After breaching an FBI agent’s laptop and finding over 12 million people’s personal information, the hacker group AntiSec redacted and published 1 million unique device identifiers (UDIDs) yesterday. Click here to check if your device was on the list. Note that you’ll need your device’s UDID, which you can find by connecting your device to a computer, opening iTunes, clicking on your device, and then clicking the “Summary” tab. The summary tab will display the device’s serial number, but clicking on the serial number will change it to the UDID.
In a statement, AntiSec says the original data they found on the agent’s computer contained UDIDs, “user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses,” and more. AntiSec removed most personally-identifiable information before publishing, but kept the UDID, Apple Push Notification Service (APNS) tokens, device type, and name.
Your UDID is a string of numbers and letters that serves as a unique identifier for your device. With it, anyone can see that a particular device belongs to you. App push notifications work by sending notifications to a particular device, identified by the UDID. UDIDs can lead to uncovering additional, linked personal information, including logins, passwords, and past GPS locations. Apple and several App developers have been sued over using UDIDs to track users across different apps. After Apple received widespread criticism for creating the UDID system because of the privacy risks it created, they banned app creators from using UDIDs in March 2012.
Privacy implications of the UDID breach
The biggest privacy concern around the breach of UDID’s is that a lot of people–like app developers, data resellers, and mobile analytics companies–are aggregating personal information that’s associated with UDIDs, so knowing a UDID means you can easily find a lot more information about the person who owns that device. OpenFeint, a large mobile social gaming network, has de-anonymize UDIDs, linking them to usernames, email addresses, GPS locations, and even Facebook profiles. MacRumors reported in March 2012 that “While the UDID doesn’t specifically identify a user, the sharing of UDIDs across ad networks and apps can help piece together a valuable picture of activity and interests of the user of a specific device.”
What if your device was hacked?
Unfortunately, there’s not much you can do if your UDID was one of the 1 million that AntiSec released. It’s your device’s permanent fingerprint: the only thing you can do to change is is get a new device. And because UDIDs are tied to additional personal information, including user names, device names, notification tokens, cell phone numbers and addresses, you’re at greater risk of identity theft. In the future, never use your personal information in the name you give your device, like “John Smith’s iPhone:” it’s unnecessary, and it exposes more of your data during a breach.
It’s also possible that malicious app developers could abuse push notifications by hyper-targeting single individuals with things like fake iOS updates. We’ve seen the same kind of thing happen with the shift from phishing emails to spear phishing emails, where attackers use a target’s personal information to make the email seem more convincing.
This breach should also caution users about committing your entire digital life to a single device or service provider. Avoid putting all your eggs in one company’s basket–like having an iPhone, iPad, and iPod Touch–so that a breach on one device isn’t crippling to the others. With our mobile devices, we’re being asked to put our entire digital lives in the hands of the device manufacturers and wireless carriers, and with more personal information than they’ve ever had before.
The realities of data-sharing between private companies and law enforcement
AntiSec published a subset of this information to make the point that the FBI frequently uses private companies like Apple as data sources for surveillance. The name of the file containing the information was “NCFTA_iOS_devices_intel.csv,” which has led to speculation that Apple is sharing its users’ personal information with the FBI through the National Cyber-Forensics and Training Association (NCFTA), which “functions as a conduit between private industry and law enforcement with a core mission to identify, mitigate and neutralize cyber crime.” The question they’re posing is, “Why did the FBI have all this information in the first place?”
Consumers share their information with sites and companies that they trust, but the same companies hand that information over to law enforcement millions of times each year. Companies have little ability to deny a valid request. In July 2012, Massachusetts Congressman Markey published an accounting that wireless companies like Verizon and AT&T received 1.3 million requests for customer cell phone information, like text messages and GPS records, in 2011. Google had to turn over personal data on 11,385 users in the past 6 months. Law enforcement can obtain anyone’s archived emails for about $25.
A company’s options are 1), adopt pro-privacy policies, including storing the minimum amount of personal information required by law so that they have almost nothing of interest to give to law enforcement when asked; 2), challenge the request for being unreasonable, as Twitter has done with a demand for an Occupy Wall Street protestor’s past tweets; 3), alert the customer whose data is being requested so that customer can take up his or her own legal action; or 4), continue storing and selling customer data, hand it over whenever law enforcement asks, and don’t publish or alert consumers, which is unfortunately the option that most companies currently take.
The reality here is that Apple wasn’t hacked: a single FBI agent’s computer that happened to have Apple customer data on it was. In that sense, Apple’s no more at fault than any of the hundreds of companies that law enforcement regularly forces to turn over users’ personal information.