Editor’s note: In the days before Edward Snowden, Apple’s iPhones were notorious for privacy problems, and lots of people went to jail because their phones snitched on them. iPhones were generally regarded as the worst offenders; with Android it depended on what malicious software the carrier added and whether or not the user used Google services with it. After the Snowden revelations broke, Apple might have decided to reverse course fearing lost sales, thus the recent encrypted iPhones the FBI is whining and moaning about.
Back in 2011 CNET broke an extraordinarily ugly report that Apple iPhone/iPad devices were tracking user movements and storing a log file of all user movements unencrypted on the device.
Even worse, this log file was routinely transferred to computers syncing to the device. If your older computer containing this file is taken in a raid, or if you are ever arrested with an iPhone of that era, the cops could get a record of ALL your movements while carrying it. The report is out on CNET, so presumably the “computer crime” cops also know about it. Don’t be surprised if someone taking money from the cops was the source of this code, for that matter.
Even the feds were furious with Apple, and Congressman Ed Markey demanded answers from Apple’s CEO about this user tracking, which of course Apple never told users would happen.
I would guess this sort of tracking file was intended for the use of online advertisers. That, of course, is assuming Apple did not get screwed by a programmer taking money under the table from the Secret Service, the FBI, or the NSA.
If you own an iPhone from that era and bring it to protests, stop doing so now if it is running iOS version 4, unless you are capable of rooting the phone, finding the log file, and securely deleting it. Otherwise, any two iOS 4 phones captured together at a protest could tell police a lot of things that could put people in serious jeopardy! Ask me in person about details of how this sort of information could be exploited. I am not telling them how to use it on an open forum, as they may be too stupid to figure it out for themselves.
If you have carried such a device in the past to protests from which criminal charges could ever ensue, you need to take it to a hacker who knows how to find and securely delete this file, or totally destroy the hard drive and replace it, never bringing the phone to a protest again.
With most cell phones (Android and old-style dumbphones) you can remove the battery when you just can’t afford to be tracked, but iPhones have batteries that cannot be removed without an X-acto knife. This means you can’t carry one with the battery out and put the battery in only when the phone is in use. I do not know if iPhones can be turned on remotely under a wiretap order, but I do know that many other phones can be. The most common approach is to replace the dialog that turns the phone off with malware that only shuts down the screen, the speaker, and responsiveness to user input. Removing the battery and putting it back in will forcibly shut off, and keep shut off, a phone with that particular malware. Assume this sort of thing applies to all phones until proven otherwise, and do not carry any phone whose battery cannot be removed unless you have a metal-lined or metal-covered case for it. These cases, known as “Faraday cages,” block all signal to the phone, and testing them is simple: turn the phone on, put it inside, and try to call the phone. It must not ring and you must not be able to reach it.
General cell phone security still relevant today:
Cell phone companies cannot be trusted, so never combine your camera, your sensitive computer work, or anything else with your cell phone. One option is a cheap no-frills voice phone on a prepaid plan paid for with cash only, batteries out when security counts. Edit 2017: The rise of encrypted text messaging services like Signal has created a valid use case for smartphones, as has the ability to encrypt them. You still can’t trust Signal anytime you can’t trust the microphone or the touchscreen, however, and certainly never use the same phone for activism and your whole personal life. Avoid contract phones. A prepaid phone under a false name can be connected to you by analyzing contacts and movements but might be harder to admit into court proceedings than a phone registered to your name. A burn phone is such a phone used once with no other phone turned on, then discarded. Those are next to impossible to trace.
Keeping cameras, meeting notes, addresses et al. somewhere other than on your phone is as important as ever, as is never using the phone’s browser for any online activity you can’t afford to have traced to you by the phone. Do not fill out all the details in “contacts”; keep them as sparse as you can while still remembering the entries. Never install the Facebook app, never use the phone with Facebook, turn location OFF (you don’t want a Google location history!), and preferably avoid logging into ANY website. Avoid ad-supported apps and use the Adblock browser with all ads and trackers disabled. Those ad networks try to get your entire surfing history, so block all of them, all of the time.
It is possible to install Linux on some tablet computers, then use them with external, USB-connected cell phone data plan adapters for functionality similar to an iPad with a hell of a lot more security. This way, the cell phone tower cannot see anything your secure operating system does not explicitly send them except your location when you are actually using the adapter. That can be found simply by triangulating the signal, but is not as accurate as a GPS phone would be and cannot tell your position in a dense crowd or on a city block. Unlike a normal cell phone, the carrier can’t push spyware to the tablet as the 4G radio is not physically connected to its memory bus.