Apple of my Gulag....

It is sad to write something bad about a good company, but they deserve it… Probably…

In the Former Soviet Union (oh, boy, how I love the sound of “former”), whenever we had a political discussion in the family room, we used to rotate the phone dial halfway and fix it in this position with a pen. Why, you may ask? Somehow we believed that it prevented “people who need to know” from snooping on what we talked about. (Soviet-made rotary phones had a microphone connected directly to the line.) Someone may call it “paranoia”, but not the ones who survived the “advanced socialism” experience…

Fast forward to our days… Certainly, each country has its own “people who need to know”, but fortunately, in normal countries their activities are well regulated by government and courts (and, indirectly, by the people who elect government and courts). Some may not like it, but CALEA is a useful tool for preventing (or punishing) crime and terrorism. However, “lawful” and “court approved” are the keywords here...

The story is different when a private company uses technology to snoop on its customers. It can be described as something in the spectrum from “bad business” to “illegal surveillance”. Many Internet companies collect information while you are visiting their websites – Google, Yahoo, DoubleClick and many others actually base their business on the ability to learn customers' preferences and to personalize responses. But usually they can’t link this information back to you, Ms. or Mrs. Smith, living at 314 BrockBack str, MidOfNowhere, CA. Probably, they would love to, but they lack the essential information that links your personal information to your internet activities (it can easily be done by an ISP, but usually they refuse to share this info without a court order).

Now it is Apple's turn – just recently they came out with a new hit product – the iPhone. Wow! … Sold in the US only to AT&T customers for $400 and bundled with an expensive two-year contract, it became an instant hit, a “must have” status item in the US and abroad (many items had been smuggled out of the US and hacked to support non-AT&T networks even before Apple started to sell this product in Europe). As usual with recent Apple products, the iPhone is indeed a great combination of technological and aesthetic perfection. And Apple's numbers prove it – in just the first 74 days after the product introduction, Apple sold 1 million iPhones.

The iPhone is not just a “better phone” – it is your personal handheld communication center, equipped with broadband 3G and WiFi connectivity. It includes not just communication and entertainment applications, but a set of business-oriented applications. It is made for ALL of your communication needs! Just use it. Wherever you are, whatever you are doing… Nice gadget…

For example – you can use the STOCK application to watch your preferred tickers. Wherever you are, whatever you do, it lets you know price changes, market movers, etc… Now you can manage your 401k while riding a train or pretending to enjoy the SF Opera.

But here is a bummer… Or a shocker… Or potential illegal surveillance… Or nothing… Depends on your point of view:

A few days ago (Feb 16, 2007), “good guys” from the “Macintosh hacking” community reviewed the STOCK application's executable code and… WTF!!!!!!!!!! Inside the mesh of bits and bytes, they found an almost “innocent” string:

http://iphone-wu.apple.com/dgw?imei=%@&apptype=finance

 
Certainly, considering the “closed source” nature of the iPhone, no one (besides a few Apple developers) knows for sure what exactly this string is for. Some preliminary “network sniffing” tests didn’t show anything really alarming, but from a programmer's perspective, it is obvious that this string is to be used to form a URL that includes an “imei” variable substituted with actual numbers to be determined by the running application (and probably unique to your device).
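The string review described above can be repeated on any application binary. As an added example (not code from the original post or from Apple), this Python script extracts printable strings from a binary blob and flags URL templates in which a device-identifier query parameter is filled from a format placeholder such as %@. The parameter names other than imei, the function names and the sample blob are assumptions constructed for illustration.

```python
import re

# Parameter names that usually carry a persistent hardware identifier.
# Only "imei" appears in the post; the rest are assumptions for illustration.
DEVICE_ID_PARAMS = {"imei", "imsi", "meid", "udid", "serial", "deviceid"}

STRINGS = re.compile(rb"[\x20-\x7e]{8,}")   # runs of printable ASCII
URL = re.compile(r"https?://[^\s\"'<>]+")   # URL-looking substrings
# Format placeholders filled at run time: %@ (Objective-C), %s, %d, %lu, ...
PLACEHOLDER = re.compile(r"%(?:@|\d*l{0,2}[sdiux])")

def printable_strings(blob: bytes):
    """Yield printable ASCII runs, like the Unix `strings` tool."""
    for match in STRINGS.finditer(blob):
        yield match.group().decode("ascii")

def templated_id_params(url: str):
    """Return query parameters that take a device identifier from a placeholder."""
    query = url.partition("?")[2].partition("#")[0]
    hits = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() in DEVICE_ID_PARAMS and PLACEHOLDER.search(value):
            hits.append(name)
    return hits

def find_id_templates(blob: bytes):
    """Return (url_template, params) for every flagged URL template in blob."""
    findings = []
    for text in printable_strings(blob):
        for url in URL.findall(text):
            params = templated_id_params(url)
            if params:
                findings.append((url, params))
    return findings

# Constructed sample: binary padding around the string quoted in the post,
# plus one made-up template (example.com) that carries no device identifier.
SAMPLE = (
    b"\xfe\xed\xfa\xce\x00\x00__TEXT\x00"
    b"http://iphone-wu.apple.com/dgw?imei=%@&apptype=finance\x00"
    b"http://example.com/quote?symbol=%@\x00\x01\x02Stocks\x00"
)

if __name__ == "__main__":
    for url, params in find_id_templates(SAMPLE):
        print(f"{url}  -> device identifier in: {', '.join(params)}")
```

A hit only shows that the binary contains such a template; whether the request is ever sent still has to be confirmed by watching the device's traffic.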

 

In non-programmer's words it is even simpler:

        Whenever you use the iPhone to check the stock market, the STOCK application informs Apple headquarters of (a) what you are doing and (b) your IMEI number.

So What? Big Deal?    

Yes, IMHO, not just a BIG – a HUGE deal!

Let’s start with the IMEI – what the hell is it? Apparently, every GSM phone has a unique identification number. It is built into the phone during the manufacturing process and can’t be changed (without pretty difficult hacking). It is not related to the inserted SIM card or the associated phone number – it is a permanent identifier of the device itself. Whatever SIM card you insert, whatever carrier you are using, your IMEI is still the same. This simple fact is still obscure to the general public, and sometimes results in quite successful anti-terrorist operations:

            http://www.hinduonnet.com/fline/fl2403/stories/20070223002310900.htm

Police investigators began by attempting to trace Abul Rahman Paddar through his mobile phone. Bharat Sanchar Nigam Limited (BSNL) staff found that while his phone number had become inactive, his cellphone - identified by its IMEI (international mobile equipment identity) number, 357054000874988, was still running, now fitted with a new SIM (subscriber identity module) card.

The poor bastard wasn’t just a killer – he was a cheapskate, saving on a new cellphone ;-)

 

Back to the Apple.....

Why do they need to know the IMEI? Don't they already know your IP and browser cookie numbers? Yes, but this information is not much different from what is already known by Yahoo or Google – they can trace all activities made by the same person, but have no way to know who this person is without the cooperation of the ISP (AT&T in the iPhone's case).

With the IMEI, Apple made one step, but the last and the most important one – it got a unique opportunity to link network activities to a specific person, his social security number, home address, credit card information and so on. How? Very simple – when you purchase your iPhone in the AT&T shop, you get your new device “provisioned” or “activated”. Your new device's IMEI number, together with your personal information (including all the extensive info necessary for a credit check), is submitted into a centralized AT&T database. AT&T has to pass this data to Apple to get an activation number (unique for each IMEI). The Apple server calculates a secret activation code and forwards it back to AT&T and the sales person who is helping you with your shopping. Would you believe that Apple drops all the received information out of their database? Call me paranoid, but I rather assume that they keep it.

Do I need to say more? From now on everything is simple… Apple knows (a) who you are, (b) where you are and (c) what you are doing on the internet right now… How will they use this info? I do not know, but they certainly made an effort to collect it… Probably Steve Jobs has some new bright idea… (Crushing Wall Street by using real-time info collected from high-profile iPhone users? – looks like a good theme for an action movie, doesn't it ;-)

Still waiting for more interesting discoveries….

Comments

IMEI == SSN?

From an excellent Bob Cringely article at http://www.pbs.org/cringely/pulpit/2007/pulpit_20071109_003391.html

"your mobile phone number is the most practical supplement for the Social Security number as a financial identifier"

He was writing in the context of Google, but it looks like Apple may also fit.

~Matt