by Christina DesMarais for Techlicious
Is the FBI Tracking 12 Million Apple Users?
UPDATE 9/10/2012: Paul DeHart, CEO of the Blue Toad publishing company, told NBC News that its million-record database of UDIDs was stolen within the last 2 weeks and that there was a 98 percent correlation between its dataset and the one the hacker group Anonymous claims it stole from an FBI agent’s laptop in March.
This week the hacker group known as AntiSec released a list of one million UDIDs—Unique Device Identifier numbers associated with Apple mobile devices—which it says came from a collection of 12 million UDIDs lifted from an FBI agent’s laptop.
The complete original file also contains user names, name of device, type of device, APNS tokens, ZIP codes, mobile phone numbers, addresses, and more. AntiSec’s release doesn’t include this personal information and the hacker group says it only wants the public to know that the FBI uses such information to spy on people.
Apple says it never gave the FBI any such information while the bureau itself issued a statement denying the data came from them. “The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data,” it says, in a remarkably short and vague answer to a controversy of this magnitude.
Still, the UDIDs are real—many news outlets are publishing examples of people who have found their devices on the list.
Where did the List Come From?
An Apple spokesperson told the web site AllThingsD that “The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID.”
If that’s true and assuming the list wasn’t gleaned from some kind of hack into Apple or other company, the next most likely culprit is an app developer. Here’s why:
The UDID is an alpha-numeric string of characters that tells Apple and developers which device is yours so they can do things like push alerts to your phone, serve you ads and keep track of your preferences. Following privacy concerns Apple has cracked down on developers that track users via the UDID because it found that in addition to the identifier some developers were also garnering personal user data. That means any number of developers with more than 12 million users could have compiled the data the FBI agent supposedly had on his laptop.
