Commentary
OpenFeint ID Leaks May Add To Apple Legal Woes
- by Wendy Davis , Staff Writer @wendyndavis, May 9, 2011
Now, however, it turns out that some people can be named based on their iPhone/iPad identifiers, or UDIDs -- a sequence of 40 letters and numbers unique to each iPhone or iPad.
New Zealand security expert Aldo Cortesi last week posted research showing it's possible to figure out the identities of some iPhone and iPad users who are on Facebook, and who also have applications powered by gaming network OpenFeint.
"Testing with a small corpus of UDIDs gathered from my own and friends' devices, I was able to link roughly 30% of UDIDs to GPS co-ordinates, 20% of users to a weak identity (e.g. OpenFeint profile picture, user-chosen account name), and 10% of UDIDs directly to a Facebook profile," Cortesi writes.
OpenFeint, which has 75 million users, reportedly stopped leaking this data after hearing from Cortesi. Even so, that doesn't change the fact that UDIDs, like other so-called "anonymous" data, can be combined with other information to identify specific individuals.
Cortesi's research adds to a growing body of evidence showing that people can be de-anonymized despite assurances from web companies that they won't disclose personally identifiable information. The most famous example probably comes from AOL, which in 2006 posted search histories for 650,000 users; within days, The New York Times pieced together the identity of one of them and profiled her on the front page. But that's not the only example. Other researchers reported that it was possible to personally identify some Netflix users who posted movie reviews under screen names.
Apple, meanwhile, faces at least two lawsuits from users who say the company violated their privacy by transmitting UDIDs to app developers. The latest research could make it difficult for Apple to convince a judge that such transmissions don't identify users.
Wendy Davis is a Senior Writer at MediaPost. You can reach Wendy at wdavis@mediapost.com