Boffins from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally—including non-Apple devices like Starlink systems—and found they could use this data to monitor the destruction of Gaza and the movements and, in many cases, identities of Russian and Ukrainian troops.

At issue is how Jobs’ Mob collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.

Job’s Mob operates Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points within their mobile devices' range. Both record the Media Access Control (MAC) address used by a Wi-Fi access point, known as a Basic Service Set Identifier (BSSID). Periodically, Apple mobile devices forward their locations by querying GPS and/or using cellular towers as landmarks and any nearby BSSIDs.

This combination of data allows Apple to figure out where they are within a few feet or meters, and it's what allows your mobile phone to continue displaying your planned route even when the device can't get a fix on GPS.

With Google's WPS, a wireless device submits a list of nearby Wi-Fi access point BSSIDs and their signal strengths -- via an application programming interface (API) request to Google -- whose WPS responds with the device's computed position. Google's WPS requires at least two BSSIDs to calculate a device's approximate position.

Apple's WPS accepts a list of nearby BSSIDs. Still, instead of computing the device's location based off the set of observed access points and their received signal strengths and then reporting that result to the user, Apple's API will return the geolocations of up to 400 hundred more BSSIDs that are nearby the one requested. It then uses approximately eight of those BSSIDs to determine the user's location based on known landmarks.

Google's WPS computes the user's location and shares it with the device, but Apple's WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own.

This follows Apple’s business model of encouraging users to shout loudly that they have an iPhone with the same vigour that a vegan must declare it whenever they have the opportunity.

The University of Maryland boffins claim they could use the verbosity of Apple's API to map the movement of individual devices into and out of virtually any defined area of the world.

The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated randomly. They learned that while only about three million randomly generated BSSIDs were known to Apple's Wi-Fi geolocation API, Apple also returned 488 million BSSID locations already stored in its WPS from other lookups.

"Plotting the locations returned by Apple's WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points," the report adds.

"The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America."

The researchers wrote: "We observe routers move between cities and countries, potentially representing their owner's relocation or a business transaction between an old and new owner. While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location."