Get an open source OS and fix it quicker.
You would, of course, have a plausible suggestion as to how this would make a difference? The one open source phone os I can think of that is actually used is Android, and even if you knew how to change the code to prevent this in Android, you would have to:
1. Download the source, fix it, and rebuild it for your exact device. This entails installing all of the cross-compilation tools that are needed, as well as carefully considering whether your phone might be using proprietary drivers that you would lose. If so, you will have to live with whatever limitations that might be.
2. Flash the re-built Android on to your phone. The last time I heard, most phone manufacturers didn't exactly make this easy save for HTC. We'll see what happens with Sony/Ericsson.
3. Continue to roll your own updates from that point on.
From the end-user's perspective, this wouldn't help. They don't know what source code is, they don't know how to rebuild it let alone change it, and they won't want to roll their own updates. So, in practice, they can wait for Apple to fix it, wait for Google to fix it, or wait for their phone manufacturer to fix it. Either way, for most, it involves waiting and open source doesn't even enter into the picture. Before we start shouting open source at the top of our lungs, we need to consider whether it would make a difference to the people to whom we're preaching. Open source is not the cure-all, despite what some here seem to believe.
Edited 2011-04-21 23:49 UTC
Is Android open in your opinion (serious question, opinions seem to vary on that)? It does exactly the same thing, only difference it is implemented sanely - it is limited to 50 fixes.
https://github.com/packetlss/android-locdump
It does not get wiped nor does it expire though (it will prune the data during updates, but not when nothing is happening), so you can use it to figure out the last 50 towers a phone contacted... Even if the phone has been off for an extended period of time.
My point is only that keeping track of stuff like this for the purposes of faster location fixing is not inherently evil - there is a valid reason to do it. It's just in Apple's case they either have a bug (it should be clearing out old data but it isn't) or they are doing it on purpose. Their eventual solution to the problem will make it clear which one it is.
Hanlon's Razor - "Never attribute to malice that which is adequately explained by stupidity"
Edited 2011-04-22 00:32 UTC
https://github.com/packetlss/android-locdump
Not only sanely, but as secure as possible. You need a rooted device to get to the data. I hope that iOS has some protection against leaking that data.
Yes, because Android phones are generally not rooted the day of release and pretty much sold with that notion ("their openness") as a feature, or whatever.
I can't really think of a genuine reason why this geolocation data is useful as a local cache. Ever. Can one of you fanboi apologists for Google/Apple please provide a use case where it makes sense to keep track of previous locations at an OS level?
I could see where some applications might make use of last known locations for ease-of-use features but I'm pretty sure App Store and Android marketplaces would reject out of hand any app that stored this information without first securing the user's permission.
It can take a few seconds to get a gps fix... Until you do get a fix, you have no idea where you are, so any mapping app has to wait idly until the fix is done. Having coordinates of cell towers you recently communicated with lets you get an approximate fix instantly. This can dramatically improve the user experience, because you can instantly set an appropriate zoom level and center the map on the approximate location while waiting for a more accurate gps fix.
The point is gps is not instant - there is latency involved. There is also latency with the mapping API itself (downloading map tiles and such). This lets you hide both latencies.
Also, gps is not always available - especially when indoors. This offers a fallback. Not as accurate, but better than nothing.
You can't get tower location info on demand... You get it when it happens (when the cellular radio picks one up or switches between them). Therefore to actually use the information for this type of purpose you have to log it.
Btw, the geolocation APIs in both iOS and Android do all of this stuff for you - it's built into them. Hence why the OS itself does the logging. Apps do not ever read these logs directly, the APIs used to get position fixes do that for you (without telling you how the information was derived, it just returns coordinates and an accuracy indicator).
That explain it well enough?
Edited 2011-04-23 05:02 UTC
Nope. That explains the need to require the last known location. Not the last 100, 1000 etc, and again that would be an application use case not an OS one.
You are obviously without a clue how AGPS works on the CDMA/GSM networks. Go troll somewhere else.
Ask for a fanboi response, get one I suppose.
you need root to get to it on iOS as well... It's the whole backed-up-copy-on-the-computer that everyone is going gaga over. Android doesn't seem to have that particular issue.
Vanilla Android has the exact same issue. And just to be clear, iOS 3.x+ and Android since I dunno 1.6 are transmitting your location to their servers. Not just storing them in the filesystem. iOS does it about once every 24 hours. Android is more frequent.
They are using their customer's location in order to put Skyhook out of business by mapping the MAC addresses of open wifi points around the world. Typical Google/Apple business practices at work. Enter some vertical market and destroy any value in it all to provide "better" ad networks in the future.
The justification remains burying a sentence or two in a EULA to justify user acceptance of the program.
The number one issue here imo is that Apple is choosing to include this file in their phone backups - something that is inherently transient data and is not required nor even particularly useful in the event of a restore. It's more or less a cache to make position locking faster (at least that seems to be the only logical use for it) - there is no reason to back it up. It also does not need to be a full history, how much to truncate may be arbitrary (depends on how much data you need to compute a fix), but you certainly don't need data going back to June of last year... For that I say shame on them.
On the other hand, this is blown WAY out of proportion in most of the media and most have published things as facts which are simply wrong, most of which Thom outlined, but here are a few more:
1. On the phone device itself, the file is only accessible by root. That means non-system processes cannot read it on a normal device (jailbroken or otherwise compromised devices notwithstanding). In this regard it is in fact MORE secure than any such cache would be if an application were to do some form of transient caching of user location, and I don't think anyone would argue that such caching, if done in a reasonable manner, would be in any way "evil".
2. In backups, if the user chooses to encrypt their backups, the file is again not readable by other processes. However, I agree that this is not an excuse and does not mitigate the problem in any meaningful way. It simply shouldn't be there in the first place because it does not represent state data that is useful to retain between device reboots (and a restore is by definition a device reboot).
To put it simply, in my opinion if Apple did the following the issue would be completely defused:
1. Only store the last few cell locations however much is required and no more. The data is not useful beyond that if they are using it for what is being claimed (speeding up location fixing).
2. Don't back it up at all - it is transient after all.
3. Wipe file and start from scratch on device restarts - not that this adds much from a security point of view, but it would make it obvious that their intention is that this data be treated as a transient cache.
What bugs me about Apple is they don't respond to these kinds of things in a timely manner... They do not need to fix it today, but a simple explanation of what the file is used for (an authoritative explanation, not guess work) and a simple "oops, our bad - we will fix that in the next release" would go a long way imo.
Silence just makes people question their motives, and prolonged silence makes people REALLY question their motives - silly mistake or not.
IF the motive is, as some people might deduce if they assume Apple has nefarious intent, that the phone is keeping such a log for possible use by police/government agencies/whoever in the event that they want to extract such information from "procured" devices...
Well I'll give them the benefit of the doubt for now and assuming they fix this promptly the issue should die. But the longer they wait the more the bees will buzz... If they end up "fixing" this by some means other than destroying the data they should be called out on it - at that point they deserve whatever bad press they get.
Edited 2011-04-21 22:53 UTC
The issue here is one of "informed consent," a basic legal principle in a free society.
Apple Inc. would have had no problem if they had merely made it clear to users they were doing this. Instead they offer an opaque "privacy policy" that masks what they're really up to.
I often see comments saying "if you have nothing to hide you have nothing to fear." But in this case it should be phrased as "if Apple had nothing to hide, they had nothing to fear" by making this tracking known to their customers.
I agree on principle... But if you are talking about the solution to this particular problem being informed consent I don't think that quite cuts it.
Apple in effect has software running at all times on your phone which is logging every cell tower you ever communicate with. And the log is kept for at least 10 months, probably longer.
Asking if it is ok to do so is nice and all, but my question would be if that is really what they want to do, wtf is it for?
I'm willing to accept that this is all simply a mistake and their intent is not to do such long term logging. But if that is their intent, they better have a damn good explanation for what they need it for. Simply asking permission before recording a permanent history of my whereabouts in such a manner does not quite do it for me...
http://www.itnews.com.au/News/255262,apple-users-consented-to-spyin...
In fact they actually get permission to collect it, even though in this case they don't it would seem.
Just more headline grabbing...
Cop-out, and you know it. Location data from GPS: ask permission on the device. Location data from cell towers: get permission buried deep in a text no one reads, a text of questionable legality in many European countries?
The discrepancy here is clear to anyone who isn't stuck deep up the RDF's ass. Expecting people to know the difference between the two techniques - or even that different techniques exist in the first place - is idiotic.
Edited 2011-04-22 00:49 UTC
I'm with you on the issue of burying the request for permission in walls of boring and hardly read text: It's despicable.
As for the law enforcement impact of this (nudge nudge), well our guys here in the US still have to get a warrant to search the phone's contents if you don't give them permission to, at least at the level of internal log files and such (there is a gray area regarding what is seen on the screen during a stop-and-frisk). Granted, I'm just a peon so take my word for what it's worth, but this has been the S.O.P. at both agencies I've worked at: One warrant to physically seize the device, and another to search its contents. It's a CYA move so the evidence isn't successfully challenged.
All that said, I can readily see three types of cases where such location data would be worth pursuing, and one isn't even criminal. First is a murder case where the suspect's phone would give clues to the path he took leading up to, during and after the murder. Another would be a drug enforcement investigation, where an accused dealer's phone records could corroborate an undercover agent's movement and activity reports. And finally, in a divorce case where one spouse wants to prove the other was unfaithful. I'm sure there are many other creative ways law enforcement can use this info against suspects, and plaintiffs can use it against defendants in civil court.
I also read this morning in an article on this subject that a company in New York has already assisted police with mining this data from phones and backup files, and has been doing so for a little while.
I personally am not affected as I doubt I'll own an iDevice in the foreseeable future; I loathe both Verizon and AT&T, and have no need or desire for an iPad, 3G or no. However, I am mildly alarmed at the implications, and I wonder how long it will take Apple to fix this issue.
"The California Supreme Court allowed police Monday to search arrestees' cell phones without a warrant, saying defendants lose their privacy rights for any items they're carrying when taken into custody.
Under U.S. Supreme Court precedents, "this loss of privacy allows police not only to seize anything of importance they find on the arrestee's body ... but also to open and examine what they find," the state court said in a 5-2 ruling."
source: http://bit.ly/dWqwni
"Alarmingly, in many cases, extracting data from a mobile device is possible even if the device password is not known. Such extraction techniques take advantage of widely known vulnerabilities that make it disturbingly simple to access data stored on a smartphone by merely plugging the device into a computer and running specialized forensics software. For instance, Android and iPhone devices are vulnerable to a range of exploits, some of which Ars documented in 2009."
source: http://bit.ly/eXxS6y (page2)
The Michigan State Police have also been accused of using devices at roadside checkpoints to download people's cell phone data:
http://abcnews.go.com/Technology/michigan-police-cellphone-data-ext...
In fact they actually get permission to collect it, even though in this case they don't it would seem.
"Interesting" position for you to take, given all of your past whining about how Android is insecure because there's no draconian app store approval process restricting what software can be installed on it.
From a comment you posted back in March:
So let's re-cap. A mobile device that puts you at risk of extra data charges due to your children's use? UNACCEPTABLE!!! But a device that tracks & records all of their movements by GPS and potentially makes that information available to third parties? Meh, that's okay, as long as it's mentioned somewhere in the 8,000 words of legalese that you "I Agree'd" to without reading.
Damn! Where do I nominate you for Parent Of The Year?
Yet we all know you'd be practically soiling yourself in delight if this story were about Android, you've already done so in the past (over significantly less-serious issues):
...how dangerous it is to allow unchecked applications onto a device that has constant and unrestricted access to global data networks. ( http://www.osnews.com/thread?468601 )
Could your fanboyism be *any* more transparent?
No they ask your network provider with a court order. And they get your location data based on the cell tower triangulation every 5 minutes for your phone.
Of course if you live in California (I think it was California, the video says which state), they don't need a court order. They just take your smartphone and investigate it. They have a law for that.
But location based information is one thing, how about all the data the apps have on you and where do they store/transmit this information?:
http://www.youtube.com/watch?v=diAMOkGr1JY
Also, this was discovered months ago and Apple has been doing this in pre 4.0 versions of iOS: https://alexlevinson.wordpress.com/2011/04/21/3-major-issues-with-th...
For a proper analysis, without media sensationalism, please read:
http://www.reddit.com/r/geek/comments/gumri/your_iphone_is_keeping_...
and
http://news.ycombinator.com/item?id=2466445
What about this excerpt from the wsjournal article about Google/Android ?:
'Google previously has said that the Wi-Fi data it collects is anonymous and that it deletes the start and end points of every trip that it uses in its traffic maps. However, the data, provided to the Journal exclusively by Mr. Kamkar, contained a unique identifier tied to an individual's phone.
Mr. Kamkar, 25 years old, has a controversial past. In 2005, when he was 19, he created a computer worm that caused MySpace to crash. He pled guilty to a felony charge of computer hacking in Los Angeles Superior Court, and agreed to not use a computer for three years. Since 2008, he has been doing independent computer security research and consulting. Last year, he developed the "evercookie"—a type of tracking file that is difficult to be removed from computers—as a way to highlight the privacy vulnerabilities in Web-browsing software.
The Journal hired an independent consultant, Ashkan Soltani, to review Mr. Kamkar's findings regarding the Android device and its use of location data. Mr. Soltani confirmed Mr. Kamkar's conclusions.
Transmission of location data raises questions about who has access to what could be sensitive information about location and movement of a phone user.'
http://online.wsj.com/article/SB10001424052748703983704576277101723...
Everyone's talking about location data but it's also logging ACCESS POINTS: the MAC address of the access point, timestamp of detection, coordinates including height accuracy, speed
See table WiFiLocation
CREATE TABLE WifiLocation (MAC TEXT, Timestamp FLOAT, Latitude FLOAT, Longitude FLOAT, HorizontalAccuracy FLOAT, Altitude FLOAT, VerticalAccuracy FLOAT, Speed FLOAT, Course FLOAT, Confidence INTEGER, PRIMARY KEY (MAC));
But google gets nailed for doing almost the same thing???
makes no sense!!
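Added example, not part of any comment in this thread and not Apple's or Google's code: a bounded location cache of the kind proposed earlier in the thread (keep only recent fixes, as with Android's 50-entry limit), applied to the WifiLocation schema quoted above. The sample rows, the 7-day and 50-row limits, and the reading of Timestamp as seconds are assumptions made for illustration.

```python
import sqlite3

# Schema exactly as quoted in the thread.
SCHEMA = (
    "CREATE TABLE WifiLocation (MAC TEXT, Timestamp FLOAT, Latitude FLOAT, "
    "Longitude FLOAT, HorizontalAccuracy FLOAT, Altitude FLOAT, "
    "VerticalAccuracy FLOAT, Speed FLOAT, Course FLOAT, Confidence INTEGER, "
    "PRIMARY KEY (MAC));"
)
DAY = 86400.0  # assumption: Timestamp is expressed in seconds


def build_sample_cache():
    """Constructed data: 200 access points, one logged every 1.5 days."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    rows = []
    for i in range(200):
        mac = "02:00:00:00:%02x:%02x" % (i // 256, i % 256)  # made-up MACs
        rows.append((mac, i * 1.5 * DAY, 0.0, 0.0, 50.0, 0.0, 0.0, -1.0, -1.0, 60))
    with db:
        db.executemany(
            "INSERT INTO WifiLocation VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    return db


def audit(db):
    """Report how many fixes are cached and how much history they span."""
    n, oldest, newest = db.execute(
        "SELECT COUNT(*), MIN(Timestamp), MAX(Timestamp) FROM WifiLocation"
    ).fetchone()
    span_days = 0.0 if n == 0 else (newest - oldest) / DAY
    return {"rows": n, "span_days": span_days}


def enforce_retention(db, now, max_rows=50, max_age_days=7.0):
    """Drop fixes older than max_age_days, then keep only the newest max_rows.

    Returns the number of rows removed.
    """
    # Without this, SQLite leaves deleted rows recoverable in free pages.
    db.execute("PRAGMA secure_delete = ON")
    cutoff = now - max_age_days * DAY
    with db:  # one transaction for both deletes
        aged = db.execute(
            "DELETE FROM WifiLocation WHERE Timestamp < ?", (cutoff,)
        ).rowcount
        excess = db.execute(
            "DELETE FROM WifiLocation WHERE MAC NOT IN "
            "(SELECT MAC FROM WifiLocation ORDER BY Timestamp DESC LIMIT ?)",
            (max_rows,),
        ).rowcount
    return aged + excess


def wipe(db):
    """Treat the table as a transient cache: clear it, e.g. on device restart."""
    db.execute("PRAGMA secure_delete = ON")
    with db:
        return db.execute("DELETE FROM WifiLocation").rowcount


if __name__ == "__main__":
    cache = build_sample_cache()
    newest = 199 * 1.5 * DAY
    print("before:", audit(cache))
    print("removed:", enforce_retention(cache, now=newest))
    print("after:", audit(cache))
```

Running the audit before and after shows the difference the thread is arguing about: the same table either spans most of a year or a few days, depending only on whether a retention rule is applied.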
Any Apple iPhone user or Android OS user who DIDN'T think Apple and Google respectively was collecting loads of data from their phones is delusional. As I've always said: "Security is merely an illusion." While GPS and Internet connectivity are common in myriad devices, the manufacturers are banking on the data they can collect. Get used to it. Anyone who expects privacy would be advised to ditch their smartphone and stay off the Net.
...But it's Not Sent to Apple
That's like saying "some guys just took your wife, but don't worry, they're not fucking her". Pheww thank god for that, now I wonder what's on TV....
Why is this functionality present in the phone? Undoubtedly Apple's excuse will be that it's a "bug". This will keep the tech-ignorant mainstream media happy like when Google used that excuse when caught stealing people's private wifi information.
But are the tech watching sites going to give apple a free ride on this? No doubt the shills are being mobilized and briefed by Apple PR to start the disinformation campaign. The usual excuse-making cheer-leading whores who sold out years ago: mossberg, ihnatko, pogue etc.
It is being sent to Apple. Every 24 hours a list is submitted off the phone to Apple servers since iOS 3.2. Android does it every few minutes since I think 1.6. Google servers appear to me to be receiving the 50 most recently connected cellsites and the MACs of the last few hundred broadcasted wifi SSID. Dunno about Apple, but the list in consolidated.db seems to be retaining a year's worth.
They are using your hardware and your movements as the largest dynamic, for-profit illicit sensor network in history and both are using a 2 line sentence buried in a EULA to say they have user assent. The extent to which either Google or Apple are anonymising the data collected upstream is not known to me.
This is not a new effort for Google, they tried it earlier with their Google Street View fleet of vehicles. As they went out snapping images they also were intruding into any available wifi network and recording signal strength as they passed by in order to attempt "wifi triangulation". As interesting as it is unethical. They are trying to create landmarking indexes in order to sell or give it away as a service on their respective platforms for "located" directed advertising. Google earlier blamed an errant unnamed engineer and the investigation didn't even levy a single penalty (lol). Now I'm guessing they believe they are covered by some EULA so won't have to come up with a fall guy this time around.
Why is this being so misunderstood? Is it because a few fanboi "tech sites" that have no engineers on staff say it isn't?
Why do you think Apple has not said one word in response about this? I'm guessing because the lawyers know they are in a bad, bad place and especially in Europe where privacy laws are actually enforced. Al Franken will hopefully put Jobs or Cook in front of a committee panel with subpoena power and ask him directly but I doubt anything more than the letter already sent will happen. I think in Europe the real issue will be whether or not Apple has transferred or sold the data collected to another corporate entity in violation of consumer rights.
Borderline absurd. What's it going to take? Packet captures that fanboi journalists can't understand anyway? Even days after it has been shown to be the case the headline for this dedicated os news site still says, "not being sent to Apple". Tech journalism is absurdly bad anymore. Seems pretty much limited to rewording press releases and covering paper launches of products with lip gloss "reviews".
It is not without humor that what appears to have most (probably male) iOS users concerned is not the loss of privacy without compensation to corporate interests but the fact that a divorce lawyer with a subpoena could get the information rather easily, let alone a tech-savvy spouse/partner since the file resides on a probably shared, easily accessible filesystem.
Apparently you can not turn off tracking without a specific hack app for that -- see http://technolog.msnbc.msn.com/_news/2011/04/25/6524572-iphone-trac...
Apple Inc continues its silence on the topic. Not helping their reputation, in the view of many. Either they're maintaining silence due to the threat of lawsuits or they have no valid explanation.
1. Both iOS and Android store location data derived from cell triangulation, cell positioning and other data, and wifi network data. Android stores a much shorter history, Apple a much longer (maybe non-expiring) one.
2. Both iOS and Android receive consent in their EULAs to store this data. (Not making a value judgment on this; just observing it.)
3. They also receive consent to periodically upload that data if you consent to activate their location services. Google transmits it with device identification (not "personal") and fairly frequently (they also purport to do various "anonymizations" to the data); Apple transmits it without device or personal identification at 12 or 24 hour intervals (This is where "we do not track" comes into play).
4. This is done under the guise of improving performance (which it does); it effectively eliminates Skyworks and provides both platform providers very valuable databases.
5. It's also done for ad targeting (not necessarily this data set, but transmission of location data, generally). The various consents (defaults, how/when it is required, if it is being respected properly) are greatly variable, but for the most part is off by default and requires opt-in on both platforms.
5. This has been happening progressively for nearly 2 years. Both Apple and Google provided this information to Congress. Developers have been clamoring for the APIs, got them, have been using them... Consumers have been consenting to app installs that ask for location access. Critics lambasted Apple for attempting to strong arm all third-party ad networks and the competition off of iOS, etc...
6. Apple is probably confused by the response: I think it's sloppy and needs changes, but I like Apple's take on location as much as anyone else's. I hope they do continue to provide a user accessible cache of the location data, actually make it more viewable while at the same time more secure, and of course make sure you can set how much history is stored and allow you to manually delete/reset the cache.
7. I'm far less concerned with Apple's maliciousness, or Congressmen unable to ask if data is stored locally than I am judiciaries permitting my personal information to easily be used against me (not that I'm a criminal).
I would also add:
Apple ultimately comes out of this stronger, better. They are already in a position where their data-collection techniques (off of the owners' devices) are more stringent than other platforms, ad networks, and app developers... and enforce even stricter enforcement of ad networks and developers on their platform.
Even on the device side, they probably want to argue that accessing the data violates the EULA (most certainly), violates the privacy of the user legally in a way that precedes weak technological protection, and possibly violates the DMCA which they could enforce on behalf of their users. (Again, no value judgment; just an observation.)
So they get forced to testify a few times, maybe some fines in some more surly countries, and make a few modifications to something that was done in haste without much thought. And then in a few months, they can point to someone doing far worse for sleazy purposes, rather than just sloppily or stupidly, and say they care about you.
A week of silence is nothing. Apple can be quiet until WWDC if they can at least announce changes then.
Edited 2011-04-26 00:33 UTC




