Skip to content
Naked Security Naked Security

Smartphone location data can be used to identify and track anyone

In today’s smartphone economy, hiding your location has become a major challenge.

In today’s smartphone economy, hiding your location has become a major challenge.

At any moment, someone knows where you are, or have been, and they might even be able to work out where you will go next.

The work of government? Google? Advertising companies? Or perhaps Facebook, which this week was hauled up by US Senators who think the company is tracking smartphone users locations despite having apparently promised not to?

While these might be tracking your location, according to the New York Times Privacy Project it’s the entities nobody has heard of that should perhaps worry us more.

Its researchers know this, they say, because earlier this year the NYT’s Privacy Project got its hands on a large data set leaked to it by unnamed sources from a “data location company.”

The data contains 50 billion location pings generated by the smartphones of 12 million Americans in cities including New York, Washington, New York, San Francisco, and Los Angeles during 2016 and 2017.

This looks like a first. To date, almost all that is known about how location data is collected and used is based on the capabilities of the technology and inferences made from the business models of the companies concerned.

The research demonstrates what’s really going in new detail. One way to understand it is to view the visuals generated by the NYT to explore the deeper patterns it can be coaxed into revealing.

For instance, the activity map showing a “senior Defense Department official and his wife” as they attended the Women’s March in 2017.

In another example, the researchers were able to pick on a random smartphone spotted in Central Park and track the owner’s entire movement history across New York over a period of up to two years.

Following the movements of defence officials, police officers, lawyers? No problem. They even traced smartphone pings from workers inside the Pentagon.

One search turned up more than a dozen people visiting the Playboy Mansion, some overnight. Without much effort we spotted visitors to the estates of Johnny Depp, Tiger Woods and Arnold Schwarzenegger, connecting the devices’ owners to the residences indefinitely.

Peek-a-boo

Takeaway number one is that very few people realise how much can be inferred about someone, including people that hackers might be very interested in, simply by noticing the location of their smartphone through time.

A second is that this data doesn’t appear to be as anonymous as companies claim. Indeed, if this evidence is held across large numbers of smartphone users, one might even conclude that the anonymity defence is somewhere between evasion and an outright lie.

The company whose data was studied isn’t named but the NYT offers a list of companies which it says are in the same location data business. The data is collected using GPS, but also via other sources such as Bluetooth beacons (small sensors hidden in stores and malls) and, presumably, Wi-FI and cell base station proximity.

Some companies say they don’t sell data but because there’s little regulation to stand in the way of this beyond privacy policies few read it’s impossible to be sure – the data is privately collected and, in the US at least, private property.

Short of turning off a smartphone for long periods, or not carrying one, it’s probably impossible to stop all tracking, even using the facilities provided in mobile operating systems.

Similarly, turning off GPS, Wi-Fi, mobile data, Bluetooth, and NFC isn’t exactly going to make someone’s smartphone more useful.

But before people get to that stage, they need to know that location data has become the sort of problem that could define the next 10 years of privacy arguments.

9 Comments

The New York Times’ reporting is well worth reading. Thank you for helping to highlight their work — top notch journalism.

So the mobile industry “improve its self-regulation”.
I’ll not be holding my breath for any positive action,

Who are these people that feel the need to hide where they have been? Paranoid or what?

It’s not a question of whether you ‘need to hide your location’, it’s the issue of ‘someone else decided to share it instead of you’.

Being able to keep precise tabs on your location is pretty jolly useful to cybercrooks and scammers, because it gives them loads of additional detail about your life and lifestyle over and above what you’ve chosen to share online.

With a point-by-point map of where you’ve been for the last year, say, a crook who wanted to impersonate you could probably figure out any and all of: where you work, where you live; where your kids go to school; whether you support a sports team (and if so, which one); whether you play a sport (and if so, which one); whether you are religious (and if so, where you worship); the name of your doctor; which surgery you attend; whether you’ve been to hospital; whether you’ve been in hospital; whether you drink (and if so, which pubs you like); whether you have a wife; whether you have a girlfriend; whether you have a wife and a girlfriend; how often you travel by car, on foot, by bicycle, by bus, on trains, in planes…

We have a right to privacy. We should not be expected to demonstrate a need before being ‘allowed’ a right. Before you ask things like ‘why do people need privacy’ ‘why do people need to express themselves’ or ‘why do people need to have weapons to defend ourselves answer this: Why did Rosa Parks NEED to sit in the front of the bus?

Sadly there are those out there that strongly oppose any intrusive, albeit legal tracking by law enforcement agencies without a warrant making it much more difficult to aid in fighting crime or terrorism, yet we all turn ourselves and our privacy over to any number of private companies with complete abandon. Apple went so far so as to use their phones as “locked device” w/o a “back door” for legally searching by law enforcement as advertising even though it was Made in China???? Yes, they trust the Chinese government NOT to do anything underhanded yet the American government (that needs a search warrant) was considered the Big Brother snooping. Worst of all the US Government actually bought these phones to use for employees???? again made in China????

This kind of tracking wasn’t even possible until just recently. The constant surveillance is unconstitutional, at least in the United States where probable cause is a constitutional requirement.

The 4th Amendment reads:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Tell me, how does constant location monitoring and logging, constant pervasive, persistent surveillence without probable cause, amount to being “secure in their persons….”?

Well so far, neither the previous, nor the current US President brought Apple’s production « back » home, despite some announcements in that sense by the previous one and the « make America great again » by the current one… I guess that is the leap between words and action, wrt America’s greatest challenge ever : an authoritarian system subverting capitalism to make it authoritarian too !

“Major challenge” is a little hyperbolic. No, it really isn’t that hard to prevent most of this. Everything has tradeoffs. “…turning off GPS, Wi-Fi, mobile data, Bluetooth, and NFC isn’t exactly going to make someone’s smartphone more useful.” It truly isn’t that hard to disable those things when you don’t need them. It’s just a little less convenient. Remember when we didn’t have always-on tracking devices, and somehow, we still got through the day? Are we really that helpless now?

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?