Skip to content
Naked Security Naked Security

Phones are selling location data from “trusted” apps

Data brokers are tracking 200 million mobile devices in the US, updating locations up to 14,000 times a day, the New York Times has found.

A New York Times investigation has found that apps such as GasBuddy and The Weather Channel are among at least 75 companies getting purportedly “anonymous” but pinpoint-precise location data from about 200 million smartphones across the US.
They’re often sharing it or selling it to advertisers, retailers or even hedge funds that are seeking valuable insights into consumer behavior. One example: Tell All Digital, a Long Island advertising firm, buys location data, then uses it to run ad campaigns for personal injury lawyers that it markets to people who wind up in emergency rooms.
The Times reviewed a database holding location data gathered in 2017 and held by one company, finding that it held “startling detail” about people’s travels, accurate to within a few yards and in some cases updated more than 14,000 times a day. Several of the businesses whose practices were analyzed by the Times claim to track up to 200 million mobile devices in the US.
The data being sold is supposedly anonymous, as in, not tied to a phone number. The Times could still easily figure out who mobile device owners were through their daily routines, including where they live, where they work, or what businesses they frequent.
The businesses can reflect intimate details. For example, the Times used the database to track a 46-year-old math teacher, starting from leaving her home, traveling to her school 14 miles away, attending a Weight Watchers meeting after work, visiting her dermatologist’s office for a procedure, hiking with her dog, and staying over at her boyfriend’s house – information sold without her knowledge that she found highly disturbing after giving the newspaper the go-ahead to review her location data:

It’s the thought of people finding out those intimate details that you don’t want people to know.

The teacher’s location was recorded over 8,600 times – on average, once every 21 minutes. Sometimes, the frequency went up to once every two seconds.
Many companies claim that the data is up for grabs once users enable location services. But the Times found that when apps prompt users for permission, the explanations they were given were often incomplete or misleading. And whatever fuzzy, vague disclosure there is, it’s often buried in a hard-to-read privacy policy.


For example, an app might tell a user that enabling location data will get them the latest weather or traffic updates, but not mention that the data will be shared and sold – a fact tucked away in the privacy policy.
In the US, legislators such as Senator Ron Wyden have proposed bills to limit the collection and sale of this type of data, as well as to punish company execs when it’s mishandled.
The way location data is being treated by profiteers is a classic example of the type of privacy invasion that should be regulated, Wyden told the Times:

Location information can reveal some of the most intimate details of a person’s life – whether you’ve visited a psychiatrist, whether you went to an A.A. meeting, who you might date. It’s not right to have consumers kept in the dark about how their data is sold and shared and then leave them unable to do anything about it.

Good luck legislating this away, Senator Wyden: the market for location-targeted advertising is on track to hit an estimated $21 billion this year.
Let’s not hold our breath for the US to turn into the European Union anytime soon when it comes to giving us control over our data, but there are still things we can do to limit this pervasive spying.

How to keep apps from tracking your location

There’s no definitive list of the hundreds of apps that are constantly dogging your heels and profiting off of your location data. Besides the apps the New York Times picked up on in testing, there are an untold number of apps flying under the radar: they could well be gathering and saving your data and not selling it straight away, meaning that such apps wouldn’t have shown up in the Times’ tests. (Speaking of which, here’s their testing methodology.)
Your best bet, the Times says, is to find out which apps have permission to get your location in the first place.
The newspaper has compiled thorough instructions on how to stop apps from tracking you on iOS and Android, be it app-by-app or by toggling tracking off on the phone itself, as well as how to delete what those mobile operating systems already have on you.

Scraping yourself out of their databases

While we can turn off location sharing and delete web activity histories, that still leaves the data that the apps have already collected about us and tucked away in their money-maker databases.
However, a lack of transparency or regulation in the US makes it crazy tough to get access to, or to delete, the data from companies’ databases (or from the databases of whoever they sold it to or shared it with). You might recall that in August, after the General Data Protection Regulation (GDPR) came into full force, a researcher banged on the door at Facebook’s data warehouse to get all the data it had on him (which the GDPR had granted citizens as their right).
Sorry, Facebook said: it’s too tough to find your information in our ginormous data warehouse.
Same story with the other tracking apps, the Times writes:

Most of them store location data attached not to a person’s name or phone number, but to an ID number, so it may be cumbersome for them to identify your data if you want to delete it – and they are under no obligation to do so.

Unless they’re in the EU, that is, where – thanks to the GDPR – people now have the legal right to request a copy of the data that companies hold about them, and to ask that it be deleted.

3 Comments

Do not the people in power understand that they too are being tracked and their day to used as well?! I simply don’t understand the passiveness of this when the people in power could actually do something about it as they do in Europe. I’m beginning to hate people more and more everyday. So sad.

The right of access for data subjects was one of the rights introduced under GDPR.
In general terms, the General Data Protection Regulation (GDPR) provides individuals with the right to request information on how companies are handling their personal data.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?