Gregg Keizer
Senior Reporter

Apple faces questions from Congress about iPhone tracking

news
Apr 21, 2011 | 6 mins
Apple, Privacy, Regulation

Privacy attorney says Apple may be looking at lawsuits, too

Sen. Al Franken (D.-Minn.), who chairs a new privacy panel set up in February, yesterday asked Apple to explain why its iPhones are tracking users’ locations.

The Federal Communications Commission (FCC) is also reportedly looking into the matter, while a Congressman from Washington State has followed Franken’s lead, promising to ask questions of his own.

Franken’s letter to Apple CEO Steve Jobs came after a pair of British researchers reported Wednesday that iPhones and 3G iPads running iOS 4 logged up to 100 location entries daily.

The data is stored in an unencrypted SQLite file on the device, while a copy of the file is regularly backed up by Apple’s iTunes during synchronization, then saved on the device owner’s Windows PC or Mac.

Security experts have expressed concern that the data is unencrypted and easily readable by anyone with access to a smartphone or tablet — perhaps after one is lost or stolen — or to the synching computer.

Franken, who is on the Senate Judiciary Committee, was appointed chairman in February of the newly-created Senate Subcommittee on Privacy, Technology and the Law.

“Anyone who gains access to this single file could likely determine the location of a user’s home, the businesses he frequents, the doctors he visits, the schools his children attend, and the trips he has taken — over the past months or even a year,” said Franken in the letter to Jobs.

Although Jobs is on indefinite medical leave, he remains the CEO of Apple. In his absence, COO Tim Cook is running the company.

Franken posed nine questions and asked for a “prompt response” from Apple.

“Why does Apple collect and compile this location data?” Franken asked. “Why did Apple choose to initiate tracking this data in the iOS 4 operating system?”

Franken also asked for answers to a range of other queries, including how the data was obtained, the location mapping precision, to whom the data is disclosed and whether Apple believes the tracking is covered by its privacy policy.

Additionally, the letter asked why the data was not encrypted and why Apple did “not seek affirmative consent” from users before logging the locations.

“There are numerous ways in which this information could be abused by criminals and bad actors,” said Franken in the letter. “Furthermore, there is no indication that this file is any different for underage iPhone and iPad users, meaning that the millions of children and teenagers who use the iPhone and iPad devices also risk having their location collected and compromised.”

Apple has not responded to questions about the iOS location tracking.

Rep. Jay Inslee (D-Wash.) also took a shot at Apple in a statement today, saying he was “deeply disturbed” by the news and promising to ask his own questions of the Cupertino, Calif., company.

“I intend to ask Apple and the federal agencies charged with oversight some very direct questions to understand the frequency and extent of this data collection and the use, protection and sharing of this sensitive information,” said Inslee in the statement. “This episode, and many others, illustrates the need for enhanced government oversight of data collection activities.”

Inslee, who is on the House Energy and Commerce Committee, represents Washington’s First District, which includes Redmond, Wash., the headquarters of Apple rival Microsoft.

Politico reported late Wednesday that the FCC was looking into Apple’s practice of tracking users’ locations. The FCC did not respond to Computerworld’s request for comment.

Apple has drawn the attention of Congress because, well, it’s Apple, said Jim Harvey, a partner with the law firm of Alston & Bird. “One reason why Apple is being criticized in this hyper-charged environment is because of its incredible success,” said Harvey, who specializes in privacy issues and founded his firm’s privacy and security taskforce.

“Second, there’s now a much better understanding of the complex issues in digital privacy on the Hill,” Harvey added.

The data that iOS 4 logs isn’t precise, according to Christopher Vance, a digital forensics specialist with Marshall University’s Forensic Science Center, located in Huntington, W. Va.

“It seems to be taking the [location] points from local cell towers and Wi-Fi networks,” not from the iPhone’s GPS, said Vance.

Vance, who works with the West Virginia State Police and examines five to 10 iPhones each week for authorities, first uncovered the “consolidated.db” file last September when he started looking at iPhones running iOS 4. He published some findings on his blog then, and followed up earlier this year.

Because the location tracking relies on cell towers and Wi-Fi access points, it’s not precise, especially when the point is drawn from a tower, said Vance. The iPhone apparently logs all towers within range, not just the tower it’s currently connecting to, said Vance.

“It could show that a person of interest was in a particular area at the time, and could help to show if they crossed state lines, but it’s a very general view,” Vance said.

Last year, for example, Vance wiped an older iPhone, then installed iOS 4. The iPhone never left an area about 100 yards in diameter, but the “consolidated.db” file ultimately logged locations all across Huntington.

Vance’s theory is that the location logging is done by iOS to improve cellular and Wi-Fi performance, perhaps to locate and record strong signals.

Apple might soon have more than just Congress on its back, said Harvey.

“I wouldn’t be surprised if someone decided to sue Apple over this,” said Jim Harvey.

“The fundamental legal tenet is whether a company does what it said it would do,” said Harvey. “But in today’s world of complex services, complex ad delivery, complex telecommunications ecosystems, it’s very difficult to capture all that in a privacy policy. I suspect that reasonable minds will differ whether Apple sufficiently informed users in respect to this and its privacy policy.”

Apple’s privacy policy, which spells out location tracking, is available on its Web site.

It’s easy to imagine lawyers citing Inslee’s statement on Apple’s practices.

“I’m deeply disturbed by this report,” said Inslee today. “Consumers are often left to learn of these breaches of privacy from hackers and security experts because companies fail to disclose what data they are collecting and for what purpose.”

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg’s RSS feed. His e-mail address is gkeizer@computerworld.com.