Apple and Starlink Enhance Privacy Following Tracking Research
Researchers from the University of Maryland, Eric Rye and Dave Levin, have uncovered serious security and privacy issues in the geolocation systems used by Apple and Starlink. Their study revealed that the data collected and publicly shared by these companies could be used to track the locations of billions of devices worldwide.
How Apple and Starlink Collect Location Data
Apple gathers precise location data on all Wi-Fi access points visible to its devices. This allows Apple devices to provide users with location information without constantly relying on GPS. Google uses similar systems. Both tech giants record Wi-Fi access point identifiers, such as MAC addresses (BSSID).
Unlike Google, Apple returns the geolocation of up to 400 nearby BSSIDs, enabling devices to determine their location based on known access points. This large volume of data allowed the Maryland researchers to track the movement of individual devices anywhere in the world. They requested data on over a billion randomly generated BSSIDs and received information on 488 million access points.
Tracking Starlink Devices
The researchers used this data to monitor the movements of Starlink satellites. Each Starlink device is equipped with its own Wi-Fi access point, which is automatically indexed by nearby Apple devices with location services enabled.
Starlink responded to the study by implementing software updates to randomize the BSSID of its devices, thereby increasing privacy. After analyzing these updates, Levin and Rye found a significant reduction in the number of trackable Starlink devices, indicating the effectiveness of the changes.
Apple’s Privacy Policy Updates
Apple also made changes, updating its privacy policy in March 2024. Users can now opt out of location data collection by adding “_nomap” to their Wi-Fi access point’s name. These changes were introduced after researchers pointed out the lack of opt-out options.
Risks and Recommendations
The researchers warn that these issues pose risks to vulnerable groups, such as people escaping domestic violence, and urge Apple to implement additional measures to prevent misuse of location data. They also noted that mobile hotspots that randomize BSSID do not present the same privacy threats as stationary Wi-Fi access points.