Anonymous reminds Apple that UDIDs are creepy


This post has been updated with a statement from the FBI.

Web-based hacker collective Anonymous published 1 million Apple UDIDs on the web early this morning from a trove of 12 million that it allegedly stole from an FBI agent’s laptop in March. Buried within the rambling, bizarre missive from the group about why it published these unique device identifiers — besides attempting to embarrass the FBI for tracking that many iOS(s aapl) devices, and creating general mayhem — was a pointed comment about Apple’s decision to use and publish UDIDs in the first place with iOS devices.

From the group’s post about it on PasteBin:

Also we think it’s the right moment to release this knowing that Apple is looking for alternatives for those UDID currently and since a while blocked axx [access] to it, but well, in this case it’s too late for those concerned owners on the list. we always thought it was a really bad idea. that hardware coded IDs for devices concept should be erradicated [SIC] from any device on the market in the future.

There are many problems associated with having the unique number on a device as personal as an iPhone or iPad or iPod touch be public and associated directly with a device. UDIDs do not contain information that allows a device’s owner to be identified, but when combined with other information, it can. Apple knows this, and that’s why a year ago it started trying to get app developers and advertisers to stop tracking users across apps through vast databases of collected Apple UDIDs. In August 2011 Apple outlawed the practice, but it wasn’t until March that it started to actually crack down.

A June report in the Wall Street Journal hinted Apple was working on an alternative to UDIDs.  The new identifier would be anonymous and “likely to rely on a sequence of numbers that isn’t tied to a specific device.” The idea is to make owners of iOS devices feel slightly less creeped out and that their iPhone, iPad or iPod’s couldn’t be so easily tracked by app makers or advertisers — or law enforcement.

But Apple still hasn’t publicized any alternative yet, as Anonymous has helpfully reminded us.

Apple did not immediately respond to a request for comment.

Update 2:25 p.m.: The plot thickens: the FBI has issued a statement denying the UDIDs were taken from one of its agents. As the agency told the New York Times, “At this time there is no evidence indicating that an F.B.I. laptop was compromised or that the F.B.I. either sought or obtained this data.”


iOS Developer

Apple did introduce an alternative in iOS 6, in the form of per-app/per-user IDs, i.e. an ID that is unique for a particular user-app combination. This ID allows the app developer to collect anonymous stats but not allow the developer to correlate behavior across multiple apps.


Yes, it is important to remember that there are legitimate reasons to identify a certain user of an app, for example, to block unwanted communications from that user (within that app).

Comments are closed.