Filed under: Bad Apple, iPhone
Regarding the IMEI tracking brouhaha
Late last night, we got word that Dan over at Uneasy Silence had discovered a URL embedded into two iPhone programs. The URL, which is formatted to include your iPhone's equipment ID (IMEI), apparently contacts Apple when you use the weather and stocks programs.
TUAW took a look at these programs and can confirm that the URL appears in both. When we tried connecting to Apple, the URLs did not return any data, further supporting Dan's concern that these were used for tracking purposes. We tried with both valid IMEI numbers and spoofed ones.
So is Apple using this data for nefarious tracking purposes? That point remains less clear. It's possible that Apple added this URL for future use to restrict data access to those iPhones with valid AT&T accounts--your IMEI gets registered with your phone number. It's also possible that Apple uses this URL to track activity, i.e. how much use per account for internal auditing.
One thing that is very clear, as Dan points out, is that active iPhone users have consented to data collection in the end user agreement. Beyond that, what data is collected, and how it is used remains fuzzy. Perhaps Apple will now issue a statement clarifying the situation and put user fears to rest.
Update; Gizmodo reports that sniffers detect no actual IMEI data being sent at this time. If you'd like to personally confirm the two URLs we found, you can easily do so by copying the two executables to your computer and issuing the strings command.
![TUAW [Cafepress]](http://www.blogsmithmedia.com/www.tuaw.com/media/tuaw-cafepress-promo.png)
Reader Comments (Page 1 of 2)
Andy said 10:42AM on 11-19-2007
Oh dear apple should really take care with this, There are some enourmeously stringent consumer protection laws in europe. And it wont matter what it says in the contract then.
Reply
Frank said 10:51AM on 11-19-2007
so, it's the stock program and the weather? big deal, i say. i think i've fired up the stock program twice since i got my phone in june. i do fire the weather one up quite often, but still. i'm not getting the hubbub.
Reply
boz said 11:06AM on 11-19-2007
Hey dudes, I heard rumors that AT&T actually tracks every phone call you make on your iPhone.. not just when and how long you talked but also WHO you called. Oh noes!!
Now, tell me again why Apple identifying me when I hit their servers is a problem?
Reply
Patrick McCarron said 11:09AM on 11-19-2007
How about someone setup a server on their network with a PHP script and repoint the DNS entry to that box to see what data the iPhone really sends to it?
Reply
mikka said 11:12AM on 11-19-2007
@boz lol. Normally, I'd side along the lines of as long as th information is used for internal auditing/personal account management for Apple/Att&T, I wouldn't have a problem. BUT considering the current ATT&T+NSA teamup, I'm a little worried when they do anything. I mean, it's already known that you can track where cellphone calls are coming from and all that, but still, it is something that should be noted. Thanks for the wistle, blower.
Reply
jeff said 11:16AM on 11-19-2007
I don't really think Apple is "tracking". This is how their web services work. If you look at Calculator on Leopard (or Tiger), it uses: http://wu-calculator.apple.com/dgw?imei=APPLE&apptype=finance. This is used to query the web service for currency conversion.
It is simply a web service API. In the Stock and Weather examples that you show, this API is called then redirected to Yahoo for data.
Reply
bob sakamano said 11:17AM on 11-19-2007
oooo apple is watching which stocks i don't have any monitoring my weather checking habits.
big woop
i also agree with boz
Reply
matthew said 11:17AM on 11-19-2007
I'm sure Apple just wants to make sure you keep checking the Cupertino weather and AAPL price.
Personally, I don't have a problem with usage tracking. You're crazy if you think your usage isn't tracked when you check the weather or stock prices via means other than an iPhone widget. If you really care, just add Redmond and MSFT to your widgets to mess with their heads.
Reply
Lars said 11:41AM on 11-19-2007
Some server-phone interchange is obviously required for the widgets to function, but both can function without the inclusion of IMEI. So the question why it's sent at all is a valid one.
Reply
Rob said 11:48AM on 11-19-2007
Maybe Apple doesnt want other devices to access the feed, so the URL contains a valid IMEI to make sure only the iPhone has access.
Reply
leifab said 11:59AM on 11-19-2007
What about those of us who have those same apps on the iPod Touch. They work just fine sans imei.
Reply
Chris said 12:01PM on 11-19-2007
You want privacy?
1. Stop using your Debit/Credit Cards.
2. Don't use Google for anything. Ever.
3. Use prepaid cell-phones that you pay for in cash.
4. Or use Pay Phones (if you can find one)
5. Don't use the internet unless you control your DNS servers
6. Don't use the internet unless you have an end-to-end VPN service
7. Don't use email unless you host your own email on your own servers.
None of you has any privacy. I'm not defending this privacy concern that Apple may be tracking your data. But I *know* I'm being tracked in so many other ways that I really don't care about this at this time. Until I'm ready to fall off the grid and use nothing but cash and live in the mountains, this is my reality.
Reply
joseph said 12:09PM on 11-19-2007
Who cares. They could collect the same data by collecting your IP (OH NO YOUR PHONE IS BROADCASTING AN IP ADDRESS) and then tying those IPs back to AT&T's logs. Give me a break.
Reply
Henry Flower said 12:59PM on 11-19-2007
Strangely, my stocks and weather apps stopped working on my Touch recently...
Reply
Mark 2000 said 12:59PM on 11-19-2007
This may or may not be a big deal, but I'll never understand people who side to passionately and angrily with corporate. What are you gaining? What have they done to win such loyalty? And, most importantly, how much are they paying you to troll these blogs? I want some of that sweet troll money.
Reply
Adam S said 1:13PM on 11-19-2007
Has anyone tried editing their DNS to spoof that site and confirmed thatthe iMEI is actually transferred.
Also, is it in any way a bad thing to have your iMEI transmitted in plain text? The URL is not encrypted in HTTPS, right, so on a wifi network, you could be trasnmitting your iMEI in plain text.
Reply
WiFone said 1:41PM on 11-19-2007
Now where's that smartass lawyer's webform to sign up for the upcoming punitive damages class action...
Reply
John said 1:35PM on 11-19-2007
This isn't the only area in the iPhone/iPod Touch where stuff is tracked.
I bought a Touch last month while out on business, but didn't have wireless in my room. (Long story)
Getting out and about, I did find a WiFi spot. Safari worked fine, but:
Two interesting things after loading up some MP3s:
1. Youtube won't work unless you sync with iTMS with an internet connection.
2. I'm really trying to figure this one out... When double clicking the button on the front of the device, a little mini music control comes up. Only the pause/play control would work for me until I synced with iTMS with internet. Tested for a week, and wouldn't work until the device communicated back with Apple.
Reply
Sparks said 1:35PM on 11-19-2007
As a developer, looking at this I think we're probably seeing something originally designed so that widgets could count unique visitors by IMEI instead of IP; IP is useless for tracking mobile apps since you're generally behind some form of NAT or proxy gateway when connected via GPRS/EDGE, and when you add in bouncing on and off of WiFi networks into the mix, that would make it worse.
Advertisers and business partners want to know things like 'unique visitors' -- this is why so many sites add a random identification cookie to your browser -- and I am betting that things were designed this way to address that. Using the IMEI looks like a privacy concern at first, but... really, it's just a unique ID which is guaranteed to be unique to a specific phone, but doesn't betray information like your phone number or whatever (unless you go harass AT&T for customer records, I suppose).
Reply
Bantu said 2:56PM on 11-19-2007
1st, Dan didn't discover the URL at all. Some random guy in a forum "discovered" it and posted it, without bothering to check if it actually transmits the IMEI. Dan is just repeating the rumour, much like you are
2nd. It's just rubbish. The iTouch and Calculator.App on OSX both have the same URL, yet they aren't phones and can't possibly be transmitting an IMEI
3rd. Some Germans have done a test (packet sniff the data, rather than see the word IMEI and assume it transmits a an IMEI) and found that it doesn't transmit the IMEI
Have the decency to check your facts before repeating non credible information that stems from one unsubstantiated post on a forum
Reply