Saturday, March 17, 2012

Should Apple map your travels? Should police seize your cell phone data?

Thanks to Kenny Ketner for pointing this Apple privacy invasion out to me. TalkingPointsMemo reports that Apple iPhones and iPads are tracking every move we make (if we own one). I would assume iPod Touches are also guilty. Sam Biddle, the author, has a map on the article showing everywhere he's been for the last six months.

At this point it looks like the information isn't transmitted to anyone, it's only gathered on the i-device and the computer it is tied to. But does that really matter? Why gather that much information on your customers? There is no reason if you don't intend to use it - or find a use for it. Which begs the question of whether or not Apple or any company has the right to be gathering the data in the first place. But even if you do have the right and you do have a use for it, gathering it could put your customers at risk in a number of ways. Which leads us into the second half of this post:

infosec island reports that Michigan state police are using data extraction devices to collect data from cell phones when they make a traffic stop, and have been for several years. According to the report the extraction devices used by the Michigan police are capable of breaking encryption if data collected is encrypted. According to a brochure for the UFED mobile data extraction device it can extract:

  • Call logs, including SIM deleted call history
  • Contacts
  • Phone details (IMEI / ESN, phone number)
  • ICCID and IMSI
  • Text messages (SMS), including SIM deleted messages
  • Photos
  • Videos
  • Audio files
  • SIM location information: TMSI, MCC, MNC, LAC
  • Image geotags

If that's not enough:

 

The UFED’s SIM ID cloning feature allows data extraction from PIN locked SIMs, phones with missing SIM cards, and phones without network service. The cloned SIM card also allows access phones without connecting to a network, preventing incoming calls and messages, while preserving the existing call and message history.

 

Now we have police downloading the data from cell phones of people who have done nothing more than be pulled over for speeding. Shouldn't that fall under the heading of unreasonable search and seizure? Today it's not unusual for someone to have more of their personal lives on their cell phones than in the filing cabinet in their home office. Maybe even more than is in their computer. To say that police can download that data without having to get a warrant or even have probable cause is a gross violation of privacy and civil liberties.

I can understand and to some extent agree with the "border" searches of laptops. Sort of. But the pseudo-justifications given for those searches and seizures do not apply to most, if not all, of the people giving up their cell phone data because an officer said they had to. If it was an iPhone, they've given their life history for the last 6 months. I can already see misuses and abuses for such information. Imagine if you happened to be in the area of an unsolved crime at the wrong time. It wouldn't be the first time limited circumstantial evidence has been hyped into a conviction.

The ACLU of Michigan has requested info on what types of data has been gathered and what is being done with it. The state has agreed - if the ACLU will cough up over $500,000 to pay for it. From here something smells rotten in the state of Michigan.

What data is gathered about us, how it is gathered and who gathers it should be something we have a lot more awareness of and say in. Apple's movement mapping and Michigan's data theft are two things that must be brought to a screeching halt.