U.S. Senator Al Franken and Congressman Ed Markey have sent letters to Apple CEO Steve Jobs expressing concern over recent reports that Apple's iOS 4 maintains a database with detailed location information, while several European officials are planning investigations into the practice.
Security researchers sounded an alarm earlier this week over a database file in iOS 4 regularly logs the location of both the iPhone and 3G iPad. According to the researchers, the current version of the log began with the launch of iOS 4 last year, resulting in as many as "tens of thousands of data points" collected over the past year.
"What makes this issue worse is that the file is unencrypted and unprotected, and it's on any machine you've synched with your iOS device," wrote one researcher. "It can also be easily accessed on the device itself if it falls into the wrong hands. Anybody with access to this file knows where you've been over the last year, since iOS 4 was released."
The researchers did note, however, that they had yet to find evidence that the location data had been sent to anyone.
Senator Franken sent an open letter to Jobs on Tuesday, noting that the stored location information "raises serious privacy concerns."
"I read with concern a recent report by security researchers that Apple's iOS 4 operating system is secretly compiling its customers' location data in a file stored on iPhones, 3G iPads, and every computer that users used to "sync" their devices," Franken wrote.
Franken found the fact that the file is stored in an "unencrypted format" to be "even more worrisome."
"Anyone who finds a lost or stolen iPhone or iPad or who has access to any computer used to sync one of these devices could easily download and map out a customer's precise movements for months at a time," he continued. "It is entirely conceivable that malicious persons may create viruses to access this data from customers' iPhones, iPads, and desktop and laptop computers."
iPhone location data plotted | Source: O'Reilly Radar
Franken took particular issue with the possibility that underage users could be at risk, citing an analytics report that found 13 percent of iPhone users to be under the age of 18.
The senator concluded his letter with a series of questions for Apple. "Why does apple collect and compile this location data? Why did Apple choose to initiate tracking this data in its iOS 4 operating system?"
Franken also queried Apple on how the data is generated, why Apple chose not to encrypt it, whether the practice had been outlined in Apple's privacy policy and to whom the data had been disclosed.
Rep. Markey's letter closely resembles Franken's and includes a list of questions that Apple is to respond to by May 12. "I am concerned about this report and the consequences of this feature for individuals' privacy," he wrote.
According to The New York Times, the Italian Data Protection Authority has opened an investigation into Apple's data collection. CNIL, the French data protection authority, is currently in the process of verifying the location tracking practice and may also initiate an investigation.
Given the involvement of elected representatives, this week's privacy incident has taken on echoes of a controversy from last year. Last summer, two U.S. congressmen, including Rep. Markey, sent a letter to Apple after an erroneous and alarmist report claimed that Apple had changed its privacy policy to begin "collecting, sharing iPhone users' precise locations."
In fact, Apple had not changed its policy and was simply restating the privacy policy in its EULAs. Apple allows users to opt-out of location services on a system wide level or within specific apps. Those wishing to prevent iAd, the Apple-developed ad network, from accessing location data can visit an "Opt Out" URL from their device.
Apple general counsel Bruce Sewell responded to the congressmen with detailed explanations of Apple's privacy policy for location services. In the letter, Sewell noted that Apple keeps location data for six months to improve its iAd network. âThese databases must be updated continuously,â Apple wrote.
However, recent findings from security researchers would appear to dispute that fact, since the database they discovered had location records that dated back almost a year.
The location file is nothing new, according to researcher Alex Levinson, who claims to have discovered the log months ago. Prior to iOS 4, the location data was stored in a /root/Library/caches/locationd folder, Levinson said.
John Gruber of Daring Fireball noted on Thursday that the tracking log appears to be an error. "My little-birdie-informed understanding is that consolidated.db acts as a cache for location data, and that historical data should be getting culled but isn't, either due to a bug or, more likely, an oversight," Gruber wrote.