.com/article/226005/apples_ios_locationtracking_headaches_5_questions.html (April 21, 2011)
- New York Times: Tracking File Found in iPhones, available at http://www.nytimes.com/2011/04/21/business/21data.html (April 20, 2011)
- Daily Tech: Apple is Tracking iPhone, iPad Users' Location; Easily Mapped with OS X App, available at http://www.dailytech.com/Apple+is+Tracking+its+iPhone+iPad+Users+Every+Move/article21429.htm (April 20, 2011)
- Los Angeles Times: Apple collecting, sharing iPhone users' precise locations [Updated], available at http://latimesblogs.latimes.com/technology/2010/06/apple-location-privacy-iphone-ipad.html (June 21, 2010)
- PC World: Apple Location Data Collection Policies: What You Need to Know, available at http://www.pcworld.com/article/201486/apple_location_data_collection_policies_what_you_need_to_know.html?tk=rel_news (June 20, 2010)
- Apple Insider: Jobs: iPhone ad SDK Changes for User Privacy, Not Anti-Competitive, available at http://www.patentlyapple.com/patently-apple/2010/04/apples-iphone-os-4-will-provide-background-location-security.html (April 10, 2010)
- Engadget: Live from Apple's iPhone OS 4 event!, available at http://www.engadget.com/2010/04/08/live-from-apples-iphone-os-4-event/ (April 8, 2010)
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a by-monthly newsletter highlighting emerging privacy issues.