Most iPhone users should be well aware by now that many third-party apps regularly collect location data for various reasons, but what may be considerably more surprising is how much of this location data is not only being collected, but actually being logged and stored by companies that specialize in tracking this information.
A new investigative report from The New York Times titled Twelve Million Phones, One Dataset, Zero Privacy set out to determine and reveal exactly how pervasive location tracking is across the United States, discovering that dozens of companies that you’ve probably never even heard of are not only tracking the movements of tens of millions of people but actually logging and storing this information in massive databases.
Several months ago, the Times Privacy Project was able to obtain a subset of this data, which it called “by far the largest and most sensitive ever to be reviewed by journalists,” containing more than 50 billion location pings from the phones of more than 12 million Americans across major U.S. cities such as Washington, D.C., New York, San Francisco, and Los Angeles.
Each piece of information in this file represents the precise location of a single smartphone over a period of several months in 2016 and 2017.
The data was provided to the Times by anonymous sources who were clearly not authorized to share it, and indicated that they could “face severe penalties” for doing so, but said that they had “grown alarmed” about the possible abuse of this data and wanted to make sure the public and lawmakers are aware of what’s actually happening behind the scenes.
The Times spent months analyzing the dataset, which includes the movements of people from nearly every neighbourhood and block in the cities that it covers, and while the data is technically anonymized, it was relatively trivial to find patterns that could identify specific individuals just based on the locations that each anonymous dot tended to frequent.
Without much effort we spotted visitors to the estates of Johnny Depp, Tiger Woods and Arnold Schwarzenegger, connecting the devices’ owners to the residences indefinitely.
In fact, as the Times points out, there’s a very high possibility that if you lived in one of the cities covered by the dataset, which includes data from 2016 and 2017, and used something as innocuous as a weather or local news app, there’s a good chance that you’re in there too.
Hidden in Every App
What’s even more alarming is that this data isn’t being collected by the companies that you would suspect of being the obvious culprits. This file didn’t come from Apple, or Google, or Facebook, or AT&T, Verizon, or T-Mobile. Nor did it even come from any app developers you may have heard of. Instead, it came from a company that specializes in location data, which the Times notes is one of dozens that are “quietly collecting precise movements” through advertising and analytics tools that are built into everyday apps.
It’s become fairly common for developers to use third-party libraries and modules, known as “SDKs,” to help track user behaviour and monetize their apps in various ways, either by blatantly sharing analytics data from users, or simply determining how best to serve ads. In some cases, developers incorporate these libraries with the best intentions, such as attempting to analyze user interactions in order to improve the user experience. Unfortunately, however, many developers have no idea what these extra bits of code are actually doing, and we’ve already seen reports earlier this year of how many hidden trackers are sending out data from users’ iPhones, and how some were even capturing screen recordings directly.
So this is far from the first report of this kind of tracking, but as the Times notes, it’s the largest data set that anybody has ever seen, and what’s even more frightening is that it appears that it’s the tip of the iceberg.
Even still, this file represents just a small slice of what’s collected and sold every day by the location tracking industry — surveillance so omnipresent in our digital lives that it now seems impossible for anyone to avoid.
There’s No Such Thing as ‘Anonymous’ Location Data
The report also highlights how so-called “anonymization” of data can be virtually meaningless when sufficient data is available. For example, your iPhone may only be a seemingly arbitrary number in the database, but it’s fairly easy to see how somebody could tie that number back to you simply by knowing your home address and identifying which number appeared there most often, at which point it would be a trivial matter to see where else the dot with your number appears, and when, allowing your entire location history to be tracked over a long period of time.
In most cases, ascertaining a home location and an office location was enough to identify a person. Consider your daily commute: Would any other smartphone travel directly between your house and your office every day?
As Paul Ohm, a law professional and privacy researcher at the Georgetown University Law Center told the Times, it’s “a completely false claim” to say that any location data is anonymous, “Really precise, longitudinal geolocation information is absolutely impossible to anonymize.”
To prove this point, the Times used the data to identify “people in positions of power,” using publicly available information like home addresses. The report notes that they were able to track “military officials with security clearances as they drove home at night,” and “law enforcement officers as they took their kids to school.”
Watching dots move across a map sometimes revealed hints of faltering marriages, evidence of drug addiction, records of visits to psychological facilities.
The Times report goes on to name names of specific individuals — disclosed with permission, of course — who investigators were able to track, many of whom they spoke to, and even the most privacy-conscious among them couldn’t point to any specific app on their iPhone that would have been providing this location data.
Perhaps the worst part of this is that while the government is busy investigating the big players like Apple, Google, and Facebook — all of which are far more cautious due to the level of scrutiny — dozens of relatively unknown companies with names like Gimbal, NinthDecimal, Reveal Mobile, Skyhook, and PlaceIQ are collecting vast amounts of location data with zero oversight or accountability, and doing so well within the confines of U.S. law, where it’s perfectly legal to collect and sell this kind of information.
There are no federal privacy laws that cover this kind of activity, and the industry has therefore relied on self-regulation and their own ethical guidelines, but that’s a little like asking the fox to guard the henhouse, since even with the grandest of intentions, it’s difficult to believe that the companies won’t make compromises when their bottom line is at risk.
It’s also not about sharing the data either — many of the companies involved make it clear that they don’t sell or otherwise disclose the location data, but only use it for marketing analytics where they don’t necessarily care about identities. However, the fact that the Times was able to obtain such a large dataset from an insider suggests that this data could be just as easy disclosed to far less ethical groups for entirely different purposes, and even if every employee with access to the data is 100 percent trustworthy and ethical, there’s no system that can’t be broken into by a determined group of hackers.
How to Protect Yourself
The scary thing is that there’s not much you can do to avoid this kind of tracking except by disabling location services on your iPhone entirely, or at least limiting it to apps that you are absolutely certain are completely trustworthy — something that’s very hard to be certain of. For example, even though we’d place Apple’s own first-party apps high on that list of trust, Apple has shared little about what location data it could be collecting and storing; even with the best of intentions, Apple doesn’t have a perfect track record when it comes to handling stored user data privately, and as we’ve already discussed, with a sufficiently large data set, “anonymity” doesn’t actually exist.
That said, Apple has made some big improvements to privacy in iOS 13, such as eliminating the “Always Allow” option for third-party apps that request access to location data, so that users who really want to allow continuous background location tracking must specifically visit the system-wide location privacy settings in order to do so. Even then, iOS 13 will regularly remind users when apps are tracking their location in the background, requesting that users reauthorize these apps on a periodic basis.
Fortunately, there’s an easy way to turn location services off on an app-by-app basis entirely, and this is strictly enforced by iOS.
- Open the Settings app
- Scroll down and tap Privacy
- Tap Location Services
The list of apps using location services is shown here, along with what level of access they have to your location. A solid arrow is also shown beside any apps that have used your location in the past 24 hours, while a hollow arrow is used to indicate apps that may be alerted when your location changes, for things like location-based reminders.
Tapping on an individual app will show an explanation, provided by the developer, for why the app wants to use your location, as well as the ability to set it to one of four access levels which are fairly self-explanatory: Never, Ask Next Time, While Using the App, and Always. Note that not all apps support the Always setting, and regardless this is something we’d recommend against enabling except for those apps where you very specifically need it and know exactly why you do.
Still, without fully understanding how these apps are using location data, who they’re sending it to, and how it’s being stored, it can be difficult to trust any app at all with access to this information. Even the most innocuous weather app could be sending location data to any one of these location tracking companies, and the developers themselves might not even be fully aware of how this data is being used.