An investigation led by the New York Times discovered alarming findings regarding how easily nondescript location data, collected by smartphone apps and sold to businesses, can be traced back to individual users.
The article, eerily titled “Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret” reviewed a 2017 database that found at least 75 companies are sold anonymous location data harvested from apps whose users “enable location services” — for example, to get local news or weather. Using this database, Times reporters were easily able to connect the anonymous details to individuals. This makes clear that replacing names and other identifying details with unique ID numbers is no guarantee that one's identity is protected.
As the report explains, selling such data to advertisers, among others, is a “hot market”:
These companies sell, use or analyze the data to cater to advertisers, retail outlets and even hedge funds seeking insights into consumer behavior. It’s a hot market, with sales of location-targeted advertising reaching an estimated $21 billion this year. IBM has gotten into the industry, with its purchase of the Weather Channel’s apps. The social network Foursquare remade itself as a location marketing company. Prominent investors in location start-ups include Goldman Sachs and Peter Thiel, the PayPal co-founder.
Businesses say their interest is in the patterns, not the identities, that the data reveals about consumers. They note that the information apps collect is tied not to someone’s name or phone number but to a unique ID. But those with access to the raw data — including employees or clients — could still identify a person without consent. They could follow someone they knew, by pinpointing a phone that regularly spent time at that person’s home address. Or, working in reverse, they could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there.
The report further explains that phone users give apps permission to sell their data — which includes most of their whereabouts — but the granting of such permission is not always transparent.
The reports explains that health care facilities, for instance, are a “more enticing” area for tracking. An advertising firm that is a data client of the location company discussed in the article said it sometimes targets people in emergency rooms with ads for personal-injury lawyers. The technology is called “geofencing.”
Ryan Polk, policy adviser for the Internet Society, a global nonprofit focused on internet technology, policy and development, told Salon that users can protect themselves by using their privacy settings to limit which apps get access to their location data.
“However, the sharing of other forms of data can be harder to control,” he said via email. “Other options include deleting the app, checking the app permissions or turning off the apps’ abilities to use cellular data (so at least it’s not sending data when off wifi)," Polk wrote, adding that these may not be practical solutions for many people. "It is quite telling that, after seeing the scope of location data collected on them, those [people quoted] in the article just began deleting their apps.”
Regarding the permissions issue, Polk said consumers need to be given “valid, understandable choices on how their data is collected and what it will be used for, and easy ways to make those choices in their apps and devices.”
“Strong transparency and choice are crucial when it comes to data privacy; unfortunately, in a data-driven economy these are the exception and not the norm.”