Apple’s Persistent Device ID is a Threat to Privacy

Today, a group known as Antisec released a collection of one million UDIDs—serial numbers associated with Apple mobile devices, such as iPhones and iPads—which they claim came from a trove of 12 million UDIDs pilfered from an FBI agent’s laptop.

The FBI has issued a statement denying that an agency device was compromised or that “the FBI either sought or obtained the information.” Clearly, there are a lot of open questions, and few solid facts relating to this alleged breach.

Regardless of the specifics of this particular incident, it is time to heed the concerns long voiced by privacy experts about the existence and use of persistent, unique device identifiers such as Apple UDIDs.

Way back in 1999, Intel unintentionally created a privacy firestorm after it included unique, persistent IDs in its Pentium III processors. After consumer groups complained to the Federal Trade Commission, Intel backed down, and subsequently disabled the unique ID in the chips. At the time of the Intel controversy, Deirdre Mulligan, then a staff counsel for the Center for Democracy and Technology told journalists that “the [Intel Processor ID] has the potential to become the personal identifier for everyone on the Internet.”

Fast forward a decade, and Mulligan’s concerns have come true—just with a different consumer electronic company.

The unique IDs that Apple bakes into iOS mobile devices, such as iPhones and iPads, have long been the subject of criticism by privacy experts. In contrast to the cookies used to track consumers on the web, which can be deleted (at least by those consumers tech-savvy enough to navigate to obscure browser settings), UDIDs cannot be deleted or removed. As long as the consumer uses a particular iPhone, the UDID will stay the same. Unsurprisingly, advertising companies embraced the UDID as a way to effectively track and target users of mobile Apps.

Thankfully, Apple has restricted access to UDIDs by mobile app developers (and the advertising networks they partner with). This is a good start, but it does not address all of the privacy concerns. For example, prior knowledge of a device’s UDID is required for government agencies that wish to infect a particular surveillance target’s iOS device with the FinFisher mobile spyware tool.

Consumers can delete the cookies in their web browsers and modify the unique manufacturer-set “MAC address” assigned to their laptop’s WiFi card. Yet no similar privacy controls exist that let them erase their Apple UDID.

Unique, unchangeable UDIDs are not necessary for the functioning of a smartphone. Although Apple’s customer can never escape their UDID, Google’s Android operating system resets the Android ID (which is equivalent to Apple’s UDID) when a user performs a factory reset of their device. Google could, and should make this easier to do (without requiring that users destroy all of the other data on their devices), but this at least demonstrates that there are alternatives to unalterable UDIDs.

It is time for Apple to deliver real privacy controls to consumers, by letting them reset their UDID at will.