The latest privacy lawsuit out of California has several users suing mobile gaming company OpenFeint for violations of the federal wiretap law and computer fraud. According to the complaint, OpenFeint, unbeknownst to its users, used the Unique Device Identifier (UDID) of each user’s iPhone and, intentionally or unintentionally, converted the UDID’s anonymous information into an actual user identity.
A recent Cortesi study (which, btw, warned OpenFeint about its security gaps) described how easy it is for iPhone apps to de-anonymize UDIDs:
The saving grace is that your device UDID is not linked to your real-world identity. If it were possible to de-anonymize UDIDs, the result would be a serious privacy breach…
If the user registered a Facebook account with OpenFeint, a profile picture URL hosted by the Facebook CDN was returned in the user’s profile data. Facebook profile picture URLs include the user’s Facebook ID, directly linking it to their Facebook account.
For example, here’s Bruce Schneier’s Facebook profile picture URL:
The 11-digit number in this URL is his Facebook user ID. We can now view his profile using a URL like this:
This final step represents a complete de-anonymization of the UDID, directly linking the supposedly anonymous identifier with a user’s real-world identity.
Of course, revealing a Facebook identity would not be a big deal where the user actually provides his or her Facebook profile to the application. However, combining a Facebook identity with the UDID, which for some reason app companies insist on using to collect user locations, would prove an unwanted breach of privacy (e.g., the app would reveal the user’s exact location and his or her identity).