Slashdot Mirror
Is Apple Tracking iPhone Users Through IMEI?
ariefwn writes ""As I sit here applying a new layer of Reynolds tin foil to my international hat of conspiracy, its been proven that Apple tracks iPhone usage and tracks IMEI numbers of all their iPhones worldwide. Hidden in the code of the 'Stocks' and 'Weather' widgets is a string that sends the IMEI of your phone to a specialized URL that Apple collects. I wonder if there will be any implications to owners of hacked iPhones..."
You signed an agreement when you bought the device.
When you interact with Apple, we may collect personal information relevant to the situation, such as your name, mailing address, phone number, email address, and contact preferences; your credit card information and information about the Apple products you own, such as their serial numbers and date of purchase; and information relating to a support or service issue.
However people will expect this to be at manual support time and not all the time.
liqbase
I'm waiting for someone to respond with an eight page analysis of why this isn't really a big deal, complete with immaculate formatting and excellent grammar. Then everyone simply looks at the length of the post and says, "aha! see, it ISN'T a problem! Not that I read it all, but I'm with *this* guy!"
Don't let me down.
At least it's Apple tracking you, not AT&T?
Wait...
Exactly what are they tracking though? My location, my history, my music? What?!
Of course, if I happened to be running the Stocks and Weather applications on my iPod Touch it wouldn't have an IMEI number to send, would it? Not that I am running those applications on my ipod, because that of course isn't allowed.
Jolyon
Please read my Canon EOS tech blog at http://www.everyothershot.com
I, for one, welcome Steve Jobs as our new overlord.
http://www.CelloFourteGroupie.net
The moral here, is perhaps not to buy songs from Apple in the first place if it bothers you. Amazon.com sells music in MP3 format and you can use it any way and in any device you please.
AT&T could send Apple whatever they wanted to know about usage and location.
What else is there to know about your iPhone? Oh yeah, software version, but that's trivial to find out.
Just when I'm looking to replace T-Mobile as my GSM provider, I'm pretty well stuck with the competition that is eager to drop their shorts and give whatever is asked for to whoever asks for it. Except me, of course.
Well, time to go 'negotiate' with T-Mobile. Bleagh.
deleting the extra space after periods so i can stay relevant, yeah.
That's iMEI !
Like all others Apple iThings.
-- Rastignac was here.
While I'm not an economist or stockbroker, it seems to me that if apple knows which shares iphoners are most interested in, at a given time, this is extremely valuable information, e.g. to spot trends. Can't be bothered to read the user-agreement (have no iphone) but curious to know whether it gives apple the right to sell this data on to large brokers or even act upon the intel themselves?
Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
Ever think maybe there was a more benign reason for this? Like to perhaps help in the retrieval of a stolen phone? Granted, it is probably not great for privacy, but if explicitly disclosed a savvy phone stealer could just disable or modify the apps. *This by no means excuses apple's privacy violations.
Get a web developer
ÑÑÑÑÑÑÑ zap
This is the first post on this article coequal with Congress and monkey-spanking. ÑÑÑÑÑÑÑÑÑÑÑÑÑÑÑÑÑÑÑÑÑÑÑÑ
So, should people start wrapping their iPhones in tinfoil?
You could just read all the comments about Blizzard's Warden program for WoW, as they will likely be strikingly similar.
I'd hope there are more people on here who know what an IMEI is, what its used for, when it is used on ANY GSM phone and how it relates to the IMSI...
/., I expect the flamefest to be shorter...
This is
After all, they do share the same code base. So it won't shock me if Apple is doing something similar there via the MAC address of the WiFi chipset.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
"As I sit here applying a new layer of Reynolds tin foil to my international hat of conspiracy,"
Reynolds doesn't make tin foil. They make aluminum foil! There is a big difference between Tin and Aluminum!
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
This is more likely explained by a variant of Hanlon's Razor, to wit "never attribute to malice what could be explained by laziness".
Since they know there's only one instance of the browser running on the phone, this is an easier way to maintain session information than using cookies. It's cheap, cheesy, and lazy.
On to the solution: it shouldn't be hard to create a Mach/Cocoa overrider (using any of the various tricks to patch running apps, like APE does) to change the IMEI seen by widgets if you really want to hide which phone you are.
Apple might be able to 'play off' the fact that they are gathering info on you through the Weather applet (though I find it unacceptable). But the Stocks applet? So now every request for stock information sent to Apple contains identifying information about myself? I
'm sorry but which stocks I own/watch is my own business. Even when the PR machine spins up, "we're not doing anything with the information" is not good enough to me. Maybe that explanation would be good enough if it was just the Weather widget, because that info is somewhat irrelevant, but someone's financial information is different.
Of course the phone company already knows where you are, and can provide this sort of service, but then you have to use the phone company's UI. Apple can provide you with a nice elegant unified user interface, and that's what most users want.
Now, once they've got this information, they can misuse it for all sorts of purposes. It needs consumer pressure (or in Europe, there's data protection legislation) to keep such companies honest. But expecting them not to need to have this information is rather strange - they do have a need if they want to present the best localized UI possible.
And no, I don't have an iPhone. I do have a Blackberry, and I know Research in Motion know where I am all the time, because most of my traffic traverses one of their proxies. Most other smart phones do something similar. Apple really doesn't seem half as bad in comparison.
they are definetly going the wrong way here
(as they did so many times), and will pay
a dear price.
There's a substantial difference between receiving information and tracking people. Do the land-line phone companies "track" the calls you make? Sure, they use it to send you a bill, but most people don't seem to think it's a privacy violation. The author does not, as he claims, have "proof" that Apple track iPhone users, simply that they have the wherewithal to collate information about the services used by people if they could be bothered.
The IMEI number is there to facilitate identifying mobile devices to the Public Land Mobile Network (PLMN) for the purpose of charging for services. Your IMEI goes out every time you connect to the EDGE network or any GPRS service anywhere in the world, and is (and always has been) logged by the phone company, irrespective of what brand of phone you have. It's always been possible for the phone company, or anyone with the right data sharing relationship with the phone company (e.g. Apple), or the police with a court order, or the CIA/FBI/KBG/MI6, to link this to the IP address assigned to the mobile device, and from there to server logs. People who worry about this shouldn't just be wearing tin-foil hats, they should be putting tin foil around their phones too.
If intelligent life is too complex to evolve on its own, who designed God?
I just wrote some first impressions regarding my new iPhone. The inability to remove both the YouTube and Stocks icons is my biggest annoyance so far. Now I have even more reason to be rid of Stocks! Guess I'm going to have to void my warranty after all....
Brought to you by the author of such childrens' classics as "Some Kittens can Fly!" and "All Dogs go to Hell."
Just use your phone in a Faraday cage, and they can't track you at all.
It is pitch black. You are likely to be eaten by a grue.
The Apple IMEI is TEA encrytped according to the phone's hardware ID and NOR ID. Both of these numbers can be found with a few tools found at iphone-elite.org. The IMEI lives at 0xA003FAB00 address. All you need to do is write out your seczone (0xA003FA000), TEA encrypt a nice Motorola RAZR IMEI number at offset 0xB00, and write it back to your NOR...and voila...your iPhone now looks like a Motorola RAZR.
Sad story - for 3 non-consecutive years, I volunteered in a fund-raiser for the symphony orchestra here in my home town(I was in music school at the time). They had my name, email addy and phone number.
Last month, I received a call from their sales department where a very polite man tried to sell me subscriptions to the next season.
I got rightfully insulted, because the least they could call me with is a job...Then, having worked as desk monkey for an IT sales organization, I chalked it up to overzealous merchants and moved on, albeit rather dissapointed in the cultural stature of said symphony orchestra.
Moral of the story: when a company is out to make money(and they often are), any prospecting info is good info.
Microsoft put the "sucks" in "success".
They are tracking how many times you check the weather. It's probably to gather data to test the viability of using iPhone to proactively provide mental health services. People who suddenly begin displaying obsessive compulsive tendencies by checking the weather over and over will be offered the new service.
If you mod me down, I shall become more powerful than you could possibly imagine.
Maybe they just mesh the IMEI number with location data provided by the GPS and/or AT&T to give you weather information based on where you are located at the time. Ever seen the ad where Google is used to find local eating joints? Don't know about you but I did not see any kind of location information getting entered and so some kind of location info is getting used.
And you know that every ISP keeps records on what phones ping what cell towers and your ISP( AT&T ) already is known to have been very willing to hand out cell records.
So get a pre-paid phone at Walmart if you want to limit your track-ability. After all, getting a "smart" phone from Apple with all the locked down and tied to Apple features isn't a clue that they just might track things? I hope you don't touch anything running Microsoft code.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
the iphone *needs* to access the site http://iphone-wu.apple.com/ with your imei in order to update the weather.app. After i blocked the url in my proxy server, the weather app would no longer update.
What is weird is that it either is sending a wrong imei number, or it is a hashed value...
I'm sorry, but Reynolds tin foil isn't really an option anymore, because they use aluminum alloy (look at the bottom of the FAQ). It isn't even pure aluminum anymore! It's getting harder and harder to find a genuine tin foil manufacturer. It's a conspiracy, I tell you!
This is likely the differentiator between an iPhone and iPod Touch. If there's no IMEI, then it's not an iPhone, and the app doesn't work.
Has anyone thought that maybe the applications like weather and stocks are transmitting the IMEI number to Apple so that they are only providing service for their widgets on their own product?
What if I took a Nokia Symbian phone and hacked together a widget that queried Apple for an update on stocks and weather? I would think Apple would be mildly upset that I were exploiting their service. The sensible action would be to have the server query the IMEI number and verify it is transmitting data to a allowed recipient.
But that's just me using common sense and my extreemly rudimentary knowledge of technology. Sorry I forgot this is SlashDot. I now patiently await the attacks on my grammar, spelling, poor knowledge of mobile phone platforms and even worse knowledge of how the internets works. Because it's really just all a series of tubes. Wireless tubes without locks or valves.
I hate all sigs, even this one.
what if someone runs a script which infinetly connect to this URL:
http://iphone-wu.apple.com/dgw?imei=2335&apptype=finance
maybe changing imei data.
Will their data be still interesting?
The app *does* work on the touch though, so that argument doesn't work.
"but aggregating this type of information to have the "big picture" is the problem."
I'd say the problem is your ignorance combined with your rampant paranoia.
I just find it interesting that if you were to replace the words Apple and iPhone with....oh I don't know maybe say Microsoft and Vista you would have completely different messages. Even if it was complete legitimate that it be sending information, like updating a weather app. You would still have 9000 people screaming bloody murder with 2 little word changes. However it involves Apple so what you have is slightly over 100 comments with some iPeople looking for anything they can to defend it. Just interesting to me.
I'll try anything once. Twice if it tastes good
Like a few people have already stated, this is probably being used to make sure that no evil unlocked iPhones are using their services.
Also, it could be like MAC authentication because essentially an iPhone is just a client on their WAN.
Finally could this be a means of redirecting the apps to a new provider should Yahoo piss them off?
"You do not support the root but the root supports you." - Romans 11:18
Even worse: I went to a Web site and it warned me that my iPhone was broadcasting its IP address to EVERYONE!
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
It's the truth. change IMEI => goto jail, do not pass go, do not collect £200
STOP GIVING THEM YOUR MONEY.... is it THAT difficult? Really, have people lost their brains and common sense while I was away?
http://www.rense.com/general79/wdx1.htm
Has anyone actually captured this off the wire? IEMI is self-descriptive, but it'd be interesting to see if it's the full IEMI or something else completely.
So we all can do a little hack to drench the URL in falsified information making the data completely invalidated.
If you can't get them by doing A you can do it by doing B instead.
</evil>
Of course all mobile devices are identifiable, the IMEI is part of the GSM standard and identifies the handset, just dial *#06# on your phone. The IMSI is the ID stored on the SIM card.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
"Never admit to malice that could easily be excused as indifference."
For the longest time I have been pushing open source, it works, its free and if there is a problem you can pop the hood and replace parts. It is very apparent that Apple will be the next Microsoft, and their monopoly (if they got one) would be worse then MS's because they control the hardware and software. But, for the time being, I am loving my iPhone that has T-Mobile for its service, and until I have problems, I'm interested in taking down monopolies but Apple isn't there yet.
To see a few of my Android apps goto: www.hartwired.com
Most of the commentators here seem to be missing the point, rather eagerly so. Nothing to bother here, move on please will not do. However the key word here is surreptitiously. How many Iphone users knew about this before this story broke? So what else is your Iphone sending that you don't know about. In the long term it pays to care about these things.
The phone company pretty much has to track your phone 24x7. How else do they know how to route incoming phone calls. They have to know which cell tower you are nearest and they have to keep the information in a central place so they can quickly look it up when you get a call.
I know they keep this information too. I lost my cell phone once and called Verison to ask them the last few locations they had. They were able to answer to within a few miles. Enough that I could figure out which place a left my phone.
If you do not want to be tracked then do not cary a radio transmitter around with you all day.
They're tracking hacked iPhones to figure out where to roll out the iPhone next. That is, if a ton of them are being used in Lithuania, expect the iPhone to be rolled out in Lithuania next.
Of course they have to track it. How else will they know when its in an advantageous position to carry outs its mission ?
I spy, with my little eye, lots of things that start with an i
Under docpool.org/iphone you can see, that the numbers on stocks and weather are different.
heise Security did some research on this issue and actually captured the packets with the requests for stock prices. And while they did contain a number, it was certainly not the IMEI of the iphone. For what it is worth: the weather application even transmitted a different imei parameter. see: Controversial checks of stock prices with iPhone bye, ju
Of companies that AREN'T tracking you.
Have a credit card? Use a bank/credit union? Have utility bills? Ever buy anything without using cash? Wait wait, have a social security number (yes only applies to US citizens.) Ever fly on a commercial airline? Ever sign up for a "discount card" at a retail store? Ever leave the country? Let's not forget there is now even the possibility any international calls are being snooped on. AT&T is sending all your Internets to San Francisco!
And yet THIS is the one people choose to pay attention to.
Hm.
No sig for you!!
Now that's brand marketing for you, Bill! (sucker!)
Anyways, gimme the URL, I'd like to send them some stuff. (hehehe)
is determined by the portion of the map within active view. If you are looking at China and search for a restaurant, it isn't going to be anywhere near you (unless you are actually in China, of course).
So, what's the last word on OpenMoko development?
"Good news, everyone!"
there's a system whereby the cellular/mobile operator can pass some part of your identity on; in the UK it's called whitelisting - they simply put a URL into their whitelist of websites which are allowed to receive additional headers allowing them to uniquely identify the cellphone/mobile phone (GSM in UK/Europe). GPRS data is a finicky beast, given that the mobile phone lives behind multiple levels of nat, special gateways to fragment IP to go over the GSM air protocol etc, so it's very hard for a website to be able to give a persistent session to a mobile phone - especially as some (historically) have poor cookie handling. Used sensibly, it's a reasonable thing to do. Oh, and it was admitted on a mailing list by an employee of O2, the UK operator who won the contract from Apple to gouge their customers for lots of money, that they record and track the handset data to make sure that people don't take their iPhone "unlimited data" sim and put it into a different phone for use with their computer!
... its probably iMEI (and stands for Message Exchange Interface) or, Multiple Extension Internetworking...
AT&T has this data already. But apple doesn't have to. Apple getting this data would be like Nokia or Ericsson rather the t-mobile keeping track of when, how, or where ur phone is being used.
This also refutes some claims made in previous posts that this is a non-issue since our phone providers keep track of this stuff anyway. The analogy that land line companies having this data is a bad one. Apple is to your land line phone MAKER not PROVIDER.
So yes, assuming that the IMEI really IS sent to Apple (which wasn't exactly verified by the TFA's author) this can be considered a privacy issue beyond the usual. (Releasing ANY data is a privacy issue to whomever. Just sometimes they are unavoidable or useful enough to out weigh the potential problems. Not this case though.)
Personally I don't see it as being as trivial as some posters have made it out to be either. Even assuming the IMEI is encrypted when sent out (with reasonable authentication and privacy unlike say GSM or WEP) it is always a bad idea to be releasing such critical information to a third party. In particular a third party which happens to be a large coorporation which is (understandably) motivated by profit and self interest.
What can be tracked with your IMEI? Your IMEI is a unique identifier for your phone. Thus if it can be correlated with location, time or any other data this is essentially YOUR private information. I think no one needs a picture drawn for them of what's wrong with Apple correlating IMEI with sock data queries or (to a lesser degree) weather queries. But even just allowing Apple to correlate with time (i.e. when your phone was on and when not) is already more then Apple should know. The point is the moment we're talking about _unique_ numbers being reported somewhere bell's should be ringing.
Since announcing your IMEI to Apple is not vital to intended functionality of the iPhone I think the "feature" was a... mistake, and should be disabled (by Apple in an ideal world).
And according to a German security site, the ID is the same for every phone that was tested. Conspiracy hats off. Case closed.
Maybe now we can discuss if the Kindle knows which pages you're lingering over and transmits suspicous activity to the NSA...
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
Don't know about Gmail, but a small number of sites ask for the device unique id when I connect from my Japanese docomo phone. Gmail asks when I connect via ssl. I can choose to refuse.
It seems the answer to the headline is "no."
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
As the article has been updated... they have redacted the part about it being the IEMI number.
The iPhones are pretty integrated into certain carriers. Those carriers can map an IMEI number in use to a location, to a phone number or to the subscriber information. I can quite easily see Apple/O2/AT&T offering a pseudo-GPS system based upon cell tower you're in range of, or offering a "where are my buddies?" service that did similar, for example.
There have been statistics published all across the news and magazines, for example
http://www.foxnews.com/story/0,2933,304456,00.html
If apple/at&t wasn't tracking the iPhones through their IMEIs how could they have published these numbers?
Some websites track IP addresses so they check for abuse. How is this different? an IMEI is much more secure.