Jerame Davis

This Is Nonsense: Your iPhone Is Not Tracking You

Filed By Jerame Davis | April 21, 2011 7:00 PM

Filed in: Gay Geeks, Living
Tags: conspiracy theories, iphone, stupid

After reading the repeated breathless reports about how our iPhones are spying on us all, I couldn't help but roll my eyes - then I got annoyed. Seriously folks, this is a non-issue.

Yes, iPhones collect general location data that is stored in an unencrypted, easy-to-read file on your iPhone. Yes, this file is transferred to your computer when you sync your iPhone. Yes, anyone who knows how to find this file could read it and determine your historical location data. These things are all true.

What's ridiculous is the hand-wringing and howling from the blogosphere about Apple "spying" on its customers and giving whack-jobs, jealous husbands, or creepy Grindr tricks the ability to track your every move.

This is just stupid.

If you read an article anywhere that says anything like this, leave. They're wrong. They're lying. Or they're just too much of an idiot to know what they're talking about. In any case, here's the real scoop.

How It Works

Your iPhone uses cell tower triangulation along with WiFi hotspot location data to track your phone's efficiency based on location. Mind you, this is not GPS-accurate data. In some cases, this location data is off by miles. Did any of you have an original iPhone before they put GPS into them? If so, you know how inaccurate the location information can be. Same thing here.

This data is kept in a file called consolidated.db. Apple uses this data to track tower locations and compare that to phone performance. This data is collected anonymously and you agree to this collection when you click through the terms of service when you activate your phone. No, it wasn't explicitly "disclosed" but the terms of service clearly state they will collect this information.

Also, this is not new. The existence and location of this file have been known for months now. It is only recently, when the researchers who found it developed a program that will read it and plot the points on a map, that it got any publicity.

The problem lies in that consolidated.db is a plain text file that anyone can read if they have access.

And there's the first key - access. The only way to get your hands on this file is to have access to the actual iPhone or the computer you sync the iPhone to. Let's start with the iPhone.

If someone already has physical access to your iPhone, you're far more screwed by the other information they have than what's stored in this file. They now have your email, your calendar and access to all your notes and the data stored in all the apps on your phone. Hell, they even have your naked pics from your Grindr profile.

With access to all that info, who the hell is going to spend time trying to download a hidden file off the phone? The gold isn't in your historical location data - it's in your other info.

Now let's look at the computer. The simplest way to prevent this file from falling into the wrong hands is to click the checkbox in iTunes that encrypts your iPhone backups. Once encrypted, no one can read this file or access the data therein.

But even if it isn't encrypted, again, the data is of little use to anyone other than a jealous lover or a micro-managing boss. Remember - it's historical data. So, it's only as up-to-date and accurate as your latest sync. Myself, I rarely sync my phone and my computer - maybe once a month, sometimes less often.

So, unless I've been lying about where I've been for a long time, again, what use is this information? Instead, once again, if they have access to your computer, you've got far worse problems than this little file that tells people you were at the amusement park that day you called in sick.
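A way to check which backups on a computer actually have the encryption setting described above turned on (an added example, not code from the original post). It assumes the iTunes backup layout of one folder per device holding a `Manifest.plist` with an `IsEncrypted` flag and an `Info.plist` with `Device Name` and `Last Backup Date`; none of those names appear in the post, and the sample backups it runs on are constructed.

```python
"""Audit iTunes device backups for the 'encrypt backup' setting."""
import plistlib
import tempfile
from datetime import datetime
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumed default backup root on macOS (not stated in the post):
#   ~/Library/Application Support/MobileSync/Backup


def read_plist(path):
    """Return the parsed plist, or None if it is missing or unreadable."""
    try:
        with path.open("rb") as fh:
            return plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return None


def audit_backups(backup_root):
    """Return one finding per device backup folder under backup_root."""
    findings = []
    folders = sorted(p for p in Path(backup_root).iterdir() if p.is_dir())
    for folder in folders:
        manifest_path = folder / "Manifest.plist"
        if not manifest_path.exists():
            continue  # not a device backup folder
        manifest = read_plist(manifest_path)
        info = read_plist(folder / "Info.plist")
        if not isinstance(info, dict):
            info = {}
        # None means "could not tell"; it is never reported as safe.
        encrypted = None
        if isinstance(manifest, dict) and "IsEncrypted" in manifest:
            encrypted = bool(manifest["IsEncrypted"])
        findings.append({
            "folder": folder.name,
            "device": info.get("Device Name"),
            "last_backup": info.get("Last Backup Date"),
            "encrypted": encrypted,
        })
    return findings


def needs_attention(findings):
    """Folders whose backup is unencrypted or could not be verified."""
    return [f["folder"] for f in findings if f["encrypted"] is not True]


def make_sample_root():
    """Build constructed sample backups: encrypted, plain, and corrupt."""
    root = Path(tempfile.mkdtemp(prefix="backup-audit-"))
    for name, flag in (("aaaa-constructed", True), ("bbbb-constructed", False)):
        folder = root / name
        folder.mkdir()
        with (folder / "Manifest.plist").open("wb") as fh:
            plistlib.dump({"IsEncrypted": flag}, fh)
        with (folder / "Info.plist").open("wb") as fh:
            plistlib.dump({"Device Name": "Sample iPhone",
                           "Last Backup Date": datetime(2011, 3, 20, 9, 30)}, fh)
    broken = root / "cccc-constructed"
    broken.mkdir()
    (broken / "Manifest.plist").write_bytes(b"not a plist")
    return root


if __name__ == "__main__":
    results = audit_backups(make_sample_root())
    for f in results:
        state = {True: "encrypted", False: "NOT ENCRYPTED", None: "unknown"}
        print(f["folder"], f["device"], f["last_backup"], state[f["encrypted"]])
    print("needs attention:", needs_attention(results))
```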

Phone Fearmongering

Please, everyone, stop with the over-the-top ridiculous fear statements. Another great example is this supposed device the Michigan police have that can download everything off your phone in 90 seconds and will even break passwords.

Bullshit.

They may have a device and it may pull data off your SIM card or something else. But there is no such thing as a universal device that will plug into any smart phone and pull off all your data in 90 seconds. This is science fiction fantasy tripe.

As I said previously, if you're reading this breathless, hair-on-fire reporting elsewhere, they're just not credible. They're either lying and distorting or they don't understand the underlying science and technology. In either case, they are making fools of themselves and shouldn't be trusted.

Yes, it's scary to think someone could be tracking you using your iPhone, but that's not happening. If this scares you, then you should seriously consider never using your debit/credit card again. You're giving far more information to far less scrupulous people every time you swipe.

If you're interested in reading up on the real story, Andy Ihnatko does an excellent breakdown of the whole thing on his blog. You can also download the app and see what the security researchers have to say on their website too. Just don't go believing this tripe that Apple, AT&T and Big Brother are out to get you. It's beneath you.




Lonnie Lopez | April 21, 2011 7:29 PM

"Trust us. It's for your own good."

Obama Sides With Bush in Spy Case
By David Kravets January 22, 2009 | 1:32 pm | Categories: Surveillance

The Obama administration fell in line with the Bush administration Thursday when it urged a federal judge to set aside a ruling in a closely watched spy case weighing whether a U.S. president may bypass Congress and establish a program of eavesdropping on Americans without warrants.

In a filing in San Francisco federal court, President Barack Obama adopted the same position as his predecessor. With just hours left in office, President George W. Bush late Monday asked U.S. District Judge Vaughn Walker to stay enforcement of an important Jan. 5 ruling admitting key evidence into the case.

Thursday’s filing by the Obama administration marked the first time it officially lodged a court document in the lawsuit asking the courts to rule on the constitutionality of the Bush administration’s warrantless-eavesdropping program. The former president approved the wiretaps in the aftermath of the Sept. 11, 2001, terror attacks.

"The Government’s position remains that this case should be stayed," the Obama administration wrote (.pdf) in a filing that for the first time made clear the new president was on board with the Bush administration’s reasoning in this case.

The government wants to appeal Walker’s decision to the 9th U.S. Circuit Court of Appeals in San Francisco, a legal maneuver requiring Judge Walker’s approval. A hearing in Walker’s courtroom is set for Friday.

The legal brouhaha concerns Walker’s decision to admit as evidence a classified document allegedly showing that two American lawyers for a now-defunct Saudi charity were electronically eavesdropped on without warrants by the Bush administration in 2004.

The lawyers — Wendell Belew and Asim Ghafoo — sued the Bush administration after the U.S. Treasury Department accidentally released the Top Secret memo to them. At one point, the courts had ordered the document, which has never been made public, returned and removed from the case.

The document’s admission to the case is central for the two former lawyers of the Al-Haramain Islamic Foundation charity to acquire legal standing so they may challenge the constitutionality of the warrantless-eavesdropping program Bush publicly acknowledged in 2005.

The Friday hearing is needed, because disputes with pretrial decisions generally require the trial judge to permit an appeal.

The Obama administration is also siding with the former administration in its legal defense of July legislation that immunizes the nation’s telecommunications companies from lawsuits accusing them of complicity in Bush’s eavesdropping program, according to testimony last week by incoming Attorney General Eric Holder.

That immunity legislation, which Obama voted for when he was a U.S. senator from Illinois, was included in a broader spy package that granted the government wide-ranging, warrantless eavesdropping powers on Americans’ electronic communications.

A decision on the constitutionality of the immunity legislation is pending before Judge Walker in a separate case brought by the Electronic Frontier Foundation.

While I understand what you're saying (I'm an app developer, very technically savvy), I think there are a few key points you're missing here.

Yes, people *could* encrypt their iTunes backups, if they know how to set that option. Most don't, because it's not the default. Also, just because *you* don't sync often, doesn't mean nobody does. In fact, many people set iTunes to auto-sync whenever the device is in the cradle, and many use the cradle to charge their phone.

And to even think that it's "safe" on the phone is bogus. We're talking about a device that's so insecure, it can be rooted by loading a web page! Never mind that apps can get access to this, or that with a single command to a bot-net someone could scoop thousands of these files quickly.

In the end it boils down to:
>So, unless I've been lying about where I've been for a long time, again, what use is this information?

Well, let's see. One could determine where you work, and where you live. Data they *may* not be able to get from your calendar or your contact list. They can also determine when you're home, and when you're away. If you go to PetSmart (e.g. do you have a dog), all useful information to a wide variety of criminals.

Do you have a favorite bar or coffee shop? Is there a place you go where you typically stay out late some nights? Is there a place they could easily wait for you to assault you? Or snap photos of you to blackmail you with later?

What about if you live in a country that's actively persecuting gay people? Even if you've been careful about keeping gay contact names out of your address book, now your movements for months are available to see.

Huh... Guess you're right. That data would be totally useless, wouldn't it?

I'm glad it's beneath me to care that people could have this data used against them. I'm sure you wouldn't mind publishing your file then, right? Since it's not important at all? No? Didn't think so.

Do not question the Will of Jobs, heretic! Worship the glorious genius of Jobs by purchasing every single iProduct on the day of its holy release!

Woody I think you were a little snarky in your reply.

I activated the find your iphone thing the other night and was like whoa there I am. I also then thought about the fact that we leave trails fifty thousand ways everyday. Sure it freaks me out that my iphone knows where I am and what I am doing. At the end of the day the stories are just kind of funny though.

In a fight I think Jerame could beat you up Woody. Just saying.

I strongly object to the argument that "It's okay to spy on you because you don't always exercise your right to privacy anyway."

I agree with you, but there's no spying going on here. The data is used anonymously. Anyone who's "spying" is committing a crime because they are accessing this data against your will and probably committing several other crimes in order to gain that access.

Still, we cede a lot of our right to privacy every day in so many ways. This has a very small chance of actually exposing information compared to things we do every day.

I think Bruce's point is the same as mine - this is an overreaction of epic proportions when compared to things we do mindlessly every single day.

No data is used anonymously. They have a unique identifier for every phone. They can correlate that with you if they want to.

I hear what you're saying, but you're just the flip side of the dichotomy. Most of the people who are paranoid are delusional. Most of the people who are not, are ignorant and naive.

The real issue is not asking explicit permission, and then not letting people opt out. Every other app does this.

The real danger is not posed by jealous one night tricks. The real danger is posed by corporations hoarding data that can be data mined at any point in the future. Think about insurance companies optimizing risk analysis algorithms to determine whether to give you health insurance or not. We've seen people be fired for politics under Bush, and the K street program. What if you are fired, or denied services of some kind? Think I'm crazy? MIT did a study where they could do a simple social network analysis of people you're connected to on Facebook and with a very high accuracy, guess whether you are gay or not. This data and services for mining it will become commonplace in the future. Potential employers will easily be able to do background checks. This is only the beginning. Yeah, it seems harmless now, but in a country where a lot of people don't believe that everyone should get healthcare, and that not everyone should have equal rights, or protections to keep their jobs, etc. I think it's pretty freakin' valid to have these concerns.

I happen to be not only an app developer, but a Ph.D. in computer science, and I am an R&D contractor for the DoD. Currently I'm specifically working on a cyber security project. The real danger isn't from Big Brother, it's from corporations.

Brandigirl | April 21, 2011 9:59 PM

Thank you Woody, I couldn't have said it better, and if I may add: let's say you lose your iPhone, something that happens daily; people lose phones all the time. Anyone who finds it could open and read this file... and god forbid this person is a stalker, it'd be a gold mine.

That's not true. It's not exactly simple to get this file off an iPhone. Just because you have physical access to the phone, you STILL have to have some tools to pull it off. It's not a matter of the file just lying there waiting to be read or something. That's silly.

Who's spreading FUD? All you need to get this off an iPhone is a sync cable and iTunes, a free download at Apple's site. There are other options as well, but for most the simple act of installing iTunes and docking it is enough to enable syncing.

Let's at least be honest about the facts, can we?

I'd happily publish my file. This is a silly argument since others have done so as well. My address is easily known, everyone who reads this blog knows where I work. I do not feel insecure in the least - especially since the accuracy of these measurements is +/- yards to miles.

Your assumptions are pretty far fetched, honestly. If someone has access to your phone or your computer, your information is far more compromised by other means than by the existence and knowledge of this file. I'm sorry, but you cannot dismiss this so easily.

Yes, there are instances where this information could be used against other people - I don't deny that - I just think the notion that there are a great number of these cases and that a realistic exploit will be created is far-fetched.

Regardless of that, cell phone companies have this data on file too in many cases. Many phones track this kind of information and send it back to the phone companies and the manufacturers. Apple didn't invent this - they just screwed up the implementation. Phone companies also keep records of which towers you're closest to - they just don't go the extra step and triangulate your position by default. Still, that's just some math.

The real problem with what Apple is doing is that this file should be culled regularly and cleared. It shouldn't have historical data that's over a year old - I agree with that and I'm sure it will be fixed. But Android tracks this exact same information in a non-encrypted way too. The difference is that on Android, the data is culled and it's only recent entries.

The fact is, there is no practical, zero-day, realistic exploit of this file or its data that isn't easily remedied by clicking a checkbox and making sure you have a password on your computer. The likelihood of an exploit on the iPhone itself is almost laughable. Possible, yes. Probable, not so much.

>I'm sorry, but you cannot dismiss this so easily.

Isn't that exactly what YOU are doing here? Dismissing the fact that a device is actually recording location information in a way that IS rather easily accessible, and NOT documented, NOR controllable?

Yes, you can store your home address in the phone. Yes, you can store your whole schedule in the phone. Yes, you can record every place you visit with a geo-cacheing app. And then you can leave it unlocked and lose it, and yup, nothing new in that file.

But you have to ACTIVELY put that information in. If you're someone that doesn't put every detail of your life in though, this file supplies a minimal baseline of information.

As for "needing tools" to get to this file? You need to install iTunes, or use one of many file browsing apps available, since this file is in the USER area. It actually existed before iOS4.0, but was in the hidden system area, where it was much safer from all but deep forensic tools.

No, I'm not dismissing the fact that it's doing it. I'm dismissing the idea that this is an easily exploitable thing. I'm disputing that there is a reason to freak out.

I'm also disputing the notion that Apple is the only one doing it. http://arstechnica.com/gadgets/news/2011/04/android-phones-keep-location-cache-too-but-its-harder-to-access.ars

The researchers who "discovered" it (how you discover something that's been known to exist in previous versions in different locations is a whole different story) state there is no evidence the file is ever sent to Apple. Yet, if you read the article at that link, Google admits they grab your location data - along with a unique identifier!! - every few minutes and feed it into the Google data matrix. You wanna flip out over something, how about that?

I'm not dismissing the possibility, I'm dismissing the small probability of this being used in a real world situation.

It's not being a "fanboy" to be realistic about the "threat level" of this file. It's not a threat to 99.9% of iPhone users and probably only rises to "concern" for most of the other 0.1%.

Your insistence that there IS an exploit is not true no matter how many times you say it. There is an open source program that does what you say - yes...But only on your own computer when you run it on your own computer. It doesn't help you steal the file, gain access to the computer, locate the correct file (I'll point out that when I used it, it found an old data file from my iPad and there was no way to tell it to use my current iPhone profile.)

Yes, someone can run it on your computer, but there are other problems even at that point - like knowing it's selected the right file, like I pointed out above, the level of accuracy of the locations (they'll cluster around somewhere, but they are not GPS accurate), etc.

Yes, being open-source, that means someone can modify the program to do some of this - but again, there is the access problem in the first place, which is a pretty major barrier.

What's more - and like I said before - the quick and easy remedy is to 1) delete all your current iOS backups and 2) enable encryption on your backups. That completely nullifies the ability to exploit that copy without cracking 1024 bit encryption - which you won't do in time measured in seconds or minutes or even hours - like days.

As for the "webpage can root it" yes, that was a bug that was in an image library that was patched long ago. Every OS has flaws, no one denies that. It's just as easy to root Android as iOS as anything else. A currently patched iPhone has to be jailbroken via modifying the OS file before it's uploaded to the device. Again, if someone has that sort of access to your phone - you've got WAY bigger problems than the existence of this file.

So, other phone OSes do the same thing, albeit in different ways (less saved data, more violations of your privacy with unique ID and regular transmissions) and this has been a known thing for a very long time. Seriously, why make a big deal now? Because someone made an app that can read the file?

OK, it looks scary - but looks can be deceiving. This data is not easily obtainable or exploitable. It's not GPS accurate. It just doesn't rise to the level of "big deal". It's a problem, it's something Apple needs to fix. But it's not something that's worth this kind of hand-wringing and FUD.

No, Apple isn't the only one that does this. But they are the only one that has an unlimited history of it ON the device in a user-accessible area. Android (if you read the article you linked) collects the data, but then REMOVES IT FROM THE DEVICE. They do so on a pretty regular basis. End result: If I crack someone's Android device, which IS hard to do, and get that data, I get a few hours to a days worth of info. The iPhone? 6+ months.

And the researchers never claimed to "discover" this. They claimed they were the first to write a program that automates creating a graphical representation of location based on the data and triangulation software. As I said, the fact that the file existed was not "new". It existed before iOS4 in another location even. The difference is that as of iOS4 it's easier to get to, and with these tools it's now trivial to USE.

As for your assertion that "Apple will fix it", why haven't they already? This was pointed out to them in October of last year. There's been 4 releases since then (7 if you're on CDMA), with no fix to this issue. I'm sure it will be in the next drop, but it took this media black-eye for them to pay attention to it.

And again, access isn't an issue for an abusive spouse. Access isn't an issue if your phone is lost or stolen. This isn't about "spying" on you without your knowledge. It's not about if the data is accurate enough that I can compute your gait. It's about the information being available in an easily accessible place in the first place. I'd hardly call it FUD when, albeit for a small percentage of people, it can be literally LIFE THREATENING.

Oh, and as for laughing off the possibility of an exploit for the phone itself? This just shows what a fanboy you are. Despite Apple saying it's got a tight lock on the app store, there have been dozens of reported cases of spyware and malware in apps in the app store.

Also: One of the "jail break" solutions was a browser based attack. If a WEB PAGE can break into your phone to give you ROOT ACCESS, that same mechanism can be used to carry another payload. Yes, Apple fixed that hole, but it WAS there. And the fact that people can *still* jailbreak their phone shows there's *still* a way to get around Apple's "air tight" security. If there weren't, there would be no jailbreak for the iPhone.

Please try to use common sense some time. People *know* this file is out there, and there *is* an exploit, in the form of open-source, freely shared tools to extract this data and make a KML overlay of it. That's the reason it *wasn't* in the news in October when it was first "discovered", but *is* in the news NOW. Because THERE IS AN EXPLOIT to use that data.

The other thing I'd say:

I'm not saying there's nothing wrong with how they've implemented this or that it doesn't need fixed. I'm saying it's being blown WAY out of proportion and there is no realistic means of exploiting this at this time.

It looks scary because these researchers wanted attention and built an app that showed the data could be used by others for nefarious purposes - but even they admit a lot of ducks have to line up to make it possible to obtain and use this data.

It's something Apple needs to fix, it's not a fucking plot between AT&T, Apple and the Government as some idiots have suggested.

In short:

It's not a bug. It's a feature!

No, in short, it's a bug (or bad implementation, at least) and it will certainly be fixed.

Considering Apple's track record of handling major design flaws in their products, your confidence that it will "certainly" be fixed seems entirely unjustifiable.

Yeah, Apple is outpacing the market in every category and they're selling bunk products with major design flaws. Yep, that's how it works. Everyone gets rich by selling shitty products, don't they?

Either your definition of "major design flaw" is warped, or you're talking out your ass - I'm not sure which.

Apple understands the same thing Nintendo did: aggressive marketing and cutthroat business tactics can easily win out over a superior product. To be fair, most of Apple's products aren't as utterly shitty as the Nintendo Entertainment System was, but nothing they've produced was world-class on its actual merits. It's just "good enough" while being very, very slickly packaged and marketed.

I don't even have a cell phone, but I'd be more worried about the Michigan police's other devices (night stick, taser, tear gas, gun) than I would be about one that could pick up iphone info.

Don Sherfick | April 22, 2011 12:29 PM

Jerame, I think all of this demonstrates that people who are predisposed to believe something, generally because of ideological/religious reasons, will simply do so despite the evidence. And the phenomenon knows neither right, left, or anywhere in between.

Your well-written item has convinced me that no I-phone is following me around.....and won't be.

On the other hand, can you tell me why my Droid insists on staring at me from my bedside table and taking notes? It's really beginning to spook me badly.

I'm with you, Don ... my Droid stares at me all night, too ... you see, it knows I have sleep apnea and it's waiting for me to stop breathing. Then it will call the bank and clean out my accounts (not that there's all that much there). ... But who cares, I'll be dead by then.

(I do wonder how the Droid will cash in the few gold coins I have.)

As a queer domestic violence advocate, I'm really disturbed by your dismissal of a "jealous lover" as though that's just about someone who has something unreasonable to hide.

I'm not one for tech fear-mongering. I get how this works, am tech savvy, won't be getting rid of my iPhone, and I don't believe that my iPhone is spying on me.

However, I do think that it is a real concern for survivors who are - every day - planning for their own safety and well being. When I talk to survivors about their relationships, and how they are navigating being in, getting out of, or having left relationships with abusive partners, a *HUGE* piece of the equation is whether or not their abusers can find them.

I know that this information will impact how I safety plan with survivors, how I help them strategize for their own survival and safety.

I hope that, in your haste to allay overblown fear mongering, you can refrain from dismissing reactions that are rooted in concern for the safety of survivors as being either petty or inconsequential.

I don't think I'm dismissing the possibility, just the probability that this information could be obtained and used easily. I realize that, because the file exists it is a safety concern for some folks and that concern is real.

What I am saying and have been saying is that the circumstances necessary to exploit this are a pretty high bar to cross when it's all said and done. For most people, simply clicking the encrypt backup option is more than enough to prevent this info from being used.

I don't think the concerns are petty or inconsequential, but I do want folks to be realistic about the probability or likelihood that someone could a) obtain and b) exploit this data.

The outright paranoia that many have reacted with over this has been absurd. My point was to make sure folks knew that, in general, they're safe, no one can easily access this data and there are pretty easy and basic steps you can take to make yourself safer, if you feel the need.

Nonsense? Read this, Apple fanboy:
http://on.wsj.com/ec6n2P

This article says nothing new or that I didn't know when I wrote this piece. It's still nonsense to think Apple, AT&T or the government is tracking you. It's still nonsense to freak out about this issue (unless you have some very particular circumstances, but even then, it's not life or death.)

It seems to me that you either a) don't understand the situation or the technology behind it or b) you just have a desire to leave derisive comments calling someone a "fanboi" even though you've never met them or know anything about them.

Either way, it says more about you than me.

Whether or not the recently uncovered plaintext location file is involved, Apple explicitly confirmed last year that they explicitly reserve the right to track any Apple mobile device user at will.

http://www.ibtimes.com/articles/137432/20110423/apple-we-must-have-comprehensive-user-location-data-on-you.htm

All I want to know is this... How many of the people freaking out over this use Foursquare or Facebook Places to check in and broadcast their location to the entire web? One of the things the file does on your iPhone (and surprise surprise as recently revealed on your Android phone) is help your phone quickly determine where you are so you can tell the entire world where you are on Foursquare.

Jerame is right. Just the simple act of having this information on your phone and computer isn't a big deal. Someone gaining access to your phone's information could be more damning than just your historical location data.

I haven't read all of the comments to see if this was addressed, but if someone has access to your computer you're more screwed than if they have access to your phone. I don't care historically where someone has been, but if I had access to someone's computer and wanted to cause them harm... Well... How many of you have unencrypted copies of last year's tax return on your hard drive? Imagine what someone could do with that information.

There's a big difference though between using 4Square and this. Using 4Square is a *voluntary* activity, one you have to actively partake in. And even with that, let's assume someone does use it. They log that they were at a train station, then a convenience store, then a concert. Did they log that trip to the clinic to get tested? Did they log that stop at the local drug house to get something before the concert? Did they log that late night creep to visit a DL friend? Nope, but their phone did...

And yes, the topic of access has been addressed (read above). But access is sometimes not something you can control directly. An abusive partner has access. A criminal who broke into your house or just swiped your phone while you were ogling the barista has access. If you sync with your work PC, maybe you have an IT stalker? Or a boss or co-worker for that matter.

The fact that the data is logged, locally, and in a location that anyone who has access to the device can get at it is problematic. Yes, for most this won't matter. But for the few that it does matter to, having this there, without knowing it? It can matter a lot.

Suppose you had a bad breakup with someone. Suppose you at one point charged with that person's computer, or did a sync to "share" some of your music with them. Now suppose they went a little loopy, and you broke up with them, but they're still being stalkerish. Thank goodness they don't know where you live, right? They could now go look up that old data file, and even though it's old, can find out about other places you've been. Where your home is (roughly), patterns that you had and may have returned to now that you're single again... And there's nothing you can do about it. Checking a box to secure your backups on your home PC won't matter to that old backup file.

David Johnson | April 23, 2011 11:50 PM

I do like it that you seem to have calmed down Jerame- always a good idea when being the author of an apologetics ... you want to "win" hearts and minds. You recommend Andy Ihnatko and describe his post on the subject, using the word "excellent" to describe it.

Here's how Andy closes his post:

Apple should treat this like a serious problem. I’ll be very, very pleased if I or anybody else can get a statement from them explaining what this file is for, and how the next iOS update will secure it.

I have to agree with you Jerame- it is an excellent conclusion.

Actually, it is exactly like a file laying there waiting to be read.

There is a plethora of information about extracting complete backup data from the phone, regardless of operating system. For example, syncing it with a computer that has "encrypt backup" turned off, such as... the thief's computer... would work pretty easily. If that doesn't do it, there are handfuls of other tools available to point-and-click extract data from an iPhone, and most of them are completely free.

And yes, there exists a device that can read your phones quickly, albeit usually a little longer than 90 seconds, and only encrypted Blackberry users have any modicum of security from it. The creepier part of this is that it takes much less time to *install* malware to your devices and syphon off your data over time, and there are only 3 major smartphone OSs in use, so the probability of an intentionally-written malware to be able to infect all the platforms is high.

As a general rule, if you care about ongoing privacy and security, don't use any device that's been confiscated (unless you're analyzing changes... from within a SCIF). Wipe it, get rid of it, and get another one immediately.

Obviously these tactics don't matter against CASUAL USERS who do MINDLESS THINGS with their credit cards all day long, but they certainly *do* matter when applied to professional users who pay close attention to what sort of digital and physical crap they're leaving behind everywhere. People who actively work against tyrannistic governments, people doing investigative journalism, security workers, executives, et al, are all affected by this, and whether you know it or not, many are either directly or indirectly working to protect freedoms of the MINDLESS users.

So, rather than continue going round and round explaining this myself, here's Apple's explanation. Pretty much just like I said. These are the first 3 questions and answers in their 10 question FAQ about the issue.

1. Why is Apple tracking the location of my iPhone?
Apple is not tracking the location of your iPhone. Apple has never done so and has no plans to ever do so.

2. Then why is everyone so concerned about this?
Providing mobile users with fast and accurate location information while preserving their security and privacy has raised some very complex technical issues which are hard to communicate in a soundbite. Users are confused, partly because the creators of this new technology (including Apple) have not provided enough education about these issues to date.

3. Why is my iPhone logging my location?
The iPhone is not logging your location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested. Calculating a phone’s location using just GPS satellite data can take up to several minutes. iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements). These calculations are performed live on the iPhone using a crowd-sourced database of Wi-Fi hotspot and cell tower data that is generated by tens of millions of iPhones sending the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple.

In the full FAQ they also say they'll be sending out an update that removes this data beyond 7 days, they'll be encrypting the file in the next major release of iOS, and they'll make sure the file is deleted every time you turn off location services on your iPhone.

They also state they will no longer back up this file to your computer, that the information cannot be used to determine your actual location and that the plot points are of cell towers and wifi hotspots in the vicinity of where you've been, not your actual locations. What's more, the location of these towers and devices can be more than 100 miles from your actual location.

Their explanations and description of the problem line up with my understanding of how iOS works, why the data is being collected and essentially matches my article above pretty closely. What's that saying about mountains and molehills?

Now, can we tone down the hyperbole and hand-wringing?

So, in summary, Apple's known about this for 6 months, has released 5 revisions since it was pointed out to them, but now that it's a news story, they're going to fix it in the next release.

Apple now seems to think this data is so sensitive that they're going to limit its history, encrypt it, and no longer put it in the user area. Yup... Clearly it's all hyperbole... So much so that they're basically doing nothing, see?

If it was all hyperbole, why make changes? Because most of it wasn't. There are valid privacy concerns, and because it finally got the attention of the media, Apple will finally address it, after months of ignoring it.

As for hand-wringing... I wasn't bothered. Mainly because I don't have an iPhone. But it's understandable from those that bought iPhones, since Apple wasn't exactly forthcoming about it, (and took days to address it). And before you ask, I have an open-source phone, where answers for questions like this are easily discoverable, discernible, and fixable without waiting months for a company to decide it's worth addressing.

That's just not quite right. Apple "knew" yes - they designed the damned thing that way. Of course they knew. They didn't consider it an issue because it's a database of cell towers, not your location.

They're taking action because people have raised concerns - some legitimate, others not - and they are putting in measures to make those people who are concerned feel more comfortable and secure.

You keep calling this the user area too - that's wrong. There's really no such thing as a "user area" on an iPhone. Every app has its own file space and cannot access the file space of other apps. It was in the system area of the iPhone and only accessible by root. When the file was copied to a computer during a backup it was then, technically, in the "user area" - but buried in directory after directory in that hierarchy.

As for encryption, they still think it's such a non-issue they're not rolling out an immediate fix and will roll that into the next major release of iOS. It's not like it takes any more time to roll out the encryption as it does the limiting of the cache size.

And while I have conceded many times there are legitimate concerns, most of them have been way overblown and there has indeed been much hyperbole.

Again, your assumptions here seem to be that Apple is evil and was trying to hide something and got caught. This bizarre language around "not being forthcoming" mischaracterizes the entire situation and doesn't help anyone really understand what's really going on. How is Apple supposed to be "forthcoming" with something they don't think is an issue to begin with?

And yeah - you have an open source OS (I assume Android) and someone can dig into the code and see if something nefarious is going on. Yet, Android is phoning home all the time telling Google where you are and what's around you. Google hasn't exactly been forthcoming about that either until it was pointed out when this Apple kookiness blew up.

And I do believe what Google is doing by collecting your location info and beaming it out to the mothership with a unique ID attached is most definitely something they should have been very forthcoming about. That's a hell of a lot more intrusive than a flat file just laying on the device that doesn't even have your actual location in it.

In the end, the truth is the truth. What Apple said squares with what the researchers found. Apple has agreed that some of these concerns are legitimate enough to make changes to make the system more secure and less intrusive.