A week ago security researchers claimed they had found a hidden file on Apple’s iPhones and 3G iPads containing a record of everywhere the users had been. Some users were able to extract the data and plot it on maps.
In an online question-and-answer document, Apple denied that device owners’ movements had been secretly recorded.
The document said: “The iPhone is not logging your location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested.”
Concerning the fact that some users discovered that data going back months and even years is being stored, Apple said: “It shouldn’t. This is a bug, which we plan to fix shortly.”
According to Ian Fogg, principal analyst at Forrester Research, the company is being uncharacteristically open about the functioning of its devices: “I do not think that the other [makers of mobile operating systems] have been as black and white about what they are doing with location data.”
But even though he believes Apple is trying to do the right thing, Mr Fogg said the company may have inadvertently created a security risk, because storing the location data file on users’ computers in an unencrypted form made it vulnerable to hackers.
He added that owners of Apple devices should go into their iTunes settings and select the option to encrypt their backups.
But not everyone was convinced by Apple’s explanation. For example, it was judged “not plausible” by Ross Anderson, professor of security engineering at Cambridge University.
“The researchers’ report clearly shows that the phone was recording a location trace of its user,” he said.
“I’ll assume that their claim of a programming error may be an attempt to diminish culpability, and thus the fine they have to pay, in the event that they get prosecuted, whether by the FTC [Federal Trade Commission] in the USA or by one or more data protection authorities in Europe.”