The country has been abuzz (or perhaps a twitter) with the story that broke a couple of days ago about a location tracking file that is stored on Apple iPhones and iPads. The file keeps a record – albeit an incomplete one – of where you have been. And for each place stored, the file also contains a "timestamp" indicating the most recent time when you were there. If you carry your iPhone to a new city, for example, it will store a pretty complete record of where you go in the city. The file can have location information covering at least a year of time, and it is backed up to your home computer's hard drive so that it will remain on your iPhone even if you buy a new iPhone as an upgrade. To many, this sounds spooky, even though the file itself normally never leaves your devices.
Apple has yet to make an official statement about why the file is being kept, but a range of theories have been posted in the last couple of days. The one that strikes me as the most plausible – a battery saving feature – is made by security and privacy researcher Christopher Soghoian in the introduction of this blog post, tucked into a parenthetical phrase:
The motivation for this data collection appears to be in order to create a large database of WiFi access points and their associated location, which can then be used by mobile devices to determine the user's approximate location information (doing so via WiFi uses far less battery power than using the GPS chip).
This explanation makes sense to me, and is consistent with the data that you see in the file itself. At the end of the day, I don't believe there is any sinister motive for the file. But whatever the engineering explanation for this, and no matter how well intentioned Apple was in creating the file and storing it on your iPhone (and your PC), this episode still highlights some serious privacy concerns – concerns that we hope will lead Apple and other Internet companies to make some changes to their technology development process.
To understand why this file exists, you need to understand how Apple iPhones (as well as smartphones running Google's Android operating system) figure out their own location. The phones have a GPS chip that can provide precise location info, but GPS is slow, it eats up battery life, and it does not work indoors. So instead of relying on GPS all the time for all functions requiring location, the phone will typically do a quick look to see (a) which cell phone towers it can communicate with, and (b) which WiFi access points it can "see." The phone then sends the identifiers for those towers and access points over the Internet to an Apple database to learn where those cell towers and WiFi devices are located. The database (Apple has one, as does Google, as well as a company named Skyhook that provides services to Apple and others) sends latitude and longitude coordinates for the towers or access points back to the phone. Once armed with this information, the phone is able to tell the user where they are.
To make this location determination faster – and to reduce the battery drain from having to send queries over the Internet – Apple designed the iPhone to store a record of the cell tower/location pairs (and the WiFi/location pairs) in a local file on the iPhone. So the next time that the iPhone "sees" a particular cell tower, it can look in the local file for the tower's location (rather than having to send an Internet query to re-ask for that information). As published reports suggest, this reduces battery drain (although it remains to be seen how much battery life it saves).
'Privacy By Design' Needed
So the creation of such a file appears benign in its intent. But even so, that is just the beginning of the privacy analysis because elements of the file and the way it is processed seem to provide a textbook example of how to violate the principles of "Privacy by Design."
The theory of Privacy by Design is straightforward: when developing a new technology, feature or database, you should build in privacy from the very beginning of the design process. Privacy by Design offers a roadmap to integrate privacy principles into business models, product development cycle, and new technologies. Championed by Ontario's Information and Privacy Commissioner Anne Cavoukian, Privacy by Design guides innovation in a manner that is consistent with Fair Information Practices (FIPs), the globally accepted framework of privacy principles.
It probably is true that the location file is intended to benefit users by reducing battery drain. But had Apple been following the principles of Privacy by Design, I think it would have found a much more privacy-protecting way to build this benefit into iPhones. At a minimum, I think that Apple should have asked itself the following questions:
- Does Apple really need to keep a precise time record of when a user was in a given location? I can see how keeping the latitude/longitude coordinates of recent locations can save battery life, but I cannot see why that file must include a timestamp recording exactly when the user was previously at a given location. Even if a software designer might think that the timestamp is convenient to have, it certainly is not essential to the goal of saving battery life or making location lookups faster.
- Does Apple really need to store the location information for a year or more? My guess is that storing locations for a much shorter period of time would in most cases provide most of the battery life benefit, while being much more privacy protective.
- If Apple is going to have this highly sensitive file in the first place, what possible reason could there be to store the file in plain text on the user's home computer through the iTunes backup system? It would seem that a file of this kind should be encrypted if it is ever copied off of the iPhone itself.
- And finally, Privacy by Design also extends to the policies a company adopts with respect to new technologies. Location is particularly sensitive, and this location history file is something that Apple should have specifically informed its users about, and given them a choice to decide whether a small amount of extra battery life is worth the potential privacy problems. Moreover, the user should certainly have the option to clear out this location history, just like browser makers (including Apple) give users an easy way to clear out browsing history.
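As an added example that is not part of the original post (and not Apple's code), here is how the tower/access-point cache described above could still deliver the battery-saving lookup while answering the first two questions and the last one: it records no exact timestamp (only the day an entry was cached, coarse enough to expire it and never refreshed on a hit), keeps entries for a short configurable window, and offers a one-call clear. The class and function names, the seven-day window, the fake location database and the sample identifiers are all assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

DAY_SECONDS = 86_400
Coords = Tuple[float, float]


@dataclass
class CachedFix:
    lat: float
    lon: float
    day_cached: int  # whole days since the epoch: coarse on purpose, never refreshed on a hit


class LocationCache:
    """Tower/WiFi identifier -> coordinates, with short retention and no exact timestamps."""

    def __init__(self, retention_days: int = 7, clock: Callable[[], float] = time.time):
        self._entries: Dict[str, CachedFix] = {}
        self.retention_days = retention_days  # assumed window; the post argues only for "much shorter"
        self._clock = clock                   # injectable so tests can move time forward

    def _today(self) -> int:
        return int(self._clock() // DAY_SECONDS)

    def purge(self) -> int:
        """Drop entries older than the retention window; returns how many were removed."""
        cutoff = self._today() - self.retention_days
        stale = [k for k, f in self._entries.items() if f.day_cached < cutoff]
        for k in stale:
            del self._entries[k]
        return len(stale)

    def clear(self) -> None:
        """User-facing 'clear location history', like clearing browser history."""
        self._entries.clear()

    def resolve(self, seen: Iterable[str],
                ask_server: Callable[[List[str]], Dict[str, Coords]]) -> Dict[str, Coords]:
        """Coordinates for the identifiers in view; only cache misses go to the network."""
        self.purge()
        seen = list(seen)
        unknown = [i for i in seen if i not in self._entries]
        if unknown:  # the battery-saving step: one query, and only for what the cache lacks
            for ident, (lat, lon) in ask_server(unknown).items():
                self._entries[ident] = CachedFix(lat, lon, self._today())
        return {i: (self._entries[i].lat, self._entries[i].lon) for i in seen if i in self._entries}

    def __len__(self) -> int:
        return len(self._entries)


# Constructed sample identifiers and a stand-in for the tower/AP location database.
SAMPLE_SEEN = ["cell:310-410-1234", "wifi:aa:bb:cc:dd:ee:ff"]
FAKE_DB = {i: (37.33, -122.03) for i in SAMPLE_SEEN}


def demo() -> int:
    """Resolve the same towers/APs twice; returns how many network queries were needed."""
    queries: List[List[str]] = []

    def ask_server(ids: List[str]) -> Dict[str, Coords]:
        queries.append(ids)
        return {i: FAKE_DB[i] for i in ids if i in FAKE_DB}

    cache = LocationCache()
    cache.resolve(SAMPLE_SEEN, ask_server)
    cache.resolve(SAMPLE_SEEN, ask_server)
    return len(queries)  # 1: the second pass is served entirely from the cache
```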
The issues here are certainly not limited to Apple. Google's Android system also collects and stores location data in a similar way. But Android keeps the info for a much shorter period of time (as my second question above would suggest).
But the real problem is that most of the time technology designers simply don't recognize that privacy must be a foundational goal of any consumer product, especially one involving such sensitive information as location. Just as I am sure that Apple has told its engineers that extending battery life is a very important goal to pursue, it is critical that Apple also tell its engineers that respecting and protecting users' privacy is a very important goal to pursue, from day one of the design process.