About two weeks ago, two researchers poking around inside iOS came across a file entitled “consolidated.db” that seemed to be generated each time an iPhone was synced with the host computer. That file, once opened, showed a time-stamped record of the phone’s location (via cell tower triangulation) that spanned back several years. The two researchers, Pete Warden and Alasdair Allan, found a similar file on each machine of theirs that had been synced with an iPhone. If you have an iPhone, there’s a similar file on your machine right now. Unencrypted and unannounced, our iPhones have been storing information about our daily movements in plain sight on our computers and transmitted every 12 hours to Apple.
In all likelihood, their purpose is benign. The data itself comes from cell tower triangulation and some data points are off by dozens or hundreds of miles. I looked at my file, and it thinks Amherst College is in Boston every once in a while. Cell network providers have long reserved the right to collect (anonymous) information about users’ whereabouts to monitor and improve network coverage. John Gruber, known for his connections with insiders at Apple, has even speculated that the consolidated.db file is just a bug - a cache meant to store recent locations for which someone just forgot to write code to erase non-recent locations. But all of that doesn’t mean the file is not a problem.
The difference this time is just how accessible that file is. Consolidated.db is not a network providers’ collection of anonymous data points, detached from the user and removed from public perusal. Anyone with access to your computer for five minutes can pull up the file. It’s small, it’s not password-protected, and it can be emailed or whisked away via flash drive. A stolen laptop can tell a thief where its owner lives, where they work, where their children go to school.
And, as CNET points out, the Department of Homeland Security has asserted a right to copy all data from any electronic device transported over the border - “even if there’s no suspicion of or evidence for illegal activity,” - and the Ninth Circuit Court of Appeals has blessed the practice. Go to Canada for a week, and DHS can get a record of everywhere you’ve been since you got your iPhone.
There’s also no real opt-out. Since the file is generated with each backup, all you can do is stop backing up your iPhone - and that’s less than advisable. Data loss means re-acquiring all of your contacts (hello, Facebook event), all those apps you bought on your iPhone, and much more. That’s too much to ask, and Apple should speak up with a fix.
But Apple remains silent and unapologetic. Senator Al Franken (D-MN) and Rep. Ed Markey (D-MA) have sent letters to the folks at 1 Infinite Loop. They’ve expressed concerns: that a number of minors use the devices, that Apple has been reluctant to explain the rationale behind the data collection and that the collection could be in violation of Section 222 of the Telecommunications Act of 1996. Apple, however, has maintained a silence that seems just as stubborn as and even more inappropriate than its quiet during the AntennaGate controversy last summer. Even with Congress showing interest, Steven Jobs has refused to explain the reasons behind this data collection or how users might opt out of it.
But the most worrisome part is that, even as millions of consumers were kept in the dark about consolidated.db, forensics companies and law enforcement agencies have known since at least last year. Micro Systemation, a Swedish computer forensics firm, posted on its website that the researchers’ findings about consolidated.db “will come as a surprise to most iPhone users…but they are no surprise to the developers here at MSAB who have been recovering this data … for some considerable time.” It’s also worth noting that the U.S. federal government placed an order to Micro Systemation last year. It was the largest in the firm’s history.
Using the application available from Pete Warden and Alasdair Allen, I’ve taken a look inside my consolidated.db file. It shows every one of my recent trips: Thanksgiving, Interterm, weekend jaunts to New York and DC. I can see where I live, where I go to school and where I was for any week long period since my iPhone was first turned on. The free app provides an abbreviated visualization that shows weeks of data rather than days in order to preserve some measure of privacy. Make no mistake, though, a more malicious version that shows the whole record will likely be released in a matter of weeks by some guy in Anonymous.
The consolidated.db file is inexcusable. Sure, there’s a spot in the End User License Agreement (EULA) that seems to cover data collection of this sort - we’ve all signed off on it. Google and cell providers collect location data, and it’s all stored on massive servers where owners are dissociated from locations. But to store that file in plain sight so that anyone, whether it be a thief or the government, can copy it for later perusal is a grave intrusion that no EULA can excuse. Apple owes the industry, the government and its consumers an explanation. Why is it that my iPhone must track my every move? Can I opt out and, if so, how?
B.F. Skinner once observed that “the real problem is not whether machines think but whether men do.” If consolidated.db is the sort of consideration of privacy we can come to expect from the new titans of technological trade, then there is great cause for alarm as their gadgets continue to play an ever larger role in our everyday lives.