News recently emerged of the alleged AntiSec hack of an FBI computer, which leaked a revealing set of 1 million Apple product IDs, with the threat of another 11 million on deck. The FBI has apparently denied that this even happened, and yet a pretty stark element is being largely overlooked in all the reaction to this unfolding story: up until recently, a significant amount of tracking was being done on Apple devices, including a wealth of personal information, all without user consent.
Apple has chimed in with a denial of any sharing of information with the FBI or any organization. They also state in a report on AllThingsD that a ban on UDID usage will arrive with the new iOS 6 release, with the UDID replaced by a set of APIs. This is a welcome change, but on the surface it still does not completely dismiss privacy concerns, as the ban only addresses deliberate third-party application usage and can only act going forward. It will be telling to review emerging policies in the near future.
The UDID has made the devices targets for tracking: every iOS device has one. For some time, third parties have been collecting stockpiles of information on what is being done with your Apple device. Earlier in the year, there was a significant amount of congressional scrutiny of application privacy, focused on what was being collected and what policies were in place. Apple has apparently taken this inquiry seriously by banning the use of the UDID in future applications. Apple's response is telling: they want to discourage any notion of sharing of the information they have.
Along with AntiSec’s very detailed Pastebin release, they state:
“FBI will, as usual, deny or ignore this uncomfortable thingie and everybody will forget the whole thing at amazing speed.”
There are fears that the repudiation of AntiSec’s source may ultimately end with the further release of the rest of the 12 million Apple UDIDs and associated information. Time will tell, but in the meantime, the plain truth is that this data is out in the wild, with much more yet uncovered. More questions will continue to emerge about where it came from, and they may never be answered given all this denial. The bottom line is that smartphone usage is a privacy threat, and it makes sense that the industry is trying to alleviate concerns in this space.
If we follow AntiSec’s story and analyze it, the likelihood of an unencrypted CSV file sitting in storage on an FBI laptop should, by any estimation, be extraordinarily low. However, stranger things have happened, and it is not implausible. If the vector by which this file was acquired was indeed an FBI asset, then this is a direct strike at the heart of privacy fears – what would the FBI be doing with such a trove of information on private citizens? – 12 MILLION. Deny. Deny. Deny. It is hardly comforting, is it? Well, privacy hawks will have plenty to observe, it seems.