Shady Tracking Firms Are Selling Your GPS Location History

In a worrying report, the Gray Lady is waking up Americans to the silent world of smartphone location tracking and brokerage. In a long-winded article, The New York Times today “reveals” that smartphone apps sell your data to advertisers.

However, it also points out how fragile the protections on this data are. It shows how easy it is to de-anonymize your tracked locations and how a malicious insider could leak the home addresses of government or military personnel to hostile powers.

DevOps Connect:DevSecOps @ RSAC 2022

The risks are obvious. And not so obvious. In today’s SB Blogwatch, we know where you live.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Baby Yoda.

GPS: Ghastly Privacy Secret

What’s the craic? Stuart A. Thompson and Charlie Warzel show “what we found”:

 Dozens of companies — largely unregulated, little scrutinized — are logging the movements of tens of millions of people with mobile phones and storing the information in gigantic data files. … One such file … holds more than 50 billion location pings from the phones of more than 12 million Americans.

[It] was provided [by] sources [who] said they had grown alarmed about how it might be abused. [It] originated from a location data company, one of dozens quietly collecting precise movements using software slipped onto mobile phone apps. … They can see the places you go every moment of the day, whom you meet with or spend the night with, where you pray, whether you visit a methadone clinic, a psychiatrist’s office or a massage parlor.

If you … use apps that share your location — anything from weather apps to local news apps to coupon savers — you could be in there. [And] you might never use your phone the same way again.

News organizations have reported on smartphone tracking in the past. But never with a data set so large. Even still, this file represents just a small slice of what’s collected and sold every day by the location tracking industry — surveillance so omnipresent … that it now seems impossible for anyone to avoid.

Citizens would surely rise up in outrage if the government attempted to mandate that every person … carry a tracking device that revealed their location 24 hours a day. Yet, in the decade [we] have, app by app, consented to just such a system run by private companies.

Today, it’s perfectly legal to collect and sell all this information. … But it’s child’s play to connect real names to the [data]. Only internal company policies and the decency of individual employees prevent those with access to the data from, say, stalking an estranged spouse or selling the evening commute of an intelligence officer to a hostile foreign power.

Yikes! Ben Lovejoy adds—“You could be in this ‘zero privacy’ location-tracking database”:

 Anyone who has ever granted a third-party app access to Location Services could be in a location-tracking database of 12 million phones. … And while this database is the largest one yet examined, it represents just a small fraction of the location data bought and sold every day.

The privacy policies of many apps allow their developers to share your location with ‘trusted partners,’ which could be code for ‘companies who want to buy location data.’ … The paper was able to identify everything in the location-tracking database from people attending job interviews to those meeting up for a few hours at a time in motels.

OK, so disable location permission on every app. Job done, right? Wrong, says Xeni Jardin—“Facebook offers funny answer for why it tracks users’ locations even when they turn tracking services off”:

 Responding to a letter from Sen. Josh Hawley, (R-MO), and Sen. Chris Coons, (D-DE), Facebook said it needs that extra location data to target ads, and for various security functions.

Coons and Hawley now say that Facebook needs to give users more control over their data. I say, delete Facebook.

What about the app stores’ responsibility? Benedict Evans wants to see platforms act:

 Among other things, stories like this are an argument for platform owners exerting (even) more control over what developers and publishers are allowed to do, and doing more aggressive curation of the app stores. … The demand for more privacy and security on your phone is sometimes (not always, but clearly here) a direct conflict with the demand for Apple and Google to let developers do whatever they want on competitive grounds.

An open unrestricted platform where users and developers are not limited by Apple or Google is, ipso facto, a platform where any random developer can do whatever they want with your data. Pick your trade-off.

But Ol Olsoc wonders if this is all a fuss over nothing:

 That’s how cell phones work. It’s inherent in the process. Now we can quibble about who gets the logs, but it’s pretty simple – if you want your whereabouts to be a secret, you do not want to be carrying [a] phone.

Wake up, sheeple! v1s10nary stands on the shoulders of leprechauns: [You’re fired—Ed.]

 Let’s be real. … No matter how many times Big Tech gets exposed for intruding on our privacy or leaking our personal data, we’ll still bend over and let them **** us with modern technology.

They can get away with unregulated mass surveillance because the average consumer couldn’t care less about privacy/security. … We’ve reached a point with technology where there is no real way to ensure complete anonymity/security with modern consumer-grade devices.

Or perhaps it’s just impossible? Prof. James Joyner—@DrJJoyner—wants to see regulation:

 I can’t really exit the relationship with Google. The cost of unplugging in an always-connected world is extremely high, especially for those of us in the information space. Nor is the extent to which they’re harvesting, much less sharing, our private information well advertised.

I think Google, Amazon, Facebook, and some others are sufficiently large that they ought be regulated akin to public utilities.

Google and Facebook are, for all practical purposes, natural monopolies. The former because they’re vertically integrated with so many products. The latter because it’s where certain cohorts are (and therefore others aren’t.)

And NorthernVirginia agrees:

 It takes little imagination to envision a Chinese, Russian, or US intelligence agency create a front company with a forgettable, innocuous name like “Advertising Experiences” and then purchasing all available tracking data. That has almost certainly been going on for years.

One thing is certain: industry self-regulation is illusory. Congress must act to regulate the industry.

Meanwhile, LDoBe wonders if you’d prefer a nice game of chess:

 A strange game. The only winning move is not to play.

And Finally:

Billy Cobb opines a controversial opinion

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: US National Executive Committee for Space-Based Positioning, Navigation and Timing (public domain)

Richi Jennings

Featured eBook
Managing the AppSec Toolstack

Managing the AppSec Toolstack

The best cybersecurity defense is always applied in layers—if one line of defense fails, the next should be able to thwart an attack, and so on. Now that DevOps teams are taking  more responsibility for application security by embracing DevSecOps processes, that same philosophy applies to security controls. The challenge many organizations are facing now ... Read More
Security Boulevard

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 370 posts and counting.See all posts by richi