click to view enlarged image

I hit on a couple articles today that raised awareness on yet another mobile device security issue, this one applies to all the iPhones and iPads with active GPS. A little deeper digging uncovered an excellent forensic discussion and rebuttal by Alex Levinson that details his own research, paper and even forensic software that has been available for some time. The primary issue is that the Apple iOS has been storing your unsecured location history within different file locations since GPS enabled iPhones were available. The only way to prevent this slow accumulation of time-location information is to turn off your Location Services. Although this information has been available previously through the Lantern 2.0 application  from Katana Forensics LLC, it is now accessible via a free open source utility called the iPhoneTracker. The June 2010 iOS 4.0 release by Apple moved all the diverse tracking information into a new Consolidated.db central location that is easier to access.

All of this could be blown off as being only relevant to criminal or private investigations. Police forensic labs have known about this location storage for some time. However, as these articles get more publicity, savvy young plaintiff attorneys and eDiscovery consultants can start targeting interrogatories and discovery requests to get this information if time and location information can be made potentially relevant to a matter. Can you imagine having an hourly location log of a key witness that goes back as long as they have used an iPhone? I have been deposed several times recently in matters and I can tell you how hard it is to exactly remember dates and places after more than a year. That is why I try to take very clear notes to jog my memory on most engagements. “So Mr. Smith, I see by your affidavit that you say that you saw the leaking valve two days before the explosion. If that is the case, why does your iPhone say that you were in Cabo on that date?”

So what does this mean for corporate Legal and IT? I would recommend an immediate review of your written and applied mobile device policies. If you support and provide Apple mobile devices for employees, then you should evaluate how likely they are to be relevant to future matters. I would recommend using the application to pull this information from one or more sensitive employees to see what it looks like.  That will allow your counsel to make the risk vs. effort call on the policy. The primary decision is whether to require users to disable the Location services and clear that file. Of course, you may have to do collections for any active holds that predate the policy change. eDiscovery is a moving target. We keep finding new sources, formats and the implications of them are not always clear. So keep up to date and regularly review your policies and procedures. Let me know if you have had anyone actually request this type of information to date as I would love to hear about it.