New York Times Reveals Scope of Mobile Apps’ Location Spying

Location tracking

A New York Times report about the ways smartphone apps track users and sell their location data (on a far greater scale than most customers realize) has gotten much deserved attention this week.

One data sample obtained by the Times showed records of a company updating users’ locations up to 14,000 times a day in 2017.

While many users allow location tracking on their mobile apps to enable tailored content such as weather or nearby restaurants, they are often unaware that their travel history and daily routines are closely monitored and sold for use in the $21 billion advertising market.  

“[T]he explanations people see when prompted to give permission are often incomplete or misleading,” the Times explained in the article. “An app may tell users that granting access to their location will help them get traffic information, but not mention that the data will be shared and sold. That disclosure is often buried in a vague privacy policy.”

The users for location data go well beyond advertising nearby businesses. Financial firms use location data to guide investment decisions on the basis of traffic to stores or numbers of employees at a facility. To give just one of many examples, the Weather Channel, owned by IBM, used data from their mobile app to analyze data for hedge funds.

Many of the businesses listed in the article state that the data collected is anonymized and not tied to personally identifiable information such as a name or phone number. Anonymization is not failsafe. As the Times noted:

“[T]hose with access to the raw data — including employees or clients — could still identify a person without consent. They could follow someone they knew, by pinpointing a phone that regularly spent time at that person’s home address. Or, working in reverse, they could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there.”

Another concern is the security of the location data itself.

“There really are no consequences… other than bad press that gets forgotten about,” said computer security and privacy researcher Serge Egelman.

Read the Times article here.