Skip to content
Naked Security Naked Security

Facebook’s location tracking policy still worries US Senators

Does Facebook continue to track the locations of its users even when they’ve told it not to? Yes!

In November, US Senators Josh Hawley and Chris Coons wrote to Facebook boss Mark Zuckerberg to ask him an important privacy question – does Facebook continue to track the locations of its users even when they’ve told it not to?

This week, in a reply leaked to The Hill, they got their answer: Yes.

The fuss started with a September change to the wording of Facebook’s policy for gathering location data outlined in the blog in Understanding Updates to Your Device’s Location Settings.

Formulated earlier in 2019 in response to changes in the way Android 10 and iOS 13 manage location settings, Facebook’s explanation of how it planned to manage this going forward sounded ambiguous.

On the one hand it stated:

You’re in control of who sees your location on Facebook. You can control whether your device shares precise location information with Facebook via Location Services, a setting on your phone or tablet.

Clear enough, surely, and yet in the next paragraph, it was qualified:

We may still understand your location using things like check-ins, events and information about your internet connection.

Which anyone who’d read this far would probably have been confused by.

Facebook seems to be allowing users to opt-out of location tracking by one route (GPS, say) while reinstating much of the same tracking through other routes (software events, IP addresses, noticing the Wi-Fi networks someone uses or is near).

Senators Hawley and Coons remain unconvinced. Facebook claims its users are in control of their location privacy, but this is only partly true, said Coons:

The American people deserve to know how tech companies use their data, and I will continue working to find solutions to protect Americans’ sensitive information.

No escape

How should Facebook users who’d rather the company didn’t know their location make sense of this apparent stand-off?

One answer is to be realistic about how today’s internet economy works. Companies like Facebook make their money from advertising and one of the things that matters to advertisers is where a user is located.

That is to say, the adverts these platforms think a Facebook user will be interested in depends on which country, city or even street they are in. Not having this data at all would be a big loss.

Luckily for them, as we’ve already mentioned above, there are lots of ways to get this information.

Many assume GPS is the big reveal but, in fact, another route (which also works indoors) is to infer location by noticing someone’s proximity to local, fixed, Wi-Fi networks and cell towers. Facebook is far from the only company which has found itself in hot water over the privacy implications of this.

A year ago, a 43-strong group of European consumer organisations alleged that Google’s location tracking breaches the EU’s General Data Protection Regulation (GDPR).

This can be curtailed to some extent via Android’s Web and App Activity but most users will either not know to do this or not grasp the implications of ignoring the setting, it was alleged.

Only weeks before, Google and Facebook were hit by separate class action lawsuits in California which claimed both companies continued to collect location data even when users thought they’d turned it off.

1 Comment

… does Facebook continue to track the locations of its users even when they’ve told it not to?
This week, in a reply leaked to The Hill, they got their answer: Yes.

In which case, “what is a ‘user'”?

If as part of the bloatware on my “smart phone” I have the facebook app – and it cannot be removed, do I count as a “user”?

If I do count as a user because the app – or some driver – in the background is doing something (like reporting my location), do I have to create a facebook account in order to access the app and tell facebook that I do not want to be tracked (because, to date, without a facebook account, I have not “told them not to”)?

And just how do you do a GDPR style “Subject access request” to Facebook without potentially telling them more about you? I have multiple email accounts – will separate requests for each account solve the problem or will facebook with its inexhaustible desire to curate every crumb of data about you make inferences from the routing of all these requests?


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!