Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Cellphones Businesses Privacy Apple

Is Apple Tracking iPhone Users Through IMEI? 218

ariefwn writes ""As I sit here applying a new layer of Reynolds tin foil to my international hat of conspiracy, its been proven that Apple tracks iPhone usage and tracks IMEI numbers of all their iPhones worldwide. Hidden in the code of the 'Stocks' and 'Weather' widgets is a string that sends the IMEI of your phone to a specialized URL that Apple collects. I wonder if there will be any implications to owners of hacked iPhones..."
This discussion has been archived. No new comments can be posted.

Is Apple Tracking iPhone Users Through IMEI?

Comments Filter:
  • by LiquidCoooled ( 634315 ) on Monday November 19, 2007 @10:57AM (#21407033) Homepage Journal
    You signed an agreement when you bought the device.

    When you interact with Apple, we may collect personal information relevant to the situation, such as your name, mailing address, phone number, email address, and contact preferences; your credit card information and information about the Apple products you own, such as their serial numbers and date of purchase; and information relating to a support or service issue.

    However people will expect this to be at manual support time and not all the time.
    • And if someone got it off eBay?
      • by wattrlz ( 1162603 ) on Monday November 19, 2007 @11:11AM (#21407257)

        And if someone got it off eBay?
        In that case they can probably afford to sue.
      • by Barny ( 103770 )
        Then sue the person who sold it to you, duh.

        Same sort of problem as if a computer OEM doesn't give you the Microsoft EULA to peruse before running the pc for the first time.

        Btw OEM can actually bypass all that and just present the box ready to roll, they just have to put a sticker with about 20 lines of legalese on the invoice and get you to sign it (stating that you will read the EULA prior to operation), but I am guessing said e-tailer didn't do anything remotely like this.

        *sigh* another reason to love my
        • Then sue the person who sold it to you, duh.
          If there is no clause in the contract between Apple and the guy who sold it to you on ebay that says he must notify subsequent users of the license, then there is nothing to sue that guy for. Second hand purchasers would not be a party to the contract that the first buyer agreed to. Thus, the second hand purchaser would be able to sue Apple for something they did illegal. I don't know if collecting this info is illegal though.
    • Well, the EULA I signed when I got Windows also says they'll monitor whatever information they want out of me. So, it's good to know that all of these companies monitoring all of my information is *completely* okay, and nothing to worry about!

      Of course, I dont use Windows anymore because of the EULAs. So Ill *also* continue not buying an iPhone, and everything will be fine.
    • Re: (Score:3, Insightful)

      by tha_mink ( 518151 )

      You signed an agreement when you bought the device.
      I don't think anyone signed an agreement to publish their stock watching habits to Apple though. Name? Sure...Email? No problem...All the stocks I'm watching? Um...no.
    • <evil>

      So we all can do a little hack to drench the URL in falsified information making the data completely invalidated.

      If you can't get them by doing A you can do it by doing B instead.


      Of course all mobile devices are identifiable, the IMEI is part of the GSM standard and identifies the handset, just dial *#06# on your phone. The IMSI is the ID stored on the SIM card.

    • Let's see. Get all the cookies off your computers, and "don't accept cookies" on your browser, and watch the functionality go down. Throw off all scripting languages, too, because they can be hacked. Don't connect to the Internet. Put on a tinfoil hat so the rays won't get you. And live in a Faraday cage. Safe!
  • by mattgreen ( 701203 ) on Monday November 19, 2007 @10:57AM (#21407051)
    I'm waiting for someone to respond with an eight page analysis of why this isn't really a big deal, complete with immaculate formatting and excellent grammar. Then everyone simply looks at the length of the post and says, "aha! see, it ISN'T a problem! Not that I read it all, but I'm with *this* guy!"

    Don't let me down.
    • Re: (Score:3, Insightful)

      by Sparr0 ( 451780 )
      Well, not 8 pages but...

      Has anyone verified that the IMEI is actually inserted into that field in the URL when the widget runs? The author says he tried to not send the IMEI, but maybe it just sends a placeholder value, or nothing at all, by default? I want to see traffic logs of the actual request including the IMEI before I get angry and [continue to] not buy an iPhone.
      • Re: (Score:3, Insightful)

        by ThirdPrize ( 938147 )
        It is probably just to make sure that only iPhones use that service. Or registered iPhones at least.
        • Sort of a "user-agent" field, if you will?

      • Re: (Score:2, Informative)

        by bolo1729 ( 759710 )

        Has anyone verified that the IMEI is actually inserted into that field in the URL when the widget runs?

        From the article: Any attempts to modify the URL to exclude the IMEI information will not allow you to retrieve any information in the "Stocks" and "Weather" apps.

        It seems that the author did...

      • by Twid ( 67847 )
        I'm off work this week, so I went ahead and did it.

        http://todd.dailey.info/archives/2007/11/19/the-iphone-imei-echo-chamber/ [dailey.info]

        In summary from that link:
        - The "imei" field being sent to Apple isn't your actual IMEI in plain text.
        - The weather and the stock widget both contain different values for the imei field, so there must be some sort of encoding or salt added to the actual IMEI value for each one.
        - At this point there's no empirical data that the imei field data being sent has anything to do with your act
        • by shmlco ( 594907 )
          And according to a German security site, the ID is the same for every phone that was tested. Conspiracy hats off. Case closed.

          Maybe now we can discuss if the Kindle knows which pages you're lingering over and transmits suspicous activity to the NSA...
    • daveschroeder is putting the finishing touches on his message. He'll post it shortly. : p
    • by ironwill96 ( 736883 ) on Monday November 19, 2007 @11:03AM (#21407157) Homepage Journal
      Ok here goes.









      I'm feeling better already, what about you?
    • by Huntr ( 951770 )
      You could just read all the comments [slashdot.org] about Blizzard's Warden program for WoW, as they will likely be strikingly similar.
    • by jdc180 ( 125863 )
      And it shall be called roughlydrafted.
    • Re: (Score:3, Informative)

      Sorry, the idea of what is essentially a hardware device serial number being used to "track" anything at all, other than perhaps the fact the device is actually an iPhone, was to stupid for even me to grace with a response. ;-)

      This post [slashdot.org] sums it up quite nicely, though.
    • Well, Apple does already know the IMEI numbers of all the phones that have been shipped to stores. And if they wanted to, they could make a pretty good estimate of which IMEI numbers have already gotten into consumer hands by looking at when those stores have re-ordered phones. And they presumably have access to information about which IMEI numbers have been activated with AT&T, though I'm not sure if they have that information in real time.

      So essentially all this does is confirm that yes, indeed, the
  • Well... (Score:5, Funny)

    by abaddononion ( 1004472 ) on Monday November 19, 2007 @10:58AM (#21407059)
    At least it's Apple tracking you, not AT&T?

    • I'd hope there are more people on here who know what an IMEI is, what its used for, when it is used on ANY GSM phone and how it relates to the IMSI...

      This is /., I expect the flamefest to be shorter...
    • Re: (Score:2, Funny)

      by Typoboy ( 61087 ) *
      Right, AT&T has no possible way of tracking you, where you are, which cell tower you are talking to, etc.. oh wait </sarcasm>
  • Tracking what? (Score:2, Insightful)

    by Anonymous Coward
    Exactly what are they tracking though? My location, my history, my music? What?!
    • Re:Tracking what? (Score:5, Informative)

      by tgd ( 2822 ) on Monday November 19, 2007 @11:17AM (#21407345)
      Nothing, its a device serial number... not associated with your SIM and therefore not with your account. It proves its an iPhone to the webservice. Not much more.

      Bet I get modded down for saying it though :)
      • Nothing, its a device serial number... not associated with your SIM and therefore not with your account.
        But what about the credit card policy [google.com]?
      • by dave420 ( 699308 )
        Well, they know who bought the handset, so they do know who owns the IMEI in question. And, unlike sim cards, you can't change your IMEI easily (or possibly at all - it's a crime to do so in some countries). So if they wanted to, they could trace pretty much everything you did. But then AT&T can do that (and much more), so people worrying about this when AT&T is poised to rape their data seems a bit silly :)
        • Re:Tracking what? (Score:5, Insightful)

          by DaggertipX ( 547165 ) on Monday November 19, 2007 @01:46PM (#21409649) Homepage
          This just in - every time you make a call, AT&T knows what iPhone that call came from. EVERY. SINGLE. TIME.

          Oh wait... that's normal. Tinfoil hats are jumping at peoples heads these days like headcrabs in Half Life.
      • Odd isn't it, how people oiver react to such trivial events.
        Mobile phones communicate with telco's. Satellite boxes communicate with satellite tv providers. PC's bought from pc manufacturers like Dell and HP routinely monitor the software that they installed on your machine and keep it updated.

        There will be many such connections, most innocent. People who install my software from download.com, if they don't deselect 'download source code' get that code downloaded from my own server, thus recording their dow
      • by jimicus ( 737525 )
        And you don't think they register which phone was sold to which customer at the point of purchase?
      • Even worse: I went to a Web site and it warned me that my iPhone was broadcasting its IP address to EVERYONE!
    • They are tracking how many times you check the weather. It's probably to gather data to test the viability of using iPhone to proactively provide mental health services. People who suddenly begin displaying obsessive compulsive tendencies by checking the weather over and over will be offered the new service.
  • iPod Touch (Score:5, Funny)

    by jolyonr ( 560227 ) on Monday November 19, 2007 @10:59AM (#21407073) Homepage
    Of course, if I happened to be running the Stocks and Weather applications on my iPod Touch it wouldn't have an IMEI number to send, would it? Not that I am running those applications on my ipod, because that of course isn't allowed.

    • Re: (Score:3, Funny)

      by rvw ( 755107 )

      Of course, if I happened to be running the Stocks and Weather applications on my iPod Touch it wouldn't have an IMEI number to send, would it? Not that I am running those applications on my ipod, because that of course isn't allowed.
      Well it could send the serial number instead of the IMEI.
    • Re: (Score:3, Funny)

      by sumdumass ( 711423 )
      I don't know if it is an IMEI but when you sort things like stocks you want to watch or personalized weather as well as weather local to your direct vicinity, it has to send something to identify who your are and likely the your location. So I guess the question is, does this information need to identify the person, is there any way around that and does apple in fact store it? If so for how long and why?

      I'm not even sure this is a bad thing. It all depends on the stuff we don't know yet. To some, anything i
      • The weather sites and Stock site preferences could easily be set in your phone's preferences, or your phone could request a "local weather" forecast by sending the local zipcode (perhaps gleaned from the Cell-towers). There is no reason why they would need to know "User XYZ is in denver, and wants to know what the weather looks like" or "User ABC is in Hawaii, and wants to know his current stocks".
        • But you see, there is no reason not to know if the information is being deleted after it serves it's purpose.

          It isn't preferable to do things this way but it isn't automatically bad or evil. There is too much information that is just unknown to make any determination at this point.
      • Re: (Score:3, Interesting)

        by jacksonj04 ( 800021 )
        Stocks and weather (Along with Maps) don't self-localise, you need to tell them what you want. In addition, it'd be far easier for the phone to send its base station number(s) as position info, since sending the IMEI involves the application server contacting the network provider to ask where the phone is, rather than just looking up the base station number in a local table.
  • Most closed devices (e.g. consoles that have online stores), or phones, or pay-per-view boxes would be quite within their rights to send a device identifier with the request. In the case of a phone, that would be the IMEI.

    The moral here, is perhaps not to buy songs from Apple in the first place if it bothers you. Amazon.com sells music in MP3 format and you can use it any way and in any device you please.

    • Or just don't by anything from Apple. Overpriced was always my opinion, and the whole TPM thing didn't seem to concern a lot of non-FSF people...but covert tracking? How many more things will Apple get away with before people stop acting like Apple is a perfect angel company?
  • AT&T could send Apple whatever they wanted to know about usage and location.

    What else is there to know about your iPhone? Oh yeah, software version, but that's trivial to find out.

    Just when I'm looking to replace T-Mobile as my GSM provider, I'm pretty well stuck with the competition that is eager to drop their shorts and give whatever is asked for to whoever asks for it. Except me, of course.

    Well, time to go 'negotiate' with T-Mobile. Bleagh.

  • That's iMEI !
    Like all others Apple iThings.
  • apple the broker? (Score:3, Interesting)

    by erikkemperman ( 252014 ) on Monday November 19, 2007 @11:09AM (#21407223)
    While I'm not an economist or stockbroker, it seems to me that if apple knows which shares iphoners are most interested in, at a given time, this is extremely valuable information, e.g. to spot trends. Can't be bothered to read the user-agreement (have no iphone) but curious to know whether it gives apple the right to sell this data on to large brokers or even act upon the intel themselves?
  • more benign? (Score:5, Interesting)

    by datapharmer ( 1099455 ) on Monday November 19, 2007 @11:11AM (#21407259) Homepage
    Ever think maybe there was a more benign reason for this? Like to perhaps help in the retrieval of a stolen phone? Granted, it is probably not great for privacy, but if explicitly disclosed a savvy phone stealer could just disable or modify the apps. *This by no means excuses apple's privacy violations.
    • Re: (Score:3, Insightful)

      by jdc180 ( 125863 )
      IIRC the carriers in the US could care less about retrieving a stolen phone. They could use GSM to lockout stolen phones, but don't. I'm sure apple doesn't either.
      • by jimicus ( 737525 )
        Maybe not in the US, but they certainly do in the UK. Stolen IMEIs are put on a blacklist and the blacklist is checked when the phone attempts to register with the network. The same blacklist is shared amongst all the network operators.

        There was talk about extending this blacklist to other countries, but I don't know how far it is down the line.
        • It's more than a blacklist.. it's a kill switch. If a phone receives a validated kill signal from the provider it bricks - if you're very lucky the phone will boot after that but for the most part unless you're into JTAG you have to throw the phone away.

          The providers worked out long ago that blacklists don't work - criminals don't care that it's illegal to change an IMEI.

          I can be a git if you find the phone after reporting it stolen - there's nothing anyone can do. It's 'un-stolen' but there's no signal o
      • My sister recently had her phone stolen. She called Verizon and had the phone marked as stolen so when the thief went to reactivate it they simply confiscated the phone and notified her.
  • So, should people start wrapping their iPhones in tinfoil?
  • After all, they do share the same code base. So it won't shock me if Apple is doing something similar there via the MAC address of the WiFi chipset.
  • by LWATCDR ( 28044 ) on Monday November 19, 2007 @11:16AM (#21407337) Homepage Journal
    "As I sit here applying a new layer of Reynolds tin foil to my international hat of conspiracy,"
    Reynolds doesn't make tin foil. They make aluminum foil! There is a big difference between Tin and Aluminum!
    • So THAT is why I am dreaming about alien world domination!
    • [quote]Reynolds doesn't make tin foil. They make aluminum foil! There is a big difference between Tin and Aluminum![/quote]
      Yeah, and I'm sure the moon landing was faked, too.

      You conspiracy theorists sicken me.
  • This is more likely explained by a variant of Hanlon's Razor, to wit "never attribute to malice what could be explained by laziness".

    Since they know there's only one instance of the browser running on the phone, this is an easier way to maintain session information than using cookies. It's cheap, cheesy, and lazy.

    On to the solution: it shouldn't be hard to create a Mach/Cocoa overrider (using any of the various tricks to patch running apps, like APE does) to change the IMEI seen by widgets if you really wan
  • Sure the conspiracy theorists will have a field day, but there is a basic conflict between providing localized services and privacy of location. I don't know what Apple really use this information for, but I'm sure that (like just about everyone else) Apple would like to provide locally-relevant information to you as you travel. Weather is an obvious one - the nicest simplest to use UI would obviously want to be able to tell you what the weather will be tomorrow wherever you happen to be today.

    Of course

    • This is not really a question of what Apple does with the information, Apple is not out to harm its customers. It is more a question of what someone who is out to get you might be able to do with that sort of data. The FBI has been known to send agents to meetings of anti-war groups, who attempt to get group members to talk about actively fighting to government (e.g., with explosives); information about how members of such a group are using their cell phone could aide the FBI in this sort of activity. If
  • Tracking? (Score:5, Informative)

    by nickovs ( 115935 ) on Monday November 19, 2007 @11:29AM (#21407515)
    There's a substantial difference between receiving information and tracking people. Do the land-line phone companies "track" the calls you make? Sure, they use it to send you a bill, but most people don't seem to think it's a privacy violation. The author does not, as he claims, have "proof" that Apple track iPhone users, simply that they have the wherewithal to collate information about the services used by people if they could be bothered.

    The IMEI number is there to facilitate identifying mobile devices to the Public Land Mobile Network (PLMN) for the purpose of charging for services. Your IMEI goes out every time you connect to the EDGE network or any GPRS service anywhere in the world, and is (and always has been) logged by the phone company, irrespective of what brand of phone you have. It's always been possible for the phone company, or anyone with the right data sharing relationship with the phone company (e.g. Apple), or the police with a court order, or the CIA/FBI/KBG/MI6, to link this to the IP address assigned to the mobile device, and from there to server logs. People who worry about this shouldn't just be wearing tin-foil hats, they should be putting tin foil around their phones too.

    • Re:Tracking? (Score:5, Informative)

      by kybred ( 795293 ) on Monday November 19, 2007 @11:58AM (#21407949)

      The IMEI number is there to facilitate identifying mobile devices to the Public Land Mobile Network (PLMN) for the purpose of charging for services.

      No, that would be the IMSI [wikipedia.org]. The IMEI [wikipedia.org] just identifies what equipment you are using.

    • Problem here is that Apple doesn't need or deserve that info. It'd be like finding out that Motorola phones were, well, 'phoning' home to Motorola headquarters and not the service provider you have a service agreement with.
  • I just wrote some first impressions [slashdot.org] regarding my new iPhone. The inability to remove both the YouTube and Stocks icons is my biggest annoyance so far. Now I have even more reason to be rid of Stocks! Guess I'm going to have to void my warranty after all....
  • by eck011219 ( 851729 ) on Monday November 19, 2007 @11:33AM (#21407583)
    Just use your phone in a Faraday cage, and they can't track you at all.
  • Just change it... (Score:4, Interesting)

    by javab0y ( 708376 ) on Monday November 19, 2007 @11:40AM (#21407693)
    The Apple IMEI is TEA encrytped according to the phone's hardware ID and NOR ID. Both of these numbers can be found with a few tools found at iphone-elite.org. The IMEI lives at 0xA003FAB00 address. All you need to do is write out your seczone (0xA003FA000), TEA encrypt a nice Motorola RAZR IMEI number at offset 0xB00, and write it back to your NOR...and voila...your iPhone now looks like a Motorola RAZR.
    • Re:Just change it... (Score:5, Informative)

      by dave420 ( 699308 ) on Monday November 19, 2007 @11:55AM (#21407913)
      ... and go to jail! It's illegal to change your IMEI in the UK, fyi, so this isn't the best advice for anyone in the UK.
    • Re: (Score:2, Interesting)

      by kybred ( 795293 )

      All you need to do is write out your seczone (0xA003FA000), TEA encrypt a nice Motorola RAZR IMEI number at offset 0xB00, and write it back to your NOR...and voila...your iPhone now looks like a Motorola RAZR.

      Would you try that and let us know if your visual voicemail and widgets still work? Thanks!

      (That seems like a really bad idea. Maybe substitute a fake iPhone IMEI, but not a RAZR one).

      • Re: (Score:2, Informative)

        by javab0y ( 708376 )
        Yep...they work peachy. The service is off your SIM, not the IMEI. As for illegality...yep...I live in the USA...so no laws preventing it here. Yes...those who do this should probably examine their own countries' laws.
  • by Locutus ( 9039 ) on Monday November 19, 2007 @11:48AM (#21407811)
    Maybe they just mesh the IMEI number with location data provided by the GPS and/or AT&T to give you weather information based on where you are located at the time. Ever seen the ad where Google is used to find local eating joints? Don't know about you but I did not see any kind of location information getting entered and so some kind of location info is getting used.

    And you know that every ISP keeps records on what phones ping what cell towers and your ISP( AT&T ) already is known to have been very willing to hand out cell records.

    So get a pre-paid phone at Walmart if you want to limit your track-ability. After all, getting a "smart" phone from Apple with all the locked down and tied to Apple features isn't a clue that they just might track things? I hope you don't touch anything running Microsoft code.

  • the iphone *needs* to access the site http://iphone-wu.apple.com/ [apple.com] with your imei in order to update the weather.app. After i blocked the url in my proxy server, the weather app would no longer update.
    What is weird is that it either is sending a wrong imei number, or it is a hashed value...
  • The phone company pretty much has to track your phone 24x7. How else do they know how to route incoming phone calls. They have to know which cell tower you are nearest and they have to keep the information in a central place so they can quickly look it up when you get a call.

    I know they keep this information too. I lost my cell phone once and called Verison to ask them the last few locations they had. They were able to answer to within a few miles. Enough that I could figure out which place a left my p
  • heise Security did some research on this issue and actually captured the packets with the requests for stock prices. And while they did contain a number, it was certainly not the IMEI of the iphone. For what it is worth: the weather application even transmitted a different imei parameter. see: Controversial checks of stock prices with iPhone [heise-security.co.uk] bye, ju
  • Of companies that AREN'T tracking you.

    Have a credit card? Use a bank/credit union? Have utility bills? Ever buy anything without using cash? Wait wait, have a social security number (yes only applies to US citizens.) Ever fly on a commercial airline? Ever sign up for a "discount card" at a retail store? Ever leave the country? Let's not forget there is now even the possibility any international calls are being snooped on. AT&T is sending all your Internets to San Francisco!

    And yet THIS is the one people
  • Now that's brand marketing for you, Bill! (sucker!)

    Anyways, gimme the URL, I'd like to send them some stuff. (hehehe)

They are called computers simply because computation is the only significant job that has so far been given to them.