Every step you take: NYT investigation finds apps know way too much about us

Private and anonymous? Not quite: Times was able to connect location details to specific individuals

By Nicole Karlis

Senior Writer

Published December 10, 2018 9:00PM (EST)


An investigation led by the New York Times discovered alarming findings regarding how easily nondescript location data, collected by smartphone apps and sold to businesses, can be traced back to individual users.

The article, eerily titled “Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret” reviewed a 2017 database that found at least 75 companies are sold anonymous location data harvested from apps whose users “enable location services” — for example, to get local news or weather. Using this database, Times reporters were easily able to connect the anonymous details to individuals. This makes clear that replacing names and other identifying details with unique ID numbers is no guarantee that one's identity is protected.

As the report explains, selling such data to advertisers, among others, is a “hot market”:

These companies sell, use or analyze the data to cater to advertisers, retail outlets and even hedge funds seeking insights into consumer behavior. It’s a hot market, with sales of location-targeted advertising reaching an estimated $21 billion this year. IBM has gotten into the industry, with its purchase of the Weather Channel’s apps. The social network Foursquare remade itself as a location marketing company. Prominent investors in location start-ups include Goldman Sachs and Peter Thiel, the PayPal co-founder.

Businesses say their interest is in the patterns, not the identities, that the data reveals about consumers. They note that the information apps collect is tied not to someone’s name or phone number but to a unique ID. But those with access to the raw data — including employees or clients — could still identify a person without consent. They could follow someone they knew, by pinpointing a phone that regularly spent time at that person’s home address. Or, working in reverse, they could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there.

The report further explains that phone users give apps permission to sell their data — which includes most of their whereabouts — but the granting of such permission is not always transparent.

Many location companies say that when phone users enable location services, their data is fair game. But, The Times found, the explanations people see when prompted to give permission are often incomplete or misleading. An app may tell users that granting access to their location will help them get traffic information, but not mention that the data will be shared and sold. That disclosure is often buried in a vague privacy policy.

The reports explains that health care facilities, for instance, are a “more enticing” area for tracking. An advertising firm that is a data client of the location company discussed in the article said it sometimes targets people in emergency rooms with ads for personal-injury lawyers. The technology is called “geofencing.”

Ryan Polk, policy adviser for the Internet Society, a global nonprofit focused on internet technology, policy and development, told Salon that users can protect themselves by using their privacy settings to limit which apps get access to their location data.

“However, the sharing of other forms of data can be harder to control,” he said via email. “Other options include deleting the app, checking the app permissions or turning off the apps’ abilities to use cellular data (so at least it’s not sending data when off wifi)," Polk wrote, adding that these may not be practical solutions for many people. "It is quite telling that, after seeing the scope of location data collected on them, those [people quoted] in the article just began deleting their apps.”

Regarding the permissions issue, Polk said consumers need to be given “valid, understandable choices on how their data is collected and what it will be used for, and easy ways to make those choices in their apps and devices.”

“Strong transparency and choice are crucial when it comes to data privacy; unfortunately, in a data-driven economy these are the exception and not the norm.”

By Nicole Karlis

Nicole Karlis is a senior writer at Salon, specializing in health and science. Tweet her @nicolekarlis.

MORE FROM Nicole Karlis