A former employee of Apple stumbled across something in the iOS 4 update that keeps track of where you’ve been for the last year! What does this mean? Who can access this information? Are they watching me right now at my desk in my underwear? CNET went into detail about all these questions (except the last) and you can read all about it after the jump!
The following is courtesy of CNET.com
Researchers announced today that they found what look like secret files on the iPhone that track user location and store it on the device, without the permission of the device owner. It’s unclear what the data is used for and why Apple has been collecting it in iOS products that carry a 3G antenna for nearly a year now.
Pete Warden, a writer, and Alasdair Allan, a senior research fellow in astronomy at the University of Exeter, discovered the log file and created a tool that lets users see a visualization of that data. They say there’s no evidence of that information being sent to Apple or anybody else. Even so, the pair note that the data is unencrypted, giving anyone with access to your phone or computer where backups may be stored a way to grab the data and extrapolate a person’s whereabouts and routines.
To help users understand more about the data that’s being collected, what the risks are, and what they can do about it, CNET has put together this FAQ, which has been updated several times since it was first published on April 20.
Who are the researchers and how did they find this?
Warden, who used to work at Apple (though not on the iPhone), and Allan had been collaborating on some location data visualization projects, including a visualization of radiation levels over time in Japan after the earthquake, when Allan discovered the file on an iPhone. “After we dug further and visualized the extracted data, it became clear that there was a scary amount of detail on our movements,” they wrote in a blog post.
When did this start and what devices are tracking this data?
According to Allan and Warden, the tracking didn’t begin until iOS 4, which was released in late June 2010. The previous version of iOS did in fact track a similar set of information, including cell towers and GPS information, but the data was not stored in a simple directory format.
iOS 4 was the first version of iOS to drop support for devices like the original iPhone, with devices like the iPhone 3G and second-generation iPod Touch getting a more limited feature set. Along with iPhones, 3G-enabled iPads are also keeping track of the data, though it’s unclear if this is true for people who have 3G devices without active cellular subscriptions.
The tracking data itself was actually discovered last year. Research from Alex Levinson and a book by Sean Morrissey from Katana Forensics detail information that can be gleaned from these files. There’s also a tool by French programmer Paul Courbis that’s similar to the one released by Allan and Warden and is able to plot up to 10,000 of these data points from the database file to a Google Map. The issue was known in forensics circles but not widely, Allan and Warden said in a news conference this afternoon at the Where 2.0 conference in Santa Clara, Calif. An application they released that allows people to see what data is on individual devices makes the abstract tracking concept more real.
Did they contact Apple on their findings?
The researchers said they had contacted Apple’s Product Security team but hadn’t heard back.
Where is this data being stored?
The database of location information is stored primarily on your phone, though due to the iOS device backup system in iTunes, these files can also end up on your computer. When iTunes saves these backups, which are set by default to be stored every time you sync an iOS device, the data file goes along with it.
What’s curious is that this log can extend across multiple devices as long as those devices use the same restore point. Allan and Warden noted that the database used as part of the project spanned an iPhone 3GS and an iPhone 4, the latter of which had used a restore point.
The researchers have more technical details and the downloadable application to see a visualization of the data collected from your phone over time here. The application does not work with iPhones on Verizon, the researchers said.
In the 13-page response to a letter about phone privacy sent by Rep. Ed Markey (D-Mass.) back in June, Apple more firmly laid out the storage location of various types of collected information, which you can read here (PDF). The long and the short of it is that Apple said it tracks this information and uses it as part of its own database of locations and cell towers. Some of that information, including Wi-Fi access points and cell towers, is sent back to the company every 12 hours when users are connected to a secured Wi-Fi network. That information is decoupled from the user to make sure it cannot be traced back to the specific device. The transmitted GPS information specifically remains private to the company, Apple said.
What’s inside this data?
A database of cell tower coordinates and timestamps to indicate when your device was connecting with them. This includes what operator you’re on and the country code. The research also found that Apple was tracking data about what Wi-Fi networks you were connecting to, which also included slightly less accurate location information, but continued to track that data by time. The researchers’ visualization app shows large blue dots for frequent activity and smaller red or orange-colored dots for less frequent activity. However, it’s unclear exactly what is triggering the logging, they said.
Is there an easier way to see that information than a giant database form?
Yes, Allan and Warden created an open-source software program that is able to go through the data from the database file and turn it into a visualization of what towers your device connected to based on the dates and times. The pair say the application intentionally cuts down on the accuracy of this data to keep the software from being used for bad things. You’re also likely to see points in places you haven’t been, since the tracking tools within the iPhone make use of nearby cell towers to triangulate location. “As a data geek I was excited to have this data set, but I don’t want anyone else to have this data,” Allan said.
What is the harm with this data being collected and stored on the device?
“By passively logging your location without your permission, Apple [has] made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movements,” the researchers wrote in their FAQ.
Some forensics companies offer such software, which you can read more about in this post.
While acknowledging that there is no need to panic, the researchers noted that if someone gets hold of the device, they can access the unencrypted data. “Your cell operator has this information,” they said in the news conference. Anyone who wants it has “to get a court order to get that from a provider. But now, all you have to do is lose your phone in a bar.”
Apps on the device cannot access the data, because it is “sandboxed,” the researchers said. However, it could be accessed by software on the computer that holds the backup, they said.
How do I protect this data from being seen by others?
The data file itself is completely unencrypted, meaning anyone who gets hold of it can access the data freely. On the iTunes side, there’s an option to encrypt your backups, which will keep someone who gets access to a backup file while rummaging through your hard drive from being able to dig through it and pull out the database file.
To enable that feature, click on the device icon when it’s plugged into iTunes, then check the “Encrypt iPhone Backup” item in the “Options” area. As for your iPhone, or iPad with 3G, your best bet is to keep someone else from getting it in the first place, and then use Apple’s free “Find My iPhone” app to do a remote wipe if it’s lost or stolen.
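To confirm that the “Encrypt iPhone Backup” setting actually took effect on the backups already sitting on a computer, the following added example (not code from CNET or from the researchers) reports the encryption status of each backup folder. It assumes the iTunes backup layout in which every backup folder holds a Manifest.plist with a boolean IsEncrypted key; the function names and the sample folders are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError


def backup_status(folder):
    """Classify one backup folder as 'encrypted', 'unencrypted' or 'unknown'."""
    try:
        with (Path(folder) / "Manifest.plist").open("rb") as fh:
            manifest = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return "unknown"  # missing or unreadable manifest: inspect by hand
    if not isinstance(manifest, dict) or "IsEncrypted" not in manifest:
        return "unknown"  # assumed key is absent, so make no claim either way
    return "encrypted" if bool(manifest["IsEncrypted"]) else "unencrypted"


def audit_backups(backup_root):
    """Return {folder_name: status} for every backup folder under backup_root."""
    return {
        entry.name: backup_status(entry)
        for entry in sorted(Path(backup_root).iterdir())
        if entry.is_dir()
    }


def build_sample_root(root):
    """Write constructed sample backups (not real device data) for a dry run."""
    samples = {
        "sample-encrypted": {"IsEncrypted": True},
        "sample-plaintext": {"IsEncrypted": False},
        "sample-no-flag": {"Version": "constructed"},
    }
    for name, manifest in samples.items():
        folder = Path(root) / name
        folder.mkdir()
        with (folder / "Manifest.plist").open("wb") as fh:
            plistlib.dump(manifest, fh)
    (Path(root) / "sample-damaged").mkdir()
    (Path(root) / "sample-damaged" / "Manifest.plist").write_bytes(b"not a plist")
    return root


if __name__ == "__main__":
    # Point audit_backups() at the real iTunes backup folder instead to audit it.
    with tempfile.TemporaryDirectory() as tmp:
        for name, status in audit_backups(build_sample_root(tmp)).items():
            print(f"{status:12} {name}")
```

Any folder reported as unencrypted or unknown is a backup from which the location database could still be read by someone with access to the computer.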
Read more: http://news.cnet.com/8301-13579_3-20055885-37.html#ixzz1KfD9krBh
