No, the Social Security Administration won’t call you about “suspicious activity.”

So my wife rings me up at work this morning to tell me about a strange phone call she’d just gotten. An automated voice claiming to be from the Social Security Administration was contacting her about suspicious activity involving her SSN that will result in an immediate suspension of her number if she doesn’t take steps to clear her name. The longer she listened to it the more she thought to herself, “This is bullshit,” and she hung up on the call.

She called me because there was just enough of a nagging doubt that she wanted to make sure she did the right thing. She did. It’s a scam that’s been growing since at least 2017. Here’s a recording of one of these calls:

Gotta admit that I can see how some folks would panic if they got a phone call like that one. It sounds legit enough and it doesn’t help that the scammers are spoofing the real phone number of the SSA (1-800-772-1213) on your Caller ID.

There are two basic types of these calls. One is to try and get you to “verify” your SSN by entering it into the phone so they can attempt Identity Theft. With the other type they try to get you to pay a fee by going out and buying gift cards and then reading off the codes to those cards to the scammer on the phone. This is basically the same scam as the IRS imposter scam that was making the rounds for a few years.

According to the FTC website:

In 2017, we heard from 3,200 people about SSA imposter scams, and those people reported losing nearly $210,000. So far THIS year: more than 35,000 people have reported the scam, and they tell us they’ve lost $10 million.

Source: This is what a Social Security scam sounds like – Federal Trade Commission

The page I’m quoting from was last updated in December of 2018 and it’s only gotten worse since then. From April 2018 to March 2019 the reported losses grew to $19 million.

Here’s the bit that I don’t get: How is it that folks are not recognizing this is a scam as soon as they’re told to go out and buy gift cards and then read the numbers off to the guy on the phone? How is that not a smack over the head that this is not a legit call?

I mean, I can understand falling for the request to verify your SSN because there are lots of occasions (banks, etc.) where you might be asked to do that, but who out there is so dumb to think that a government agency accepts payment by gift cards only or, worse, Bitcoin?

In an updated article about this from this past April, the FTC said:


As the graphic shows, people reported the IRS scam (in blue) in huge numbers for many years, but the new SSA scam (in orange) is trending in the same direction – with a vengeance. People filed over 76,000 reports about Social Security imposters in the past 12 months, with reported losses of $19 million. Compare that to the $17 million in reported losses to the IRS scam in its peak year. About 36,000 reports and $6.7 million in reported losses are from the past two months alone.

Just 3.4% of people who report the Social Security scam tell us they lost money. Most people we hear from are just worried because they believe a scammer has their Social Security number. But when people do lose money, they lose a lot: the median individual reported loss last year was $1,500, four times higher than the median individual loss for all frauds. All age groups are reporting this scam in high numbers, with older and younger adults filing loss reports at similar rates.

People report sending money in unconventional ways. Most often, people say they gave the scammer the PIN numbers on the back of gift cards. Virtual currencies like Bitcoin come in a distant second to gift cards: people say they withdrew money and fed cash into Bitcoin ATMs. With both methods, the scammer gets quick cash while staying anonymous, and the money people thought they were keeping safe is simply gone.

So let’s break a few things down:

  • No, your SSN is not about to be suspended, your bank accounts are not about to be seized, and you are not about to have an arrest warrant put out on you. This is bullshit, plain and simple.
  • The Social Security Administration will never contact you and tell you to wire them money, send cash, or (for crying out loud) give them gift cards or they’ll suspend your benefits. Never. Doesn’t happen.
  • You should never give out your SSN and/or personally identifying info to someone who has called you out of the blue, even if you think it’s legit and the Caller ID shows the real number for whoever is calling. Hang up and call a number you know is associated with whatever you’re dealing with to make sure the request is legit first.
  • If you did do the above then go to https://www.identitytheft.gov/SSA to learn what steps you can take to protect yourself from Identity Theft.
  • Lastly, report government imposter scams to the FTC at FTC.gov/complaint. To learn more, visit ftc.gov/imposters.

As always, be vigilant. There are a lot of unscrupulous people in this world working hard to scam you out of your money. If something smells like bullshit to you then it’s probably bullshit and you should do some digging before handing over any info or money. Most importantly, remain calm. These assholes are relying on you freaking out to make it easier to get you to do something stupid. Don’t be stupid. Don’t freak out.

Everyone’s using that Russian FaceApp to see what they’d look like old and I’m just sitting here being old.

Me, circa April this year in an early morning selfie.

Have you seen all the people on Facebook posting selfies of themselves after they’ve run it through the FaceApp? It’s all the rage right now probably because the results tend to err on the very flattering side. If this app is to be believed, everyone is going to look amazing. Just a few more wrinkles and lots of grey hair. Personally, I don’t need to use that FaceApp to see what I would look like as an old person because I am already an old person.

True story: On the way into work this morning I could not for the life of me remember my age. I knew I was 50-something, but I wasn’t sure if I would be turning 52 or 53 next month on my birthday. I had to literally do the math in my head while driving at 70 MPH on the freeway because it was bugging me so much that I couldn’t recall if I am currently 51 or 52 years old. (For the record, I am currently 51 about to turn 52.) I almost went as far as to ask Google because they almost certainly know my age, but I did the math instead because I didn’t want to interrupt the song streaming on Pandora at the time. So, yeah, I’m old. Not super old. Not even eligible for senior discounts at most places yet, but old enough to have the bloodhounds at AARP on my ass about signing up. I’ve got another three years before I outlive my biological father who died at 55, but I doubt I’ll match my great grandmother who died at 99.

Speaking of that FaceApp, you might want to think twice before playing with it depending on how much you care about your image potentially being sent to Russia for a foreign company to do whatever they want with it. The folks at Slate have a good write up on how worried you should be about the app with responses from the company that makes it:

Privacy Matters and several news outlets (some in rather alarming terms) pointed out that when you use the app, you grant Wireless Lab a lot of rights. That includes a “perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content … without compensation to you.” That basically means FaceApp can do whatever it wants with your photos, according to New York Law School professor Ari Waldman. “You retain copyrights and photos that you upload, but you grant them the opportunity to pretty much do anything they want with the photos that are stored on their servers,” Waldman told me. And in many cases, it’s not just photos of the individual using the app—people upload images of their friends and families, too, meaning such a database of faces would be massive, and that same policy would apply regardless of who is in the photo. “It’s pretty broad, to say the least,” Waldman said.

Source: How Worried Should You Be About FaceApp? — Slate


Those are pretty permissive and vague terms and conditions, but to be fair to Wireless Lab, that’s true of a lot of apps because it covers their ass in case someone decides to sue for some stupid reason. Still, you should be aware that you are granting them these rights when you use the app. There was also a rumor going around that it wasn’t just uploading the picture you submitted to foreign servers, but grabbing your entire camera roll. Slate asked security expert Will Strafach to take a look at the app to see if that is true:

And, according to FaceApp’s creator Yaroslav Goncharov at Wireless Lab, that data doesn’t get sent to Russia at all unless you are in Russia:

Yaroslav Goncharov, FaceApp’s creator and Wireless Lab CEO, said in an emailed statement that no user data is transferred to Russia even though “the core R&D team is located” there, and he echoed that the entire camera roll is not tapped for upload. Forbes reported that FaceApp uses Amazon servers located in the U.S. and Australia. And, to be fair, FaceApp said it deletes most photos after 48 hours: “We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation.” But, again, all we have here is its word. When I asked Goncharov what Wireless Lab uses the photos for, he didn’t say. “Privacy policies and terms are drafted by lawyers and they always prefer to be on the safe side,” Goncharov wrote in an email. “We are planning to do some improvements here.” I directly asked if the company actively uses personal data for commercial purposes, and he didn’t respond.

So, in the end, it’s entirely possible that FaceApp is an innocuous bit of mindless fun and the folks at Wireless Lab aren’t keeping your data for very long or doing anything with it you wouldn’t want them to. However, the potential for abuse is still there in that terms of service agreement, and if they changed their minds because, say, Russian intelligence needed a shit ton of pics to train a facial recognition system with, well, you’d have given them the rights to do just that. Even then it’s arguable whether that would have any real impact on you in the long run outside of having helped the Russians train an A.I., but it’s something you should consider before using the app.

Then again, you should probably stop to consider these things with any app you’re thinking of using. Considering I’m all over Google, Facebook, and this blog, I doubt my using FaceApp could do much more damage to my privacy than I’ve already done to myself. I still won’t use it, though, because I already know what I’d look like when I’m old. Now, if it could remember my age for me…

John Oliver interview with Edward Snowden.

John Oliver has been knocking it out of the park ever since he left The Daily Show to start his own comedy news show on HBO. Last Week Tonight manages to both entertain and inform and, in some ways, is a better show than TDS. Best of all, HBO and Oliver make full-length segments of the show available on YouTube so you don’t have to pay for HBO to see it.

Each week Oliver picks a topic and does a deep dive on it and this week he’s tackling surveillance and Section 215 of the Patriot Act and how we’re not having the debate we should be about the NSA and domestic spying. It’s a great segment, but it’s even better because he managed to score an interview with the man who arguably made it possible to have this debate, Edward Snowden, and he doesn’t pull any punches with his questions:

Once again I have to marvel at how a comedy news program manages to do better journalism than the supposed news channels. It also breaks things down into a context that is not only funny, but which the average person can comprehend.

As Oliver points out, part of the reason we’re not having this debate is that the subject matter is so highly technical and hard to understand for most folks. It doesn’t help that too many people barely pay attention to what’s going on around them. Ask them who Taylor Swift is and they can recite lyrics from her latest single, but ask who Edward Snowden is and too many don’t have a clue. These programs need to be seriously revised and given more transparency, but that’s not going to happen so long as we don’t bother to talk about them.

Finally, this gives me a chance to make use of this:

Would've been funnier back when it was still winter, but fuck it.


SEB Mailbag: Hilariously bad extortion email from the “FBI.”

Being a famous and world renowned blogger such as I am, I tend to get a lot of phishing emails where the authors attempt to convince me to send them money. This time out it arrived in the form of yet another letter from the Federal Bureau of Investigation. This isn’t the first time I’ve heard from the “FBI.” I got two emails from them just days apart back in 2008. Back then they contained offers to help me acquire money that I had inherited in another country.

This one is a different story. This one is a threat to ruin my life. Well, it starts that way at least. Then it suggests that the sender knows I wasn’t the person who engaged in the illegal activity because my identity had been used by someone else, but I could still face the consequences unless this person helps me because he’s a Good Christian® and would hate to see me go to jail. (You gotta love how they toss some religion in there.) So if I wire some dude in some other country who doesn’t even have an FBI mailing address $250 he’ll get the whole thing straightened out for me PLUS I’ll get the $10.5 million that I was promised in the previous emails that got me in this mess to begin with! This guy is all over the place and can’t decide which route he should go to convince me to send some money. If one approach is good then all of them must be better, right?

Here’s the hilarious email complete with spelling and grammar errors:

From: “Federal Bureau Of Investigation”<info@fbi.us>
Subject: Re: Final Warning From FBI.

FBI headquarters in Washington, d.c.
Federal bureau of investigation
J. Edgar Hoover building
935 Pennsylvania avenue,
NW Washington, d.c. 20535-0001
Federal bureau of investigation (FBI)

Attention Needed.

Attention to you. This is the final warning you are going to receive from me do you get me????

I hope your understand how many times this message has been sent to you?.

We have warned you so many times and you have decided to ignore our e-mails or because you believe we have not been instructed to get you arrested, and today if you fail to respond back to us with the payment then, we would first send a letter to the mayor of the city where you reside and direct them to close your bank account until you have been jailed and all your properties will be confiscated by the FBI. We would also send a letter to the company/agency that you are working for so that they could get you fired until we are through with our investigations because a suspect is not suppose to be working for the government or any private organization.

Your id which we have in our database been sent to all the crimes agencies in (USA) for them to insert you in their website as an internet fraudsters and to warn people from having any deals with you. This would have been solved all this while if you had gotten the certificate signed, endorsed and stamped as you where instructed in the e-mail below. this is the federal bureau of investigation (FBI) am writing in response to the e-mail you sent to us and am using this medium to inform you that there is no more time left to waste because you have been given from the 13th of January. As stated earlier to have the document endorsed, signed and stamped without failure and you must adhere to this directives to avoid you blaming yourself at last when we must have arrested and jailed you for life and all your properties confiscated.

You failed to comply with our directives and that was the reason why we didn’t hear from you on the 13th as our director has already been notified about you get the process completed yesterday and right now the warrant of arrest has been signed against you and it will be carried out in the next 48hours as strictly signed by the FBI director. We have investigated and found out that you didn’t have any idea when the fraudulent deal was committed with your information’s/identity and right now if you id is placed on our website as a wanted person, i believe you know that it will be a shame to you and your entire family because after then it will be announce in all the local channels that you are wanted by the FBI.

As a good Christian and a honest man, I decided to see how i could be of help to you because i would not be happy to see you end up in jail and all your properties confiscated all because your information’s was used to carry out a fraudulent transactions, i called the efcc and they directed me to a private attorney who could help you get the process done and he stated that he will endorse, sign and stamp the document at the sum of $250.00 usd only and i believe this process is cheaper for you. You need to do everything possible within today and tomorrow to get this process done because our director has called to inform me that the warrant of arrest has been signed against you and once it has been approved, then the arrest will be carried out, and from our investigations we learn that you were the person that forwarded your identity to one impostor/fraudsters in Benin Republic last year when he had a deal with you about the transfer of some illegal funds into your bank account
which is valued at the sum of la

I pleaded on your behalf so that this agency could give from tomorrow on,so that you could get this process done because i learn that you were sent several e-mails without getting a response from you, please bear it in mind that this is the only way that i can be able to help you at this moment or you would have to face the law and its consequences once it has befall on you. You would make the payment through western union money transfer with the below details.

Receiver name: Okagbue Christian
Country: Republic Nigeria
City: Abuja
Text question: You
Text answer: Me
Amount: $250
Senders name:
Senders Country:

Send the payment details to me which are senders name and address, mtcn number, text question and answer used and the amount sent. Make sure that you didn’t hesitate making the payment down to the agency by today or tomorrow so that they could have the certificate endorsed, signed and stamped immediately without any further delay. After all this process has been carried out, then we would have to proceed to the bank for the transfer of your compensation funds which is valued at the sum of $10,500.000.00 MILLION U.S. Dollars which was suppose to have been transferred to you all this while.

Note/ all the crimes agencies have been contacted on this regards and we shall trace and arrest you if you disregard this instructions. You are given a grace tomorrow to make the payment for the document after which your failure to do that will attract a maximum arrest and finally you will be appearing in court for act of terrorism, money laundering and drug trafficking charges, so be warned not to try any thing funny because you are been watched.

Thanks as i wait for your response

Respectively:

Agent Norman Wood.
E-mail: drnormanwood@qq.com
Federal Bureau Of Investigation (FBI)
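The email above carries three tells that a mail filter can check mechanically: the display name claims the FBI while the From address is on fbi.us rather than the bureau’s real fbi.gov domain, the signature asks you to write to a free qq.com mailbox on a different domain than the sender, and payment is demanded by Western Union. The script below is an added example (not part of this post, and not any real filter) that encodes those three checks over a constructed message that keeps only the relevant lines of the email; the organisation-to-domain table and the payment-term list are assumptions you would extend for your own environment.

```python
import email
import email.utils
import re
from email.message import Message
from typing import List, Tuple

# Constructed message (not the full email above) that keeps the three tells of
# the scam: a government display name on a From address the agency does not use,
# a reply address on a free mail provider, and wire-transfer instructions.
SAMPLE_MESSAGE = """\
From: "Federal Bureau Of Investigation" <info@fbi.us>
Subject: Re: Final Warning From FBI.

You would make the payment through western union money transfer.
Send the payment details to me which are senders name, mtcn number and the amount sent.

Agent Norman Wood.
E-mail: drnormanwood@qq.com
Federal Bureau Of Investigation (FBI)
"""

# Display-name keywords mapped to the domain that organisation really mails from.
# fbi.gov is the bureau's actual domain; add rows for other agencies as needed
# (assumption: this small table is the only allow-list the example consults).
CLAIMED_ORGS = {
    "federal bureau of investigation": "fbi.gov",
    "fbi": "fbi.gov",
}
# Payment channels that no government agency uses to collect fees.
PAYMENT_TERMS = ("western union", "mtcn", "moneygram", "gift card", "bitcoin")
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def sender_parts(msg: Message) -> Tuple[str, str, str]:
    """Return (display name, address, domain) of the From header, lower-cased."""
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name.lower(), addr.lower(), domain.lower()


def scam_indicators(raw: str) -> List[str]:
    """Return human-readable indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    name, addr, domain = sender_parts(msg)
    # Single-part text only; a multipart message would need its text part walked.
    body = msg.get_payload() if not msg.is_multipart() else ""
    body_lower = body.lower()
    findings = []

    # 1. The display name claims an organisation whose real domain does not match.
    for org, real_domain in CLAIMED_ORGS.items():
        if org in name and domain != real_domain and not domain.endswith("." + real_domain):
            findings.append(
                f"display name claims '{org}' but sender domain is {domain}, not {real_domain}"
            )
            break

    # 2. The body asks you to write to an address on a different domain than the sender.
    for other in sorted(set(a.lower() for a in ADDR_RE.findall(body))):
        other_domain = other.rsplit("@", 1)[-1]
        if other != addr and other_domain != domain:
            findings.append(
                f"reply address {other} is on a different domain than the sender ({domain})"
            )

    # 3. Payment is demanded through an untraceable channel.
    for term in PAYMENT_TERMS:
        if term in body_lower:
            findings.append(f"asks for payment via '{term}'")

    return findings


if __name__ == "__main__":
    for finding in scam_indicators(SAMPLE_MESSAGE):
        print("-", finding)
```

None of these checks proves a message is a scam on its own (plenty of legitimate mail asks you to reply elsewhere), but a government display name on a non-government domain together with a wire-transfer demand is the combination the rest of this post is laughing at.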

Religious sites are more dangerous than porn sites for getting malware.

We all have that one friend/relative/client who seems to get infected with some form of virus or malware every week and those of us who take on the task of cleaning up their PCs every time they do always tell the same joke: This wouldn’t happen if you’d stop visiting all those porn sites.

But it turns out that it’s actually religious sites that are the real malware threat. At least according to a report from the folks at Symantec:

The average number of threats found on religious sites was 115, mostly fake antivirus software. By contrast, pornographic sites had less than a quarter, at around 25 threats per site. Of course, the number of pornographic sites is vastly greater than religious sites.

According to Greg Day, Symantec’s security CTO for Europe, the Middle East and Africa, while trojans may seem more serious, “if you have installed fake AV you may think you are protected, when in reality you are open to all sorts of attacks.”

This does make a certain bit of sense when you think about it. A lot of religious websites are set up and maintained by church people with varying degrees of computer skills whereas most successful porn sites are run by people who know what they’re doing and how to secure their platforms. No one thinks the asshats who put malware out on the net are going to bother with some piddly-ass church site so there’s less concern about updating software or locking down server access even if the person running it has a clue how to do those things. From the hacker’s point of view, however, every PC infected is one more PC in the botnet that can send out spam/DDoS attacks/whatever. A lot of attempted hacks are automated with scripts these days so if it’s trivial to hack a site and install your malware it’s worth doing so even if it only nets you a handful of PCs. Not like the hackers themselves even have to think about it.

Which is why you should always wear a condom when you go to religious websites. You know, just to be safe.

ISPs and FBI warning about a nasty rootkit called Alureon.

I got an email from an SEB regular about an email they got to check their PC to see if it’s infected that directed them to DCWG.org. She wanted to know if it was legit or a scam. I checked it out and wrote back and I thought the info would be useful for others so here’s her original email followed by my reply:

Subject: dcwg scam

Not hate mail, but a query:  Is this dcwg.org computer checking site that the FBI is sending us to legit?

You’re the only computer guy I “know” [and not in the biblical sense!]

And my reply:

I hadn’t heard about it before, but it doesn’t appear to be a scam. Their about page (http://www.dcwg.org/aboutcontact/) says it’s a joint effort between the FBI, Georgia Tech, The Internet Systems Consortium, Mandiant, National Cyber Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama at Birmingham. That’s a pretty impressive group and many of them have links back to dcwg.org. They also provide several links to the FBI (http://www.fbi.gov/news/stories/2011/november/malware_110911) and other sources for confirmation, plus there’s a good number of news articles about it (http://www.usatoday.com/tech/news/story/2012-04-20/internet-woes-infected-pcs/54446044/1). On top of that there’s a number of articles about it at various ISPs such as Comcast (http://forums.comcast.com/t5/Security-and-Anti-Virus/DNS-Changer-Bot-FAQ/td-p/1215341). The fact that it has pretty good prominence on Google’s search is a good indicator it’s legit as well.

If you were sent a notice from your ISP I’d take it seriously and run a couple of the tests to verify. This is a nasty rootkit that modifies what DNS servers you connect to to resolve domain names (it’s how you get from typing in stupidevilbastard.com to an IP address the computer can understand which for SEB would be 209.240.81.155). The rootkit modifies the hosts file on your PC and can, apparently, even modify some home routers as well (especially if you never changed the default password). One clear sign is if your antivirus software has been disabled, but check the links for more info. It appears it’s the Alureon rootkit which you can read more about at Wikipedia: http://en.wikipedia.org/wiki/Alureon

Don’t panic too much. Even if you are infected and lose connectivity in July your PCs can be fixed. The reason they’re working now is the FBI has seized the rogue DNS servers and replaced them with non-naughty ones, but they’re not going to keep them running forever. When they shut them down in July your PC won’t be able to resolve domain names. It’s not that you’re not connected to the net, just that you’d be limited to typing in IP addresses like the one I gave you for SEB. That bypasses DNS altogether.

Les
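The reply above names the two places on a PC this rootkit tampers with: the hosts file and the DNS resolver settings. As an added example (not from the post, DCWG, or any vendor tool), the script below runs an offline check of both over constructed data. The hosts file content, the configured resolvers and the expected resolver range (198.51.100.0/24, a documentation placeholder standing in for whatever addresses your ISP actually publishes) are all made up for the demonstration; on a real Windows box you would feed it `%SystemRoot%\System32\drivers\etc\hosts` and the DNS servers listed by `ipconfig /all`.

```python
import ipaddress
from typing import List, Tuple

# Constructed hosts-file content. The localhost lines are normal; the last two
# are the kind of override a DNS-hijacking rootkit plants so that an update or
# banking domain quietly resolves to an attacker-chosen address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    update.example-av.invalid
203.0.113.45    www.example-bank.invalid
"""

# Constructed: resolvers this PC is currently configured to use, and the range
# the ISP says its resolvers live in. Substitute your ISP's real addresses;
# 198.51.100.0/24 is only a placeholder (assumption for this example).
SAMPLE_RESOLVERS = ["198.51.100.10", "192.0.2.77"]
EXPECTED_RESOLVER_NETS = ["198.51.100.0/24"]


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name))
    return entries


def suspicious_hosts_entries(text: str) -> List[Tuple[str, str]]:
    """Flag entries that point a non-local name at a non-loopback address."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name))  # malformed line: worth a look anyway
            continue
        if addr.is_loopback or name == "localhost" or name.endswith(".local"):
            continue
        flagged.append((ip, name))
    return flagged


def unexpected_resolvers(configured: List[str], expected_nets: List[str]) -> List[str]:
    """Return configured resolver addresses that fall outside the expected ranges."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    return [
        r for r in configured
        if not any(ipaddress.ip_address(r) in net for net in nets)
    ]


if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
    for r in unexpected_resolvers(SAMPLE_RESOLVERS, EXPECTED_RESOLVER_NETS):
        print(f"unexpected DNS resolver: {r}")
```

A clean machine produces no output from either check. A resolver outside your ISP’s range is not proof of infection by itself (people do set their own resolvers), but it is exactly the setting the notice from your ISP is asking you to look at, and a hosts-file line steering a security vendor’s domain somewhere else is almost never legitimate.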

A small security reminder: Beware of suspicious links!

Even if they come from friends and family on Facebook and other social sites. And always use different passwords on every site!

Worm steals 45,000 Facebook login credentials, infects victims’ friends

A worm previously used to commit financial fraud is now stealing Facebook login credentials, compromising at least 45,000 Facebook accounts with the goals of transmitting malicious links to victims’ friends and gaining remote access to corporate networks.

The security company Seculert has been tracking the progress of Ramnit, a worm first discovered in April 2010, and described by Microsoft as “multi-component malware that infects Windows executable files, Microsoft Office files and HTML fil…

If you have an affected HP printer you’re going to want to apply this firmware update.


Sounds like it won’t be too long before we start seeing this exploit show up in the wild. I wonder if anti-virus programs could be made to detect the malicious documents? #google+ #computing #security #HP

Printer malware: print a malicious document, expose your whole LAN

One of the most mind-blowing presentations at this year’s Chaos Communications Congress (28C3) was Ang Cui’s Print Me If You Dare, in which he explained how he reverse-engineered the firmware-update process for HP’s hundreds of millions of printers. Cui discovered that he could load arbitrary software into any printer by embedding it in a malicious document or by connecting to the printer online. As part of his presentation, he performed two demonstrations: in the first, he sent a document to …

Beware cold calls from people claiming to be from Microsoft about problems with your computer.

I got a fun phone call this evening. The number was blocked and my initial reaction was to not answer it, but my boss is in town and the phones at work don’t always show up properly on my phone’s caller ID so I went against my better judgement and answered it. The man on the other end of the line had a very thick Indian accent and sounded like he was working in a call center. He claimed to be an official Microsoft Technical Support technician and that they had been alerted to problems with my PC that could result in “very bad” crashes that could result in “total loss of all data.”

Naturally I was very concerned about this newly discovered risk and he helpfully offered to show me where on my computer I could see for myself the dozens of error messages they had been receiving through a “web server” (you could almost hear the double quotes in the way he said it). He had me sit down in front of my PC (I was already there) and gave me step-by-step instructions on how to launch the Event Viewer in Windows. Therein he directed me to the Custom Views and Administrative Events log where there were, indeed, dozens and dozens of error messages and warnings including some that were critical! Oh my!

These generic error messages spell my DOOOOOM!

This is why, he explained as though I were a five-year-old, that my computer was at risk and that I had hit the limit which triggered their contacting me. Not to fear, they could assist in fixing the problem! He asked if I had Internet Explorer, I said I do, so he instructed me to go to a webpage where I should download a product called Ammyy Admin 3 (it’s free!) which would allow them to assist me directly.

It was at this point that I informed him that I was a computer technician myself and that I knew there wasn’t anything wrong with my computer and that they weren’t receiving notifications through a “web server” of problems I might be having and… that’s when he hung up on me.

Now it appears that the Ammyy Admin 3 software is a legitimate product used by a number of folks that asshole scammers have latched onto for this cold calling scam because it’s free and allows them to take control of your PC once it’s installed. There’s even a forum thread on their site about this scam. Not to mention that if you Google the URL you were given you find that immediately after the link to the Ammyy software homepage are links to people reporting on this scam. Word has it that if you go along with the scam they’ll show you some more generic error messages in the Event Viewer logs and tell you it’s because your system is infected with a virus and then they’ll take you to a website where they’ll try to get you to buy an anti-virus software package that probably doesn’t do jack shit. The details vary as does the software — this account from another support professional back in 2005 said they used a remote desktop package called Teamviewer — but the scam is the same. Show you some scary looking logs and convince you to buy their bullshit software.

Here’s the thing, at any given point in time the Event Viewer is almost always going to be chock full of error messages. That’s just the nature of the Windows beast. If you’re familiar with the Event Viewer then it’s not too difficult to figure out that most of these aren’t anything to be concerned about, but for the average Jane or Joe it can look pretty alarming. Folks have said that once they take control of your PC they’ll also do stupid things like list the files in your Temp or Prefetch folder and then tell you that those files are the result of spyware or a virus. Again, if you’re not that familiar with how Windows works it could look pretty scary. One red flag that you’re being bullshitted is the fact that they have you download a free third-party Remote Desktop tool. Windows already has a Remote Desktop tool built in along with a Remote Assistance tool which Microsoft would probably make use of if it was really Microsoft. Which it isn’t because Microsoft would never call you for something like this.

As near as I can tell, the scammers aren’t using the opportunity of having full access to your computer to steal your personal information (e.g. documents, credit card numbers, bank passwords, etc.), but I didn’t dig into too many of the websites that are talking about this so I can’t say for sure that they aren’t. Needless to say, once you’ve given them access to your machine you should probably consider it compromised badly enough to back up your data, erase your hard drive, and reinstall everything from scratch. Hopefully you’ll have read this first and will recognize these assholes when they come calling.

Own an iPhone or iPad? It’s been tracking everywhere you go for the past year.

A sample of the output from the iPhone Tracker app. The bigger the dot, the more times you’ve been recorded as being there.

Here’s something you probably didn’t know about your iPhone/iPad: it appears to be keeping a record of every place you’ve ever been, both on the device itself and on your computer if you use iTunes to back up your phone. The folks over at ArsTechnica.com have the details:

Researchers Alasdair Allan and Pete Warden revealed their findings on Wednesday ahead of their presentation at the Where 2.0 conference taking place in San Francisco. The two discovered that the iPhone or 3G iPad—anything with 3G data access, so no iPod touch—are logging location data to a file called consolidated.db with latitude and longitude coordinates and a timestamp. The data collection appears to be associated with the launch of iOS 4 last June, meaning that many users (us at Ars included) have nearly a year’s worth of stalking data collected.

In order to drive the point home, the two developed an open source application called iPhone Tracker that lets anyone with access to your computer see where you’ve been.

Now some of you might be thinking this isn’t anything new, as these products have long had GPS features that will tell you where you are, and they often notify you that they’re doing so when you use them. Yeah, but this is slightly different. This tracking isn’t being done using the GPS, but by triangulating your position relative to cell phone towers:

Users don’t get to decide whether their locations are tracked via cell towers or not—unlike GPS, there is no setting that lets users turn it off, there’s no explicit consent every time it happens, and there’s no way to block the logging. (Nitpickers will point out that you do give your consent to iTunes when you download and install iOS 4, but this is not treated the same way as the consent given to the iPhone every time an app wants to use GPS.) So, whether or not you’re using GPS, if you’re using your iPhone as a cell phone, you are being tracked and logged constantly without your knowledge.

The only way to avoid this tracking is to turn off the cellphone part of the device. Now the problem here isn’t so much that your devices are tracking your every move, but that you’re not being told about it. The good news is that, as near as the researchers can determine, this data is not being sent back to Apple or any other third party. The bad news is that it’s not at all difficult to get access to, which means that if you lose your phone or your computer is compromised then anyone with the iPhone Tracker app can call up everywhere you’ve ever been with it. You can bet your ass that law enforcement absolutely loves this “feature,” so if you’ve ever been anywhere you don’t want someone to know about, well, hope you didn’t have an iPhone with you.

Of course, this only really matters if you give a shit about people knowing your comings and goings. Something which more and more people seem to have stopped worrying about. In fact, the folks at Gawker are reporting that this discovery has spawned a hot new trend:

When it comes to technology today, there is barely any distance between outrageous privacy violation and cool new feature. When news broke yesterday that Apple has been secretly spying on iPhone users, many people immediately broadcasted the illicit data to everyone.

[…] Holy crap, Apple has been secretly logging our every move for months? Let’s… broadcast it to everyone on the internet! Many techies are now showing off their iSpy maps: “I find myself fascinated staring at this automatically generated record of where I’ve been,” wrote tech blogger Alexis Madrigal. Tumblr and Twitter are full of them. “I don’t get out of West LA enough,” user aboycommemoi observed.

For its part, Apple hasn’t said shit about this discovery, but there is some indication that this may not have been an intentional breach of user trust. More likely it’s a bug or an oversight in the program. The folks at Gizmodo explain:

As Gruber’s been informed, consolidated.db—the tin-foil-hat-inducing log in question—is a cache for location data. (As Pete Warden and Alasdair Allan’s FAQ about their project implies.) What’s supposed to happen with the cache is that the “historical data should be getting culled but isn’t”—because of said bug or oversight. In Gruber’s words:

I.e. someone wrote the code to cache location data but never wrote code to cull non-recent entries from the cache, so that a database that’s meant to serve as a cache of your recent location data is instead a persistent log of your location history. I’d wager this gets fixed in the next iOS update.

So how freaked out should you be? If you don’t own an iPhone or iPad then this isn’t really an issue for you. If you do then it depends on how much you give a shit if someone could potentially get hold of that data. The chances that you’ll be hacked and have it stolen for some nefarious, but unknown, purpose are probably minimal. However, that data is something that could potentially be used against you by law enforcement if they should happen to have reason to acquire it.
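To make concrete both what the researchers found in consolidated.db (a log with latitude, longitude and a timestamp that the iPhone Tracker app just counts up per location) and what Gruber says is missing (code that culls old entries so the cache stays a cache), here is an added example written for this post. It is not code from Ars, the researchers, Apple or the iPhone Tracker project. It assumes the table is called CellLocation with Latitude, Longitude and Timestamp columns and that timestamps are seconds since 2001-01-01 UTC; those names match the 2011 descriptions but are assumptions here, and every row in the sample database is constructed for the demo.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: iOS stores these timestamps as seconds since 2001-01-01 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# The day the story broke; used as "now" for the constructed sample.
STORY_DATE = datetime(2011, 4, 21, tzinfo=timezone.utc)


def mac_time(dt):
    """Convert an aware datetime to seconds since the assumed 2001 epoch."""
    return (dt - MAC_EPOCH).total_seconds()


def build_sample_db():
    """Create an in-memory SQLite database shaped like consolidated.db.

    Table and column names are assumptions (CellLocation, Timestamp, Latitude,
    Longitude); every row below is constructed for this example.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CellLocation ("
        "MCC INTEGER, MNC INTEGER, LAC INTEGER, CI INTEGER, "
        "Timestamp REAL, Latitude REAL, Longitude REAL, HorizontalAccuracy REAL)"
    )
    rows = []
    # A "home" cell seen repeatedly over almost a year.
    for days_ago in (300, 200, 100, 30, 5, 1):
        ts = mac_time(STORY_DATE - timedelta(days=days_ago))
        rows.append((310, 410, 1000, 5001, ts, 42.3314, -83.0458, 500.0))
    # One trip out of town, logged once, 180 days ago.
    rows.append((310, 410, 2000, 7001,
                 mac_time(STORY_DATE - timedelta(days=180)),
                 37.7749, -122.4194, 800.0))
    # A neighbouring cell that lands in the same ~1 km bin as "home".
    rows.append((310, 410, 1000, 5002,
                 mac_time(STORY_DATE - timedelta(days=2)),
                 42.3339, -83.0490, 500.0))
    conn.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def visit_histogram(conn):
    """Count log entries per lat/lon bin: the 'bigger dot' in the screenshot.

    Rounding to two decimal places (roughly 1 km) is this example's choice,
    not necessarily the tracker app's exact binning.
    """
    counts = Counter()
    for lat, lon in conn.execute("SELECT Latitude, Longitude FROM CellLocation"):
        counts[(round(lat, 2), round(lon, 2))] += 1
    return counts


def span_days(conn):
    """How far back the oldest entry reaches: a cache that became a history."""
    oldest, newest = conn.execute(
        "SELECT MIN(Timestamp), MAX(Timestamp) FROM CellLocation").fetchone()
    return (newest - oldest) / 86400


def cull_cache(conn, now, max_age_days=7):
    """Delete entries older than max_age_days and return how many went.

    This is the culling step Gruber describes as never having been written:
    with it in place the file only ever holds recent locations.
    """
    cutoff = mac_time(now - timedelta(days=max_age_days))
    cur = conn.execute("DELETE FROM CellLocation WHERE Timestamp < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    print(f"log spans {span_days(db):.0f} days before culling")
    for (lat, lon), n in visit_histogram(db).most_common():
        print(f"  {lat:8.2f} {lon:9.2f}  {n} entries")
    removed = cull_cache(db, STORY_DATE)
    print(f"culled {removed} entries; log now spans {span_days(db):.0f} days")
```

The histogram is all the tracker app really needs to draw its map, which is the point about the risk: nothing clever is required once someone has the file. The cull routine shows how small the missing piece was; with a seven-day window the constructed log shrinks from a year of history to a few days of cache.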

Given the recent hoopla here in Michigan where the State Police have been accused of extracting data from cell phones during routine traffic stops, that may be something to consider. (Note, the MSP put out a response to the ACLU’s assertions saying that they do not collect cell phone data during routine traffic stops and only do so with a court-issued warrant.) And while you may say that you’ve nothing to hide from the police, it’s not like there aren’t cases where circumstantial and coincidental evidence got an innocent person convicted.

Just the same, forewarned is forearmed and it’s better to know what is being collected about you — intentionally or not — than not know.