Was the iPhone location logging put in by quiet law-enforcement / intelligence agency request?

You all have heard about the iPhone / iPad 3G forever location logging by now. The phone writes locations obtained from cell towers and WiFi hotspots to an eternal database, including a timestamp of the last visit on each location.* The “feature” has been known to forensics experts for quite some time and is even published in the relevant book on iPhone forensics and incorporated into a number of forensic data extraction tools in common use by law enforcement and intelligence agencies. Since the first mentions of the problem that was already present in the previous OS version iOS 3 Apple has issued quite a few security and feature updates, none of them fixed the problem. Even more, in iOS 4, it was just moved to a different file name and structure.

This does not sound like an innocent “bug” to me, but a intentional omission. Which often happens because someone in law enforcement or intelligence quietly asks the company (or even sometimes an individual programmer) to help them out. I will explain the logic why I think Apple followed such a quiet request below. (Remark: I have spent a number of years working on and designing location based services myself, so I know the tech, biz and logic behind these services.) For normal location based services you don´t need a “forever log” under any circumstances. There are exceptions, like fitness trackers, that intentionally log locations for periods of times, but this is done at the users discretion in an application, which is an entirely different case.

So why would you as a phone manufacturer normally store locations on a phone? You always want to store the last known good location (either obtained from GPS or from cell tower or WLAN SSID) in the phones flash to speed up the time to fix when the GPS is switched on. If the GPS has a rough idea about the location, the “time to fix” is much faster then if it has no idea where on the world it may be.

Also Assisted GPS uses the rough location obtained from cell towers to get from a network service an almanach with the correct satellite data for its position, saving the time to wait till the almanch updates have been received from the satellites. You can observe that if you have switched GPS off on your phone for a while, move to a different place and then switch it on in an area with no cell or data coverage. GPS will take much longer to get a fix than in an area with cell or data coverage, as it needs to wait to receive the necessary satellite orbit positions through the very slow GPS data channel. If it has network connectivity, this data is there in seconds and you get a fix. (There are more precision and speedup tricks in Assisted GPS, but you get the relevant point).

You also want to have a place where the last rough location is made available to all the apps on the phone that have a right to access it, for instance for local search, automatically selecting the right city in a public transport schedule lookup etc. This is what this consolidated.db was meant to be, apparently. But there is no valid reason to store a year or more of historic cell tower location data in it. The popular theory with Apple believers is now that this was an innocent programming error, someone just forgot to delete the last stored positions and his holy Steveness will humbly announce that there has been a honest mistake and it will be fixed soon. I find that implausible, especially as Apple has kept silent even under an serious onslaught of press requests.

Apple had ample of time to change the logging behaviour. The company has security people who follow the discussions and also know the relevant forensics literature. They must have known for a long time. Not changing the logging behaviour but even continuing it in a different file and format even through the transition to iOS 4 is in my view clearly indicative of intent. And since there is no apparent business reason, lets see if there might be a law enforcement reason.

To police or intelligence, reading the data from a captured phone of a suspect has become routine. It violates all kind of basic constitutional rights, as phones contain meanwhile large chunks of our digital lives and should be protected from government snooping. But it is done anyway, in some US states even more then in Europe. So what interest would police or intelligence have in seeing where a suspect roughly has been?

In many criminal cases, digital evidence is used to either support or contradict claims of a suspect about his behaviour. So the simple case is a suspect says he has been with his girlfriend quietly at home but his phone says he was somewhere else. In the more interesting cases, especially intelligence ones, getting a fast overview on where a suspect usually moves around provides a very strong view into his live. (See Malte Spitz visualization of his call data retention files over at Zeit Online for perspective what you can see from location data over time) .

Of course police can obtain location data from the operators as well. But, and this is big but, for that they often need a judge approval or (depending on country) warrant, it takes time and effort and is costly. And the operator may not even have the data anymore. Or the suspect has been in a foreign country, where the data is difficult to obtain anyway. Reading the data from the phone with a forensics tool is quite simple (there are phones readers on the market that are designed for use in normal poilce cruisers on the street), not effectively protected against in most jurisdictions and has a high evidence-value in court. So there is ample of motivation for law enforcement and intelligence to quietly encourage phone manufacturers (yes, I am looking on your direction too, Google) to leave logging activated, as it provides them with easy obtainable evidence.

So why then not ask the manufacturer to log precise GPS coordinates? Two reasons. One is that GPS eats lots of battery which would degrade the device performance if activated permanently, something that no phone manufacturer would do. The second reason is that all Apple had to do to do the agencies a favor was to just not delete the cell tower location data it was storing anyway. No special feature needed to be designed, not many people had to be involved, just two lines of code not written. And now it all looks conveniently like a programming error. This is btw. also the way that backdoors are built into all kind of products, so called “bug-doors”. In case the whole scheme blows up, the manufacturer always has the plausible deniability of claiming that this is just a bug.

Update: Several sources now confirm that the location logging is continued even when you have disabled location services in the iPhone. A reason to keep the last rough position present would be to make restarting the location service faster, when switched on again. But in essence, it is just another level of user betrayal, as people righfully expect that no location is calculated or logged when they disable location services. It confirms my suspicion that the “forever log” has been put in / left in by quiet law enforcement / intelligence request. And still Apple has not said a word.

Update2: Apple now has released a statement in the form of a Q&A, that tries to convince us that the data was indeed (as I described above) needed for faster location fixes. It claims that the forever-logging and the logging despite location services switched off were bugs (also as predicted above). The statement is not entirely plausible. It does not explain why a complete timestamp of last visit is attached to each celltower and WiFi station logged, instead of a sorting index for the last seen stations. Apple also states that the data should now be limited to a week, without explaining any technical reason for this. The way the location fixing works, the last handfull of location anchors (cell towers, WiFi stations) should be entirely sufficient to provide a quick re-fix. If you moved large distances with the phone switched off, the system needs to fetch the lookups anyway fresh from the network, so a week of logging will not help much. Third, Apple plans to encrypt the location log at some point. While it is a very good idea to encrypt as much sensitive stuff on phones as possible (I happen to work in the field), it will also make it more difficult to independently verify what Apple is actually storing then for a week. All in all not exactly a stellar response. While it is by its very nature very difficult to disprove my theory from above, Apples response has not really provided even a bit of relief.

* sentence updated with description of precise database contents

flattr this!

Leave a Reply