Is the FBI Tracking 12 Million Apple Users?
UPDATE 9/10/2012: Paul DeHart, CEO of the Blue Toad publishing company, told NBC News that its million-record database of UDIDs was stolen within the last 2 weeks and that there was a 98 percent correlation between its dataset and the one the hacker group Anonymous claims it stole from an FBI agent's laptop in March.
This week the hacker group known as AntiSec released a list of one million UDIDs—Unique Device Identifier numbers associated with Apple mobile devices—which it says came from a collection of 12 million UDIDs lifted from an FBI agent’s laptop.
The complete original file also contains user names, name of device, type of device, APNS tokens, ZIP codes, mobile phone numbers, addresses, and more. AntiSec’s release doesn’t include this personal information and the hacker group says it only wants the public to know that the FBI uses such information to spy on people.
Apple says it never gave the FBI any such information while the bureau itself issued a statement denying the data came from them. "The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data," it says, in a remarkably short and vague answer to a controversy of this magnitude.
Where did the List Come From?
An Apple spokesperson told the web site AllThingsD that “The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID.”
If that’s true and assuming the list wasn’t gleaned from some kind of hack into Apple or other company, the next most likely culprit is an app developer. Here’s why:
The UDID is an alpha-numeric string of characters that tells Apple and developers which device is yours so they can do things like push alerts to your phone, serve you ads and keep track of your preferences. Following privacy concerns Apple has cracked down on developers that track users via the UDID because it found that in addition to the identifier some developers were also garnering personal user data. That means any number of developers with more than 12 million users could have compiled the data the FBI agent supposedly had on his laptop.
Another clue the list is app-related was tweeted by AnonymousIRC (AntiSec is a subset of the loose hacking collective called Anonymous) and shown here.
Lots of people are trying to figure out which ones might be suspect. For instance, anyone who finds their device on AntiSec’s list can now help solve the mystery by completing an online survey that seeks to determine which apps are common to those listed.
Is Your Device on the List?
First, you need to determine the UDID of your Apple device. You can do that by connecting it to iTunes. From there, click on your device's name in the left-hand column and on the right you'll see system data, including your serial number. Click on it to show your UDID.
Alternately, you can use an app to figure it out. Just go to the iTunes Store and search for “UDID.” A slew of options are available for download.
The Next Web has posted a UDID checker. You can access the site anonymously by using a Web proxy like Anonymouse.org or HideMyAss.com. Of course your ID could be one of the 11 million that hasn't been released, so it would only confirm that you are on the list.
While it’s always risky to trust anything a hacker says, another expletive-ridden statement surfaced today supposedly from AntiSec that gives some cryptic clues to authenticate what it says it found on the FBI agent’s laptop. According to the post, the group is being careful with what information it releases because, basically, it doesn’t want to get caught. In the message, the person said more information will be forthcoming but it will be on the group’s timeline and no one else’s.
But the FBI’s denial leaves a lot to the imagination in terms of brevity and vagueness. Doesn’t it sort of sound like they’re saying “Prove it”? And even if any such stolen data didn’t technically come from an FBI-owned laptop, couldn’t it have been stored on an agent’s personal machine?
Why Would the FBI Want This Information?
That’s the most interesting question of all.
One security researcher pointed out to The New York Times that the F.B.I. could have received the file as part of a forensics investigation involving a separate data breach.
Then again, there is plenty of evidence the government wants to track people.
For example, legislation has been drafted by Congress that would make it easier for the government to spy on people. CISPA has already been passed in the House of Representatives and its Senate counterpart, SECURE IT, is in committee. While these bills aim to protect the U.S. from cyberterrorism, they also would allow companies to share user’s private data with the government without a warrant or any oversight.
There’s also a landmark case in which the Supreme Court in January ruled unanimously that police and the FBI violated the Fourth Amendment when they secretly attached a GPS tracker to a man’s car and tracked him for a month.
“But now the government — instead of fixing the way it conducts this kind of invasive surveillance — has simply set its sights on another way to obtain people's location information: their cell phones,” writes the ACLU in a statement.
The defendant is being retried and last week his attorney said that prosecutors have also obtained records showing the location and movement of his cell phone over the course of five months.
“Since the GPS data from Jones's car was thrown out by the Supreme Court, it seems the prosecution intends to use Jones's cell phone data to get another bite at the apple. Like the GPS device on the car, the government was able to obtain the cell phone information without a probable cause warrant. Instead, it only had to claim that the data was ‘relevant and material’ to an ongoing investigation,” the ACLU points out, adding that after investigating public records the civil liberties watchdog group found that hundreds of law enforcement agencies engage in cell phone tracking on a regular basis, many of which do so without a warrant.
The ACLU says pending legislation in Congress, titled the Geolocation Privacy and Surveillance (GPS) Act, would require law enforcement agents to obtain a warrant in order to access location information.
Want to support it? The ACLU has a slick tool on its site that will send a message to your legislators.