I finally got around to upgrading my iPhone to iOS5 last weekend.
The list of new features sounded exciting, even though I can’t have Siri on my 3GS (that’s still not fair).
I didn’t time the installation but it was long and involved several reboots. Once everything was ready, a few screens appeared prompting me for information. I had to decide whether or not to enable location services.
There was the standard disclaimer. The best reason to enable location services is the Find My iPhone feature, which requires them.
Next, Apple did something I didn’t expect. They asked for my birthday!
Now, maybe they’ve always asked for birthday information, and it’s been so long since I had to enter it that I’d forgotten, but I was not expecting this and was taken aback. What does that message mean, “determining appropriate services?” Is it supposed to give the impression it’s about protecting minors from adult services? It could be equally useful for advertising purposes, couldn’t it?
Never mind that; what’s really disconcerting is that the message says they want to know my birthday to be able to retrieve my password if I forget it. WUT? I don’t know why people think birthdays are useful for this sort of thing anymore. I suppose maybe that used to be true, before the Internet and social networking. For my part, I try to keep personal information like my birthday confidential, but not everyone does. Just a few days ago I saw a report about student researchers from the University of British Columbia who demonstrated that a network of social bots could be used to friend strangers on Facebook and steal their personal information. [The project was described as white-hat hacking, and they claimed the stolen data was encrypted and then deleted when the project was over.] Lucky that most of us aren’t celebrities or well-known people whose birthdays can be found on Wikipedia, too.
Even though I try to make sure my birthday stays private, an enterprising person could probably find it rather easily in one of several places or through social hacking. Most of my friends know my birthday, and anyone could casually notice if someone wishes me a happy birthday on Twitter or elsewhere. It’s also printed on most of my identity documents. Someone could take a peek at my driver’s license, passport, or any of countless other documents where it might be found. This could even be done with my permission, for example when a cashier asks for a picture ID at a check-out.
Yes, a random person on the Internet would have to go to some trouble to find my birthday, and the real question is would the trouble be worth it if the prize were to recover my Apple password. That depends in turn on what I’m using my Apple ID for. In any case, my birthday is a piece of information that could be found rather easily by someone motivated enough to do so if the rewards were high. If that password could give access to my banking information, for example, that would probably be motivation enough.
I’m reasonably sure that Apple has security engineers that understand this, so I see two explanations:
1) Apple is trying to reassure people about giving their birthday “for security verification purposes” in case they need to recover their password, when the real reason for wanting the birthday is something else;
2) Apple’s security engineers aren’t working on this part of the interface and the people who are really think a birthday is good information to use as proof of identity.
If the former, then shame on them for misleading people. Apple, please tell us the real reason you are asking for our birthdays!
If the latter, then we should definitely be worried about security on our iPhones. Birthday information probably isn’t adequate to protect password recovery, unless it’s used in conjunction with other measures designed to authenticate the true account owner. If your account information can be used to access valuable services such as your bank account or credit card information, then it’s worth making sure you take reasonable precautions to prevent information like your birthday from being widely known.
Whatever the explanation, there is one thing Apple should do above all after having asked this question: remember to wish everyone a happy birthday! It’s the least they can do. An iTunes gift certificate or a free download on my birthday would be nice too.