
iOS 8 Strikes an Unexpected Blow Against Location Tracking

Posted by Unknown Lamer
from the waiting-for-obvious-patents dept.
schwit1 (797399) writes 'It wasn't touted onstage, but a new iOS 8 feature is set to cause havoc for location trackers, and score a major win for privacy. As spotted by Frederic Jacobs, the changes have to do with the MAC address used to identify devices within networks. When iOS 8 devices look for a connection, they randomize the MAC address, effectively disguising any trace of the real device until it decides to connect to a network.'

  • by Anonymous Coward on Tuesday June 10, 2014 @02:55AM (#47200741)

    Generally, I've found this to be true. Their business model does not depend on a lack of customer privacy like Google.

    • by Anonymous Coward on Tuesday June 10, 2014 @03:00AM (#47200757)

      Apple already knows who you are and what you are doing and where you are and where you have been ...

      • by sonamchauhan (587356) <[moc.liamg] [ta] [cmanos]> on Tuesday June 10, 2014 @03:44AM (#47200957) Journal

        Correct. The only difference is that they don't like to share...

        • by Anonymous Coward on Tuesday June 10, 2014 @04:00AM (#47200987)

          The only difference is that they don't like to share..

          Yes they do, they even say so in their privacy policy: “[Apple will] make certain personal information available to strategic partners that work with Apple to provide products and services, or that help Apple market to customers.”

          In fact, if you read their privacy policy, you'd realize Apple gathers up about as much personal information on users as any other big tech company. The main difference is they say they don't connect the dots. In fact, they've been and are being sued for sharing too much user data...

          Personal user data is a big part of any technology company's business model these days. Even Apple.

          http://motherboard.vice.com/bl... [vice.com]

          • by sonamchauhan (587356) <[moc.liamg] [ta] [cmanos]> on Tuesday June 10, 2014 @04:14AM (#47201017) Journal

            Thanks - I suspected that this was the case, but wasn't sure.

            Location tracking stays turned off in my iOS device. A nuisance when you want a quick look at the streetmap of the area you're in.

            I suspect this entire ploy is so that iBeacons can be marketed more effectively.

            • by Tom (822) on Tuesday June 10, 2014 @04:46AM (#47201111) Homepage Journal

              Location tracking stays turned off in my iOS device. A nuisance when you want a quick look at the streetmap of the area you're in.

              You know you can turn it on and off selectively, yes? Allowing certain apps to use it, but others not?

              • That's GPS based location tracking carried out by your phone. TFA is referring to nasties like this - http://www.telegraph.co.uk/tec... [telegraph.co.uk] - where wifi enabled devices are tracked by wifi hotspots using their mac address.
            • by mcgrew (92797) *

              When I first saw this I thought "finally Apple has given folks a good reason to shell out the extra cash. Now if they were only waterproof and shock resistant like my cheap Kyocera..."

              I keep location services shut off as well, but on my phone turning it on or off is just a swipe and a touch. And it's extremely annoying that apps with no real use except stalking me keep nagging me to turn it on. It's why I refuse to upgrade my TuneIn app, the upgrade wants my address book! WTF? Stupid developers writing stup

          • by pmontra (738736) on Tuesday June 10, 2014 @05:24AM (#47201229) Homepage

            They don't connect the dots for everybody for free. Become a strategic partner (that is: find a way to bring them more money) and they'll be happy to connect the dots for you. So don't be naive: Apple cares about its customers only when it can turn that care into profit.

            BTW, this app [google.com] does the same on a rooted Android device.

            • BTW, this app [google.com] does the same on a rooted Android device.

              Thank you, thank you, thank you! Mod this up!

              • BTW, this app [google.com] does the same on a rooted Android device.

                Thank you, thank you, thank you! Mod this up!

                Replying to my own post. This app is also available on the 1Mobile Market.

            • Apple doesn't care as much about profit after the fact because they got 45% off of you as soon as you bought their phone.

              Even if you turn off every function on your phone--including the phone--and kept it in airplane mode the whole time like some sort of absurdly expensive iPod, Apple already made a profit.

              Apple cares about your privacy insofar as it allows them to put a bullet-point on the box that they can use to distinguish themselves from Google's model. Google needs information to make a profit. They make virtually no money off of Android itself; that's why buying a Nexus is so cheap.

              Essentially, Apple can afford to be stingy with information, and can afford for YOU to be stingy with YOUR information. Google can't.

              I'm sure Apple will turn your information into profit if it can, don't get me wrong. But it's not their primary business model. As long as the phone costs a lot of money, you can count on them being less interested in what you have to offer after the sale.

          • by jedrek (79264) on Tuesday June 10, 2014 @07:08AM (#47201503) Homepage

            Apple's falling out with Google over Maps was about GOOG wanting more data and Apple not wanting them to gather it.

            • by tomhath (637240)
              ...and Apple not wanting to share it with Google.
            • by stenvar (2789879)

              Apple's falling out with Google over Maps was about GOOG wanting more data and Apple not wanting them to gather it.

              Apple is fine with gathering the data, and sharing it, they just want to sell it themselves.

          • by Plumpaquatsch (2701653) on Tuesday June 10, 2014 @11:09AM (#47203101) Journal
            https://www.apple.com/legal/privacy/en-ww/ [apple.com]

            Privacy Policy

            Your privacy is important to Apple. So we’ve developed a Privacy Policy that covers how we collect, use, disclose, transfer, and store your information. Please take a moment to familiarize yourself with our privacy practices and let us know if you have any questions.

            ...

            Disclosure to Third Parties

            At times Apple may make certain personal information available to strategic partners that work with Apple to provide products and services, or that help Apple market to customers. For example, when you purchase and activate your iPhone, you authorize Apple and your carrier to exchange the information you provide during the activation process to carry out service. If you are approved for service, your account will be governed by Apple and your carrier’s respective privacy policies. Personal information will only be shared by Apple to provide or improve our products, services and advertising; it will not be shared with third parties for their marketing purposes.

            Service Providers

            Apple shares personal information with companies who provide services such as information processing, extending credit, fulfilling customer orders, delivering products to you, managing and enhancing customer data, providing customer service, assessing your interest in our products and services, and conducting customer research or satisfaction surveys. These companies are obligated to protect your information and may be located wherever Apple operates.

            Others

            It may be necessary by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence for Apple to disclose your personal information. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.

            We may also disclose information about you if we determine that disclosure is reasonably necessary to enforce our terms and conditions or protect our operations or users. Additionally, in the event of a reorganization, merger, or sale we may transfer any and all personal information we collect to the relevant third party.

        • by DrXym (126579)
          I doubt Google does either. Or Facebook. Or LinkedIn. Or Microsoft/Bing. Or any other service which specialises in gathering all your precious information in order to monetize it. They want it all to themselves because it's to their commercial advantage to do so.
        • by stenvar (2789879)

          They like to share with people who shove enough money into their hands. It's the same as with the rest of their OS, which is a hodgepodge of features designed to funnel business to specific partners. Apple "cares about your privacy" in the same sense that a pimp cares about the virginity of his ladies: their customers should be able to enjoy the illusion of it.

    • by Anonymous Coward on Tuesday June 10, 2014 @03:03AM (#47200773)

      Generally, I've found this to be true. Their business model does not depend on a lack of customer privacy like Google.

      No, this is about 3rd parties tracking you - it means your iPhone does not provide its MAC address to the network(s) it has found. This never had anything to do with Apple tracking you, nor does it stop Apple from keeping tabs on what networks you have identified while looking for a connection.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        True. But I think the point is that Google's business plan depends on 3rd parties. It's not exactly a good comparison, but this is one more example of Apple's positive protection of customers' privacy against Google's equal number of negative examples.

      • by mwvdlee (775178) on Tuesday June 10, 2014 @03:40AM (#47200943) Homepage

        More specifically this is about 3rd parties tracking you, without paying Apple.
        All this does is close up the tracking options that compete with Apple's tracking options.
        As for Google, I suspect we'll see this happening on Android phones soon enough as MAC tracking competes with Google as well.

        • What Apple tracking options? iBeacon I suppose could be used for that but users have the option to enable or not.
          • by stenvar (2789879)

            iBeacons is just one small part of what they do. Apple's devices (like everybody else's) constantly determine your location, and unless you're very careful about disabling it, transmit it. Whether this bothers you or whether it should bother you is another question, but it is happening.

            • Re: (Score:2, Informative)

              by Anonymous Coward

              They actually don't. CoreLocation does not operate unless an app has requested it. If it does operate, it doesn't send anything to apple unless you specifically opted in. If you did specifically opt in, it sends anonymised, randomised data, rather than actually tracking you.

            • by thoromyr (673646) on Tuesday June 10, 2014 @09:48AM (#47202365)

              really? I know they were roundly accused of this with no evidence ever provided other than a bug which caused excessive *local* retention of location data. Interestingly, it came out at about the same time that *google* was in fact shipping the location data back to the mothership (something Apple doesn't do) with no retention limits evident.

              As a company, Google *depends* on eliminating privacy -- it is the source of their revenue. Apple depends on hardware sales. So while they make some money by selling aggregated data (and try to foist obnoxious things like itunes radio on their users) that is not actually their core business nor a significant part of their revenue stream. When Apple advertised an earlier incarnation of icloud as being better privacy they didn't call out Google specifically -- they didn't need to. The people who cared already knew who they are talking about.

              But somehow Apple is the anti-privacy company and google is okay. I never understand the fanboys.

              If you want to bust on Apple, great, I'm all for it. Just bust them on things they are actually guilty of and don't try to misrepresent them. They've definitely done some bad things, but strangely they don't seem to get beat up for things they've really done (or the issue is misrepresented).

              What I'm saying is that while it may be fun to trot out things like the "640K should be enough for everyone" to bust on Bill Gates that is an urban myth and he never said it. Instead, bust on him for things that he *did* do (like hire someone else to pirate CPM). Same for Apple and Jobs (I just have a somewhat better memory for the Microsoft end of things, hence using MS-centric example).

            • Apple's devices (like everybody else's) constantly determine your location, and unless you're very careful about disabling it, transmit it.

              Source please. Otherwise this is just FUD.

              iOS devices determine your location if you agreed to at least one app using that information. The device also doesn't transmit this information. An app might if you opted in to location tracking. For something like "find my friends" that's kind of the point, you know.

              (Of course, *every* active cell phone can be tracked by the cell phone network. But I don't think that's what you were referring to.)

      • by SuricouRaven (1897204) on Tuesday June 10, 2014 @04:51AM (#47201123)

        No, it still provides your MAC to the network. Doing otherwise would break things - static DHCP reservations for one. It means the iPhone won't provide its MAC address *until* it finds a recognised network to connect to - it won't be broadcasting it constantly while you are out traveling or shopping.

        • Umm, no (Score:4, Informative)

          by Viol8 (599362) on Tuesday June 10, 2014 @06:56AM (#47201467)

          It actually randomised the MAC address. It's been a long time since MACs were burnt into ROM and couldn't be changed. On Linux you can do it using ifconfig or one ioctl() in C.

          • Re:Umm, no (Score:4, Informative)

            by gmack (197796) <gmack@NOsPAM.innerfire.net> on Tuesday June 10, 2014 @07:59AM (#47201685) Homepage Journal

            RTFA, it only randomizes on scan and goes back to the original MAC address when it connects. You are correct that it is easy to change the MAC address, but that doesn't change the fact that randomizing the MAC address on connect would break things like DHCP reservations or MAC-based white lists.

          • by Megol (3135005)

            But trying to sidestep the fundamentals of the network design isn't a wise choice. Using a random MAC when scanning doesn't matter except for someone tracking devices by their MAC identifier. Using a random one when _connecting_ to a network could lead to problems...

            • by Viol8 (599362)

              "Using a random one when _connecting_ to a network could lead to problems..."

              Never caused me any problems. I have a script that randomizes the wlan0 MAC address on my netbook for when I'm staying in hotels. Stops them tracking me between different locations.

    • by fuzzyfuzzyfungus (1223518) on Tuesday June 10, 2014 @03:13AM (#47200833) Journal

      Generally, I've found this to be true. Their business model does not depend on a lack of customer privacy like Google.

      I would be more optimistic if it weren't for the fact that Apple went and deliberately developed "iBeacon [wikipedia.org]", more or less deliberately designed for every sort of horrid 'location based service' and 'relevant offer' crap in the book.

      Architecturally, hunting for wifi networks with a spoofed MAC is a good idea; but it sure does look like Apple is cutting an attempt to track their phones the non-blessed way off at the knees, even as they actively provide a blessed way of doing it.

      In the same way, they cracked down on apps that used phone serial numbers, IMEIs and similar; but then built an "advertising identifier" right into their OS.

      They want to be sure that you find the experience of being sold tasteful and unobtrusive; but they aren't actually your friends, nor do they consider your hardware purchase to be sufficient to exempt you from being the product.

      • by Anonymous Coward on Tuesday June 10, 2014 @03:21AM (#47200863)

        You make a good point. However, iirc, a user can completely disable their iPhones from responding to iBeacons. So even under the "blessed" way, a customer's privacy is still within their personal control.

        • well, to do so means turning off Bluetooth, which sucks because I hate using corded headphones.

          And iBeacon hardware can trivially also work the same way as wifi tracking, by just tracking the bluetooth id your phone is emitting all the time instead. It's unique to your phone and can be used to pin down the phone's location quite precisely.

          while iBeacon itself is quite benign if you just don't download/authorize the stores app to get the iBeacon messages, I'm sure larger stores will spring the extra couple o

      • Re: (Score:3, Informative)

        Big difference iBeacon needs to be enabled per app, the user has control! Here the user was scanned without their consent, this new privacy feature is awesome.
        • Big difference iBeacon needs to be enabled per app, the user has control! Here the user was scanned without their consent, this new privacy feature is awesome.

          It's better than that. For every set of iBeacons, you have to specifically download, install and run an app that reacts to that iBeacon, or nothing will happen at all. The beacons themselves have no hardware to receive any data from the device. On stackoverflow.com you will find people asking all the time how to receive data from _any_ beacon, and are surprised when they are told there is no API for that.

      • by Tom (822) on Tuesday June 10, 2014 @04:41AM (#47201087) Homepage Journal

        Apple went and deliberately developed "iBeacon"

        Which works by Bluetooth, not WiFi, and it's basically a Bluetooth broadcaster. Also, it is opt-in.

        In the same way, they cracked down on apps that used phone serial numbers, IMEIs and similar; but then built an "advertising identifier" right into their OS.

        That you can opt out of [osxdaily.com].

        • by tepples (727027)
          Then the application could require the user to create a unique screen name and password in case the user has the "Show Me Irrelevant Ads" options turned on. Or what in the App Store Review Guidelines document prohibits that?
      • Per the Wikipedia page on iBeacon [wikipedia.org] you linked: "The only role of the iBeacon is to advertise to the phones of its own existence at the physical location. iBeacon do not actively push out notifications (other than the iBeacon advertisement frames) nor does iBeacon actively track nearby users."
    • by Tom (822) on Tuesday June 10, 2014 @04:30AM (#47201055) Homepage Journal

      It is true.

      The reason is that for Apple, you are the customer. For Google, you are the product, because its customers are the advertisers.

      • by dave420 (699308)
        Oh it must be true, as a pithy one-liner describes it so. Or not. Yes, Google gets the majority of its money from advertising. You fail to notice that Google users are the ones who buy the advertising, and are the ones who click on adverts. This also ignores the many non-ad-based services Google offers, but I guess that's not as cool as your one-liner, even if it is far more accurate, so you will keep spouting that nonsense.
        • by Tom (822)

          I refer to my reply to the other guy. Sure, one-liners always simplify facts, but in this case, it's pretty clear cut.

      • When I buy a Google/ASUS co-branded Nexus 7 tablet from Google Play Store, how am I not the customer? Or am I strictly only ASUS's customer and Google's product? When my boss buys a Google Apps subscription for his company, how is he not the customer?
        • by Tom (822) on Tuesday June 10, 2014 @09:49AM (#47202369) Homepage Journal

          When I buy a Google/ASUS co-branded Nexus 7 tablet from Google Play Store, how am I not the customer?

          Google makes a bit over $14 billion revenue. Just under $13 billion of that is from advertisement.

          Apple makes the vast majority of its $54 billion revenue on hardware, a small part ($4 billion) on software and iTunes sales and its advertisement revenue is so small it vanishes somewhere under "services" and I couldn't quickly find a number for it.

          Ask yourself which company is more likely to sell out your data to advertisers. The one that makes 90% of its money from them and 10% from you, or the one that makes 98% of its profits from you and 2% from them.

        • by Ksevio (865461)
          Because it's IMPOSSIBLE for a company to have customers other than its primary revenue stream. Even if you sell products to your other products and provide support to your products and ask your products for feedback to make your products better for your other products. Or something like that.
    • by gl4ss (559668)

      they care about hiding potential profits from it from other people.

      while breaking standards.

      they'll still keep a list of where you've been on the phone..

      • by grub (11606)

        they'll still keep a list of where you've been on the phone..

        Settings -> Privacy -> Location Services -> System Services -> Frequent Locations -> Off
        There are several good privacy related options in there.
    • They don't really care about your privacy, they care about knowing more about you than their competitors do.

  • by Anonymous Coward on Tuesday June 10, 2014 @02:59AM (#47200753)

    At least according to the prosecutors who went after Aaron Swartz. His laptop got locked out of a network so he changed the MAC address with the built-in MacOS GUI utility and they said that was like filing the serial number off a car. Now all iphones are going to change it randomly during network scan? OMG, that's like a car that files off its own serial number every time you go around the block! Alert the authorities!!!!! Sigh.

    • by jklovanc (1603149)

      Most laws, except negligence statutes, have an intent clause. In Swartz's case it would have been easy to show that his intent was to circumvent being kicked off the network. Randomizing during search can easily be shown as an intent to remain anonymous.

    • Lack of intent (Score:5, Insightful)

      by Camael (1048726) on Tuesday June 10, 2014 @03:25AM (#47200887)

      In your example, the prosecutors were able to argue that deliberately using a utility to intentionally change your MAC address was akin to taking steps to file off the serial numbers of a car. This is because Aaron intended to change his MAC address and deliberately took steps to effect the change.

      If future iPhones automatically change their MAC address, on their own, without any intervention by their user, where is the crucial element of acting with intent or deliberation?

      It is far too soon to cry wolf.

      • by jklovanc (1603149)

        You are close but the intent issue is not in the act but in what the act was intended to do. It was not the fact that he used a utility to intentionally change his address but that he changed his Mac address with the intent of getting around his being kicked off the network. For example I could draw a dollar bill and use it to buy something as long as I am clear that it is a drawing and not a real bill. I do not "intend" to pass the bill as real money. This is why Boggs [wikipedia.org] has never been convicted of counterfe

        • by bytesex (112972)

          It's not about intent at all - a MAC address is simply meaningless! A car's serial number is something that is officially allotted, and has all sorts of codified repercussions. A MAC address is simply a number. Prosecutors arguing that changing your MAC address is akin to filing off a car's serial number, are like those that argued that etoy.com had a .com address and therefore was meant to be used in the US only: a complete fabrication intended to pull the wool over the judge's eyes!

    • but changing MAC is like filing serial# off a car! At least according to the prosecutors...

      Not any more. The Bluetooth Sig just spent four years in heavy sessions to plug the privacy leak from the MAC address tagging every packet with a device "serial number". This was rolled out in Bluetooth 4.0, especially in the Bluetooth Low energy addition.

      If the option is turned on, the "MAC address" that labels the packets is pseudo-randomly chosen and constantly mutating. If the other device trying to communic

    • At least according to the prosecutors who went after Aaron Swartz. His laptop got locked out of a network so he changed the MAC address with the built-in MacOS GUI utility and they said that was like filing the serial number off a car. Now all iphones are going to change it randomly during network scan? OMG, that's like a car that files off its own serial number every time you go around the block! Alert the authorities!!!!! Sigh.

      Sad that you don't understand enough about how WiFi works. There are two phases: In the first phase your device detects routers around it. In that phase, it must give out a MAC address so that the router can respond, but the MAC address is completely irrelevant. And no WiFi router will block out anyone during that discovery phase. The second phase is the connect phase, and in the connect phase, the device does indeed give its own MAC address.

      In other words, what you are saying is complete bullshit.

  • Good.
  • When it connects it uses the real MAC address so MAC filtering will work.

    • Unless your access point is hidden and doesn't respond to MAC's it doesn't know about. The iPhone will never find the network it's looking for.

      • by neoform (551705)

        Why would you be scanning for a hidden network? If you know where the network is, no scanning is needed.

    • Re:Security (Score:4, Insightful)

      by fnj (64210) on Tuesday June 10, 2014 @03:33AM (#47200927)

      Uh, yeah. MAC filtering will work as well as it ever works, which is to say providing no more than the illusion of security.

      What this does accomplish, though, is a real measure of somewhat increased privacy.

      • Not true. MAC filtering is easily subverted if there is a device nearby already connected, and if the attacker is willing to spend some minutes looking over dumps. It's pathetic security, but it's still better than none at all, as the extra time taken can hold off opportunistic hackers. There's still no good reason to use it, though.

  • Apparently Nordstroms is logging all phones that enter into their stores. Then they can know how many times you've entered, how long you stayed, when you left. I wasn't aware they were starting to do that.
  • Let's suppose a malfunctioning device is crashing my enterprise wifi system. Tell me again, how on earth will I block it, and much less detect it? This is so wrong on many levels from the technical point of view...
    • by Tom (822)

      Say thank you to the advertisers who make such crap necessary.

      Yes, technologically, it would be much better if we didn't have to do things like this. Spam filters and RBLs and greylisting make debugging e-mail delivery problems hell as well. But you can't have working e-mail without them, because if you try, you get flooded by spam.

      Same thing. Yes I agree technologically it would be better to not have to do this. Unfortunately, we have to.

    • by hobarrera (2008506) on Tuesday June 10, 2014 @05:03AM (#47201163) Homepage

      Your enterprise network gets crashed by a [broken?] device that scans for available wireless networks?
      Looks like your enterprise network has some very serious issues you'll want to look into asap!

    • by aaarrrgggh (9205)

      If your network can be crashed by a device not connected to it, but broadcasting packets with its MAC address spoofed for the purposes of compliance with 802.11 specifications then you have a real problem.

      Once the device authenticates with and connects to your network, it broadcasts its real MAC address.

      The only thing I can see this messing up other than user tracking is using net stumbler to see who/what is in your area. Hopefully they don't use MAC addresses outside of their legitimate manufacturer IDs

      • They will use locally administered MAC addresses (you know, those with the 7th bit set to 1 instead of the traditional 0) which are not assigned to any manufacturer. (source: image in the twit)
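
The scan-time behaviour discussed in this thread, as an added example (not code from the article, from Apple, or from any commenter): it tests the locally administered bit the comment above refers to, builds a random scan address with that bit set, and shows how a monitoring or inventory tool that counts distinct MACs in probe requests should separate vendor-assigned addresses from randomized ones. The function names and the sample probe log are constructed for illustration.

```python
import re
import secrets

_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}")


def parse_mac(text):
    """Return the six octets of a MAC written as aa:bb:cc:dd:ee:ff or aa-bb-..."""
    text = text.strip()
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", text))


def format_mac(octets):
    return ":".join(f"{b:02x}" for b in octets)


def is_locally_administered(mac):
    # U/L bit: value 0x02 of the first octet (the "7th bit" when counting from
    # the most significant bit). 1 = locally administered, 0 = vendor OUI.
    return bool(parse_mac(mac)[0] & 0x02)


def is_group_address(mac):
    # I/G bit: value 0x01 of the first octet. A source address must be unicast.
    return bool(parse_mac(mac)[0] & 0x01)


def random_scan_mac():
    """Random unicast, locally administered address, as used while scanning."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE  # set U/L bit, clear I/G bit
    return format_mac(raw)


def summarize_probes(observations):
    """Split probe-request source MACs into vendor-assigned and randomized.

    observations: iterable of (timestamp, mac_text) pairs.
    Only vendor-assigned addresses are stable enough to count as devices;
    locally administered ones change between scans and cannot be linked.
    """
    vendor, local, rejected = set(), set(), []
    for ts, mac in observations:
        try:
            octets = parse_mac(mac)
        except ValueError:
            rejected.append((ts, mac))
            continue
        if octets[0] & 0x01:          # multicast source: malformed capture
            rejected.append((ts, mac))
        elif octets[0] & 0x02:
            local.add(format_mac(octets))
        else:
            vendor.add(format_mac(octets))
    return {
        "distinct_macs": len(vendor) + len(local),
        "vendor_assigned": sorted(vendor),
        "locally_administered": sorted(local),
        "rejected": rejected,
    }


# Constructed sample: one older device probing twice with its vendor-assigned
# address (00:00:5e:00:53:xx is the RFC 7042 documentation range) and one
# device probing three times with a fresh randomized address each time.
SAMPLE_PROBES = [
    ("12:00:01", "00:00:5E:00:53:01"),
    ("12:00:02", "da:a1:19:3c:7e:10"),
    ("12:03:40", "00-00-5e-00-53-01"),
    ("12:05:12", "6e:41:0b:92:aa:04"),
    ("12:09:55", "92:17:c3:5d:08:e1"),
    ("12:10:00", "not-a-mac"),
]

if __name__ == "__main__":
    print(summarize_probes(SAMPLE_PROBES))
```

On the sample, a naive distinct-MAC count reports four devices where there are two; only the vendor-assigned address identifies a device across observations.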

  • The adoption of measures protecting privacy depends on user demand. Online commerce has been considered safe enough for years yet exchanging an email or having any online activity is completely unprotected. I was always surprised by lack of interest from users. Maybe the younger users, if they are not yet addicted to making all their life public on facebook et al would put some pressure for simple technical solutions that guarantee a basic level of privacy. Obviously, I don't expect complete protection agai

  • Stores and malls that want to track you still have options - perhaps the most obvious one is to offer free wifi to their customers. Which is probably a win-win situation, although most users probably won't realise that part of the price of the "free" wifi is that they get tracked until they tell their device to forget the network again. There might be some subtle biases introduced into the data captured by this method if some kinds of customer are more likely to accept the offer of free wifi than others,

  • The randomized MAC addresses might not be all that random. Apple might be able to reverse engineer the fake mac address to find the true mac address. That algorithm might be licensed to "business partners" for a fee. Apple is just interested in preventing third parties from tracking you without paying the due share to Apple.
  • by Squidlips (1206004) on Tuesday June 10, 2014 @08:32AM (#47201825)
    The NSA wants to know
  • Apple probably uses a logic to generate the random mac address depending on time of day, etc. Unfortunately, while advertisers may not be able to track the owner of the phone that easy anymore, I'm sure the law enforcement has a copy of the logic to reverse engineer to find the owner of the phone. Having said that though, I'm sure the law enforcement has other tools at their disposal to track one down. I think the better solution is to use TASKER to disable automatically when leaving the home/workplace a
