Naked Security

Will the new iPhone 11 track you even if you tell it not to?

Does turning location access off for all your apps mean that location access is off altogether?

Stories about privacy blunders by big companies always attract a lot of attention.

When that big company is Apple, you can replace ‘a lot’ with ‘a whole lot’.

And Apple likes to make public pitches about the privacy its products provide, like the video here:

So, when renowned investigative cybersecurity journalist Brian Krebs recently published a quizzical article entitled “The iPhone 11 Pro’s Location Data Puzzler”, tongues began to wag.

What puzzled Krebs is that the privacy interface for Location Services on his iPhone didn’t seem to work as he expected, which he rightly thought was worth investigating carefully.

After all, thanks to GPS, modern smartphones can work out where you are with astonishing precision, even when you’re offline and have no other positioning data to refer to.

Apps that do clever things with your location have therefore ended up among both the most useful and the most feared software on smartphones.

On one hand, you need never get lost again in an unfamiliar city – no more stumbling around at midnight desperately trying to find the purple building that’s the landmark for where you turn left (or is it right?) to reach your hotel.

On the other hand, the downside of streaming your location to an online service in case you get lost on the way back to your hotel is that someone, somewhere, is clocking up an excruciatingly detailed record of exactly where you’ve been.

Heck, many countries use GPS tracking tags as a form of judicial punishment, as an alternative to keeping convicted criminals in prison.

With that in mind, voluntarily letting yourself be tracked, perhaps by multiple apps and websites at the same time, might suddenly seem like a terribly bad idea.

Safeguarding your location

Apple provides a pretty decent system for controlling how apps use your location:

On the Settings → Privacy → Location Services page, you can choose, for each app, when it’s allowed to use your location data:

Never does what it says – the app can call the iOS functions to retrieve your location, but won’t get anything back; and Always is similarly obvious.

There’s also While Using the App, a middle ground that all location-aware apps admitted to the App Store must now support.

While Using says that the app can only track you while it’s the foreground app on your phone – as soon as you switch to another app or lock your phone, this setting cuts off access to your location.

In other words, if you can’t see the app, it can’t see you.

The confusion starts here

This is where Krebs decided that Apple – or, more precisely, his smart new iPhone 11 Pro – had confused him.

He explicitly turned every app’s setting to Never, while leaving the main Location Services slider turned on.

Krebs inferred that turning every individual switch off would produce the same result as turning the master switch off.

But it doesn’t, in the same way that there’s an important difference between isolating your home’s main circuit breaker, and going round the house turning off every light, plug and appliance individually at the wall.

Krebs started seeing the telltale arrow from time to time when he started using a new iPhone 11 Pro, even with all the individual settings on Never

…a behaviour he couldn’t reproduce on an iPhone 8. (In the interests of science, he went back and tried.)

Something’s changed

Conclusion: something had changed, and it had privacy implications!

But what?

At first, Apple wasn’t terribly helpful, apparently saying simply that:

We do not see any actual security implications […] The icon appears for system services that do not have a switch in Settings.

In other words, the master switch was there to deal with any system components that didn’t have a switch of their own.

Nevertheless, the unanswered part of the question was, “What new system components have recently been added that don’t have a switch of their own and are provoking this previously unseen behaviour?”

A couple of days after the first article came out, Krebs finally received an answer from Apple to fill in the missing detail, so he was able to report as follows:

Apple disclosed that this behavior is tied to the inclusion of a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature, and that a future version of its mobile operating system will allow users to disable it.

This feature, known as Ultra Wideband (UWB), is basically a peer-to-peer wireless data transfer protocol that uses a much wider range of frequencies than regular Wi-Fi, but at much lower power to reduce interference.

But UWB isn’t allowed everywhere in the world.

A few countries have regulated its use, apparently for fear that it might mess with existing radio communications, and Apple therefore added system software that uses your location data, as long as the master location switch is turned on, to disable UWB automatically as required.

Mystery unravelled!

No room for ambiguity

The moral of this story is that there is no room for ambiguity or confusion in software components where users manage their privacy.

We assumed that the master switch only existed because there were location-related features for which there were no individual control sliders.

Krebs assumed from the layout and behaviour of the very same configuration page that the master switch was redundant if all apps were turned off anyway.

Both assumptions are reasonable, but only one can be correct.

So, if you’re a programmer or a user interface designer, you need to go out of your way to avoid security ambiguity in your configuration screens.

Apple, for example, knowing that UWB support on the iPhone 11 Pro would produce location usage warnings in a way that hadn’t happened before, could easily have tweaked the message under the master switch to clarify the situation.

Ironically, Apple is now planning to add a separate control switch for the new UWB feature; let’s hope it accompanies this update with a list of any other iOS services that could cause the location arrow to pop up but that still don’t have their own switches.

And another thing…

While we’re on the topic of user interface design, here’s a long-standing bugbear of ours in Location Services.

Once you’ve turned the location master switch off, you can no longer inspect, let alone adjust, the per-app settings that will apply as soon as you turn it back on:

This means that you can’t tidy up your location settings to improve your privacy without potentially leaking location data while doing so.

If you install a new app and want to make certain that it’s set to Location Services → Never, you have to risk giving it temporary access to your location by turning the master switch on just to get access to turn the app-specific switch off.

(We’d also like a quick-press button to Turn All Apps to Never in one go, for when we decide we want to opt out of everything, instead of wading through the whole app list to make sure we didn’t miss one…

…but that might just be us being fussy.)

Readers, what do you think?

14 Comments

While we’re on the topic of user interface design, here’s a long-standing bugbear of ours in Location Services.

Once you’ve turned the location master switch off, …

Personally, I don’t like “slide switch” in any circumstances unless accompanied by an unambiguous comment like “Location Services currently turned on”. Possibly Apple think that by blanking the subquestions, this gives such an indication – but I agree with you about avoiding leaks when adjusting subsettings.

I don’t like slideswitches because I am sometimes not sure whether something is on or off.
Is there a convention that slide “to the right” is on and “to the left” is off?
Green means “good” – does that mean “off” (privacy preserved) or “on” (full functionality)?
What is wrong with a checkbox? Is it concerns that under touch interfaces it is too easily “switched”, whilst a “slide” is more difficult to do accidentally?

Reply

To be fair to Apple, the idea of lighting up a switch that’s on and making it dark when it’s off isn’t unusual (the switch for my electric water heater does that, although it’s red rather than green – you know at a glance whether it’s on or off).

Having said that, when you are at the Privacy screen, the entry for Location Services actually uses the word “On” or “Off” to describe whether location services are on or off.

I think the slide-style control took over from the checkbox because [a] it looks cooler and [b] it provides animated feedback of the change in state. Also, why does an X in a checkbox mean ON when an X is the opposite of a check mark? An X on a test paper means “you got it wrong”, while an “✓” means you got it right :-)

Reply

Duck — SOME teachers use a “C” for correct and a check “✓” as incorrect

Reply

We use the word ‘tick’ in place of ‘check’, but it’s the same thing…

…and a ‘tick’ only ever has positive connotation. Thus the phrases “tick it off” (i.e. task successfully completed) and “cross it out” (because it is wrong).

Reply

The use of the tick (✓) to mean “correct” in the UK is generally not the case in the US (at least in my experience). As a British transplant to America I was confused when my child’s homework would come back with ✓ marks all over the wrong answers, only to find out that the teacher was using a “check mark” (which is still a “✓”), literally meaning “check your work here, it’s not right.” I don’t think I’ve seen “X” used on homework or test papers here at all.

“✓” can also mean “done”, as in checking things off a list. In that context, “✓” and “X” are virtually interchangeable. Talk about ambiguity!

So from a system interface design perspective, all that confusion may be quite nicely side-stepped by a graphical slider as long as it is clear what “on” and “off” actually mean in a particular context.

All that said, I heartily agree with the suggestion that settings should stay visible (albeit greyed out) when a master switch is turned off. It has always niggled me that this is not the case. I’d also like to choose default settings that apply to any app that is newly installed. I’d then be able to set my defaults to “Location Services: Off”, “Background Processing: Off” etc. Then any time I installed a new app I’d know that those defaults were applied automagically.

Reply

That makes the check/tick/cross box even less suitable given that its interpretation varies so much (even between two countries that have a mostly-common language… except why on earth do you call them restrooms?).

As an aside, that’s why I despise the cybersecurity words ‘whitelist’ and ‘blacklist’ so much. Not merely because some people unexceptionably find them offensive because of the inadvertent implication that ‘white is better than black’. Not merely because in the finance sector, white is black and black is red, for added upside-down confusion. Not merely because the notion of ‘blacklisting’ alludes to illegally and secretly ganging up with competitors to deny someone you don’t like the freedom to seek work. But because replacement words of equal length exist that are entirely self-descriptive and therefore don’t rely on remembering whether a spam blacklist is black in the sense of ‘needs to be kept out of sight’ or black in the sense of ‘solvent and trading lawfully’. Those words are allowlist and blocklist and I commend them to you as a way of being both politically correct and scientific at the same time – and without having to change the text layout in your menu pages :-)

Reply

So last week when I used a stubby little pencil to put an X in a box, was I marking which party was “wrong”? I should have marked them all!
(Time to move away from voting with the mark of illiteracy!)

Reply

I guess the answer to that question is…

…it depends whom you voted for :-)

The use of a cross in voting is semantically quite different because there is only “X” and “no mark at all”.

My understanding (from a chum who used to volunteer as an electoral observer for the party he supported – this was not in the UK but in ‘a country that speaks English and drives on the left’) is that a diagonal cross is used because there is a clear intersection point – as the word ‘cross’ makes clear! – that can be used by the returning officer to judge pretty objectively what the intention of the voter was in a ballot that is not immediately obvious and gets contested.

The place where the lines cross is deemed to denote the voter’s choice, so if the ends of the lines protrude beyond the box, even by some distance, the ballot can be allowed because there isn’t much room for doubt. A tick or check mark doesn’t have quite the same visual clarity because deciding on the precise location of the inflection point in the V of the tick is much harder than deciding the location at which “X marks the spot”.

Reply

If you install a new app and want to make certain that it’s set to Location Services → Never, you have to risk giving it temporary access to your location by turning the master switch on just to get access to turn the app-specific switch off.

I believe by default apps do not get permissions. That’s why when you initially run a new app if it needs location services you have to enable it access. Same for the microphone and pictures and so on.

Reply

On a similar note why do some apps refuse to work if you deny access to the microphone?

Reply

I guess it depends what they are supposed to do. A voice recorder app that couldn’t access the microphone wouldn’t be much use, so it would make sense for it simply to say so and exit if you fired it up while the mic was off.

Reply

Apple Weather still only has Never or Always options, nothing in between.

Reply

I dumped that app long ago (who needs an Apple weather app when you have windows, no pun in10ded)…

…just reinstalled it from the App Store and it *does* have all three choices: Never, When Using and Always. You sure you have an up-to-date iOS? (I have 12.4.3 on an iPhone 6, which is the latest version for that vintage of device.)

Reply
