How police have obtained iPhone, iPad tracking logs
Law enforcement agencies have known since at least last year that an iPhone or iPad surreptitiously records its owner's approximate location, and have used that geolocation data to aid criminal investigations.
Apple has never publicized the undocumented feature buried deep within the software that operates iPhones and iPads, which became the topic of criticism this week after a researcher at a conference in Santa Clara, Calif., described in detail how it works. Apple had acknowledged to Congress last year only that "cell tower and Wi-Fi access point information" is "intermittently" collected and "transmitted to Apple" every 12 hours.
At least some phones running Google's Android OS also store location information, Swedish programer Magnus Eriksson told CNET today. And research by another security analyst suggests that "virtually all Android devices" send some of those coordinates back to Google.
Among computer forensics specialists, those location logs--which record nearby cell tower coordinates and time stamps and cannot easily be disabled by someone who wants to use location services--are not merely an open secret. They've become a valuable sales pitch when targeting customers in police, military, and intelligence agencies.
The U.K-based company Forensic Telecommunications Services advertises its iXAM product as able to "extract GPS location fixes" from an iPhone 3GS including "latitude, longitude, altitude and time." Its literature boasts: "These are confirmed fixes--they prove that the device was definitely in that location at that time." Another mobile forensics company, Cellebrite, brags that its products can pluck out geographical locations derived from both "Wi-Fi and cell tower" signals, and a third lists Android devices as able to yield "historical location data" too.
Alex Levinson is the technical lead for a competing company called Katana Forensics, which sells Lantern 2 software that extracts location information from iOS devices.
"The information on the phone is useful in a forensics context," Levinson told CNET today. Customers for Lantern 2, he said, include "small-town local police all the way up to state and federal police, different agencies in the government that have forensics units."
Research by security analyst Samy Kamkar, a onetime hacker with a colorful past, indicates an HTC Android phone determined its location every few seconds and transmitted the data to Google at least a few times an hour, according to a report in The Wall Street Journal. It said that the Android phone also transmitted the name, location and signal strength of nearby Wi-Fi networks, as well as a unique identifier for the phone.
Apple did not respond to a request for comment. Google could not immediately be reached for comment.
Apple's iOS operating system does not appear to make geolocation logs readily available to applications, but storing records of an owner's physical meanderings raises novel security and privacy concerns. Not only is the log stored on the device itself (a lock code can easily be bypassed by forensics software), but it's typically backed up on the computer to which it's synchronized.
One concern is the circumstances under which law enforcement can gain access to location histories. Courts have been split on whether warrants are required to peruse files on gadgets after an arrest, with police typically arguing that the Fourth Amendment's prohibition on unusual searches doesn't apply. (The Justice Department under the Obama administration, in a series of prosecutions including one in Nebraska involving a crack cocaine dealer, has taken the same position.)
In addition, the U.S. Department of Homeland Security has publicly asserted the right to copy all data from anyone's electronic devices at the border--even if there's no suspicion of or evidence for illegal activity. The U.S. Ninth Circuit Court of Appeals has blessed the practice.
All of this has led to a spike in law enforcement interest in the topic. Micro Systemation, a Swedish firm that announced last year the U.S. government had placed the largest order in the company's history, offers a course on how to extract "GPS information" from the "Apple iPhone, iPod Touch and iPad devices." A now-deleted description of the course, retrieved from Google's cache, says students will "learn how to acquire data and retrieve GPS location" from iOS devices. O'Reilly Media, too, offers a two-day workshop on iPhone forensics for the princely sum of $3,500. (Police get a discount.)
Micro Systemation said in a post on its Web site that this week's news "will come as a surprise to most iPhone users, as their devices do not give any visual indication that such data is being recorded." But, the company said with some apparent glee, they're "no surprise to the developers here at MSAB who have been recovering this data... for some considerable time."
The U.S. Department of Justice has funded tests of which "mobile device acquisition tools" are most effective in forcibly extracting information from iPhones. Test results (PDF) for the iXAM software say it was able to "acquire SIM memory and review reported location related data." Another evaluation of a competing product called Mobilyze 1.1 (PDF) said "if the cellular forensic tool supports acquisition of GPS data, then the tool shall present the user with the longitude and latitude coordinates for all GPS-related data in a useable format," although neither report appears to have tested that feature. The U.S. Embassy in Bogota, Colombia, even pays for training for local counter-narcotics agents to learn about iPhone and BlackBerry forensics.
A book titled iOS Forensic Analysis ($59.99 list) published by Apress in December 2010 elaborates on how the information is stored. Here's an excerpt:
Cell tower data also has geospatial data. This data covers all cell towers that the iDevice comes into contact with. This list can be very extensive and can assist in investigations of placing a phone in a general area from a cell tower on a given date and time. These data points have changed file types over time...This property list appears to give not only the latitude and longitude from where the cell phone was in relation to the cell tower but also the compass heading from it. The compass heading is very important so you can get an azimuth from the cell tower to the iPhone. All these values--latitude, longitude, and azimuth--combined can give an approximate location of the iPhone. A date and time value is also given in the property list...This, on top of other artifacts on the device, adds up to giving you a complete picture of the travels of the iDevice and could place the phone in a general area in reference to a crime.
Rep. Ed Markey, the Massachusetts Democrat, today wrote a letter (PDF) to Apple CEO Steve Jobs posing a series of questions, including whether the company collects this information from iPhone users and whether the logs can be turned off. Markey also suggested the practice could violate federal privacy law, 47 USC 222, although the language only applies to "telecommunications carriers" and not handset makers. (See related article about Markey pressing wireless carriers for tracking details earlier this month.)
It's still not entirely clear when Apple added this extensive location logging to the iOS operating system, except that it did exist in an even less visible location before iOS 4.
An August 2008 analysis of the files suggested that the "cache.plist" file only included the most recent location. That's also what iPhone hacker-turned-author Jonathan Zdziarski wrote in his September 2008 book on iPhone forensics, saying it "contains the last coordinates fixed on by the GPS."
Levinson of Katana Forensics, who previously published information about the location logs, says the alterations in the database between iOS 3 to iOS 4 strongly suggests that Apple is intentionally storing the data.
"I don't buy the argument that Apple dropped the ball on the data being there, that the programmer forgot" to delete old locations, he says.