Stories about privacy blunders by big companies always attract a lot of attention.
When that big company is Apple, you can replace ‘a lot’ with ‘a whole lot’.
And Apple likes to make public pitches about the privacy its products provide.
So, when renowned investigative cybersecurity journalist Brian Krebs recently published a quizzical article entitled “The iPhone 11 Pro’s Location Data Puzzler”, tongues began to wag.
What puzzled Krebs is that the privacy interface for Location Services on his iPhone didn’t seem to work as he expected, which he rightly thought was worth investigating carefully.
After all, thanks to GPS, modern smartphones can work out where you are with astonishing precision, even when you’re offline and have no other positioning data to refer to.
Apps that do clever things with your location have therefore ended up among both the most useful and the most feared software on smartphones.
On one hand, you need never get lost again in an unfamiliar city – no more stumbling around at midnight desperately trying to find the purple building that’s the landmark for where you turn left (or is it right?) to reach your hotel.
On the other hand, the downside of streaming your location to an online service in case you get lost on the way back to your hotel is that someone, somewhere, is clocking up an excruciatingly detailed record of exactly where you’ve been.
Heck, many countries use GPS tracking tags as a form of judicial punishment, as an alternative to keeping convicted criminals in prison.
With that in mind, voluntarily letting yourself be tracked, perhaps by multiple apps and websites at the same time, might suddenly seem like a terribly bad idea.
Safeguarding your location
Apple provides a pretty decent system for controlling how apps use your location:
On the Settings → Privacy → Location Services page, you can choose, for each app, when it’s allowed to use your location data:
Never does what it says – the app can call the iOS functions to retrieve your location, but won’t get anything back; and Always is similarly obvious.
There’s also While Using the App, a middle ground that all location-aware apps admitted to the App Store must now support.
While Using says that the app can only track you while it’s the foreground app on your phone – as soon as you switch to another app or lock your phone, this setting cuts off access to your location.
In other words, if you can’t see the app, it can’t see you.
The confusion starts here
This is where Krebs decided that Apple – or, more precisely, his smart new iPhone 11 Pro – had confused him.
He explicitly turned every app’s setting to Never, while leaving the main Location Services slider turned on.
Krebs inferred that turning every individual switch off would produce the same result as turning the master switch off.
But it doesn’t, in the same way that there’s an important difference between isolating your home’s main circuit breaker, and going round the house turning off every light, plug and appliance individually at the wall.
Krebs began seeing the telltale location arrow from time to time once he started using a new iPhone 11 Pro, even with all the individual settings on Never…
…a behaviour he couldn’t reproduce on an iPhone 8. (In the interests of science, he went back and tried.)
Conclusion: something had changed, and it had privacy implications!
At first, Apple wasn’t terribly helpful, apparently saying simply that:
We do not see any actual security implications […] The icon appears for system services that do not have a switch in Settings.
In other words, the master switch was there to deal with any system components that didn’t have a switch of their own.
Nevertheless, the unanswered part of the question was, “What new system components have recently been added that don’t have a switch of their own and are provoking this previously unseen behaviour?”
A couple of days after the first article came out, Krebs finally received an answer from Apple to fill in the missing detail, so he was able to report as follows:
Apple disclosed that this behavior is tied to the inclusion of a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature, and that a future version of its mobile operating system will allow users to disable it.
This feature, known as Ultra Wideband (UWB), is basically a peer-to-peer wireless data transfer protocol that uses a much wider range of frequencies than regular Wi-Fi, but at much lower power to reduce interference.
But UWB isn’t allowed everywhere in the world.
A few countries have regulated its use, apparently for fear that it might mess with existing radio communications, and Apple therefore added system software that uses your location data, as long as the master location switch is turned on, to disable UWB automatically as required.
No room for ambiguity
The moral of this story is that there is no room for ambiguity or confusion in software components where users manage their privacy.
We assumed that the master switch only existed because there were location-related features for which there were no individual control sliders.
Krebs assumed from the layout and behaviour of the very same configuration page that the master switch was redundant if all apps were turned off anyway.
Both assumptions are reasonable, but only one can be correct.
So, if you’re a programmer or a user interface designer, you need to go out of your way to avoid security ambiguity in your configuration screens.
Apple, for example, knowing that UWB support on the iPhone 11 Pro would produce location usage warnings in a way that hadn’t happened before, could easily have tweaked the message under the master switch to clarify the situation.
Ironically, Apple is now planning to add a separate control switch for the new UWB feature; let’s hope it accompanies this update with a list of any other iOS services that could cause the location arrow to pop up but that still don’t have their own switches.
And another thing…
While we’re on the topic of user interface design, here’s a long-standing bugbear of ours in Location Services.
Once you’ve turned the location master switch off, you can no longer inspect, let alone adjust, the per-app settings that will apply as soon as you turn it back on:
This means that you can’t tidy up your location settings to improve your privacy without potentially leaking location data while doing so.
If you install a new app and want to make certain that it’s set to Location Services → Never, you have to risk giving it temporary access to your location by turning the master switch on just to get access to turn the app-specific switch off.
(We’d also like a quick-press button to Turn All Apps to Never in one go, for when we decide we want to opt out of everything, instead of wading through the whole app list to make sure we didn’t miss one…
…but that might just be us being fussy.)
Readers, what do you think?