2 NOV 2012 - 1747 CDT
To all ARRL Officers, Directors, and Vice Directors:
Even though I am a heavy user of Information Technology, I have never
been a user of Apple devices of any type. Therefore, it has taken more
time than I planned to research the potential security issues with the
Apple iOS digital QST application.
This message consists of two parts: a brief discussion of the issues,
followed with a series of questions that should be answered before any
decision is made to publicly release and support the use of our Apple
iOS digital QST application.
Potential Security Issues With Apple iOS Digital QST Application
1. According to Harold Kramer, the Apple iOS QST App does send tracking
information to somebody. It is assumed that this information is
de-identified, only includes the current geographic location of the
user, and is sent to Apple.Com, or an Apple contractor. Without a
verified, detailed description (from Apple?) of all of this data,
there is no way of making a proper judgement of the user's data
security when using this application.
2. I understand the default setting of this "data tracking feature" is ON.
It can be turned OFF, but the labeling and wording used to control this
"feature" is not clearly understood. At the least, I suggest the
default setting for this tracking process should be OFF with a warning
displayed when the user chooses to activate it.
3. When the user stops using this QST App, it is still active and could
continue to send data as long as the user's device is turned on. I
think most iOS users do not know this is going on.
4. There is at least one Apple iOS hacking program available at
http://www.iphonetracker101.com/iphone-tracking-app that can be
used to view and record keystrokes and phone audio. I suspect there
are also one or more Apple iOS hacking programs that enable the
insertion of programs (trojans) that will command the targeted Apple
iOS device to send specified data to anonymous third party(s) without
the knowledge of the device user.
Questions That Should Be Answered Before Releasing the Apple iOS Digital
QST Application
1. Harold Kramer told me that Chris Imlay has vetted this contract, but
I still don't know who is the contractor. Who is the contractor?
What are we paying for this application?
2. What data is being collected? I can understand pages-read data that
would be used by ARRL staff to improve magazine content. The same
goes for clicks on active links to track advertising response.
But if things like the reader's current location, the reader's use of
other applications, any financial or personal transactions by the reader,
the reader's keystrokes, etc. are being sent out... the ARRL should not
be receiving this information. We already have the user's ARRL membership
and ham radio license data. What more do we need?
3. Is this application sending data to third parties - without the user's
knowledge or agreement? Depending on the data being sent, the ARRL
could be held liable for damages.
4. Is there a clearly worded, easily accessed option allowing the user to
permanently stop this data collecting?
I have probably missed some points and I welcome comments and suggestions
on these issues. Here is one final question for my fellow directors.
5. Do you think the ARRL Board of Directors should formally approve this
IT project? In view of our past IT problems, I believe we should vote
on releasing and supporting this Apple iOS digital QST application.
73 - Dick Isely, W9GIG