Mobile Location Scandals Keep Making Facebook's Privacy Flubs Look Like Child's Play
from the ill-communication dept
We've noted a few times now that while Facebook gets a lot of justified heat for its privacy scandals, the stuff going on in the cellular data and app market with regard to location data makes many of Facebook's privacy issues seem like a grade-school picnic. That's something that was pretty well highlighted by the recent Securus and LocationSmart scandals, which showcased perfectly how cellular carriers and location data brokers routinely buy and sell your daily travel habits with only a fleeting effort to ensure all of the subsequent buyers and sellers of that data adhere to basic privacy and security standards.
Over the weekend, the New York Times had an interesting read that offers some fresh insight into just how commonly your daily location data is traded and shared without much in the way of meaningful protection or oversight. There's a certain naive shock by both the Times authors and its subjects as they suddenly realize that apps on mobile devices routinely hoover up users' daily movement patterns, often without anything in the way of real consent or transparency, then sell that valuable data to every Tom, Dick, and Harry in a bid to monetize it:
"The app tracked her as she went to a Weight Watchers meeting and to her dermatologist’s office for a minor procedure. It followed her hiking with her dog and staying at her ex-boyfriend’s home, information she found disturbing.
“It’s the thought of people finding out those intimate details that you don’t want people to know,” said Ms. Magrin, who allowed The Times to review her location data."
The Times investigation found that at least 75 companies routinely receive anonymous, precise location data from apps that collect location data but fail to clarify how that data is used. Several of the firms tracked by the Times note they routinely collect data on more than 200 million mobile devices; data that in many instances is so granular it's updated as many as 14,000 times a day. Of course, if you've been paying attention, location data has been a gold mine for cellular carriers (and everybody in the chain) for the better part of the last decade as it's sold to everyone from city planners to shopping malls.
And while carriers and those handling this data routinely insist there's no harm because this data is "anonymized," reports have repeatedly shown that this kind of data isn't really anonymous, especially if it can be linked with other private data (obtained by hackers, leaked, or already in the wild). That's something you can feel the Times reporters realizing as the story proceeds:
"Businesses say their interest is in the patterns, not the identities, that the data reveals about consumers. They note that the information apps collect is tied not to someone’s name or phone number but to a unique ID. But those with access to the raw data — including employees or clients — could still identify a person without consent. They could follow someone they knew, by pinpointing a phone that regularly spent time at that person’s home address. Or, working in reverse, they could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there."
Curiously, the Times doesn't even mention the cellular carriers' role in this problem, insisting that location data sales "began as a way to customize apps and target ads for nearby businesses." In reality, cellular carriers have been tracking and selling your location data before the concept was even a twinkle in many app makers' eye, and as the recent LocationSmart scandal (which exposed the personal data of nearly every mobile customer in North America) made very clear, this data is sold to dozens of third-party location data brokers and their sales partners -- without much, if any, effort to ensure it's being protected down the chain.
In other words, app location data sharing is just a smaller part of a massive problem. A problem that started with telecom operators and our total unwillingness to hold them accountable for similar behavior. Politically powerful cellular carriers who repeatedly insisted we didn't need any meaningful privacy rules of the road because "public shame" would keep the industry honest. That promise has never really worked out that well.
Multiple ISPs were accused years ago of collecting and selling consumer clickstream data. When they were pressed for details, many simply either denied doing it or refused to respond. Collectively, we decided that was fine. As more sophisticated network gear like deep-packet inspection emerged, ISPs began tracking and selling online browsing habits down to the millisecond, some even charging users extra if they wanted to protect their own privacy. Wireless only made things worse, some carriers even going so far as to modify your very data packets to glean additional insight without your knowledge or consent.
That initial attitude has subsequently infected every other ecosystem on the network as countless industries ran toward the location data cash cow, utterly apathetic to the slow but steady erosion of consumer trust and privacy. There's an endless list of points of failure here by self-interested companies eager to prioritize growth over all things, from the carriers themselves to the app store approval process. As such, the focus specifically on apps--or Facebook--tends to miss the bigger picture: that this sort of behavior is now the norm across all of tech, not some errant anomaly.
That said, the Times piece is still full of some entertaining revelations on app privacy specifically, like the fact that even some of the companies involved don't understand why the hell they even have access to all of this customer location data:
"To evaluate location-sharing practices, The Times tested 20 apps, most of which had been flagged by researchers and industry insiders as potentially sharing the data. Together, 17 of the apps sent exact latitude and longitude to about 70 businesses. Precise location data from one app, WeatherBug on iOS, was received by 40 companies. When contacted by The Times, some of the companies that received that data described it as “unsolicited” or “inappropriate.”"
Currently, outside of a week of bad press that's quickly forgotten (see: Equifax), there's really no penalty for even the most mammoth of privacy abuses (aside from the occasional wrist slap for violating kid-specific privacy laws like COPPA). This apathy and incompetence was rooted in the cellular and telecom industry, and has since spiraled outward, infecting every app and internet ecosystem as numerous industries ran to feed at the unsupervised trough. The fact that we're still so collectively naive to the scope of the problem a decade or two later is utterly mind-boggling in and of itself.
Filed Under: location data, mobile apps, privacy
Reader Comments
HIPAA compliance
A possibly similar scenario;
If someone hacked a medical services provider and sold patient data, would the hacker have committed a HIPAA violation?
[ link to this | view in chronology ]
Re: HIPAA compliance
So a telecom provider, an app developer, a platform provider (Apple, Google), etc. aren't subject to HIPAA.
HIPAA was signed into law in 1996 and I imagine very few people at that time could have foreseen the current situation.
[ link to this | view in chronology ]
Re: Re: HIPAA compliance
If a covered entity wants to use a platform they'll need a HIPAA-compliant Business Associate Agreement with its provider—and Google's cloud platform is compliant, meaning HIPAA may apply. But it doesn't apply if you simply put your appointments into Google Calendar, or decide to provide all your location data to get a free app, or share photos of your medical bills on Twitter.
[ link to this | view in chronology ]
If this was one of the former totalitarian communist states one would be concerned but not particularly worried.
We are not discussing former totalitarian states but states that were once the beacon of enlightenment.
[ link to this | view in chronology ]
isn't that why they called it "SPYWARE"?
How many times do people need to be reminded of that old saying, "There's no such thing as a free lunch."?
[ link to this | view in chronology ]
Re: isn't that why they called it "SPYWARE"?
Not that paying actually helps. As Karl wrote, the carriers—which are taking quite a bit of our money—are collecting and selling our data too.
[ link to this | view in chronology ]
Re: isn't that why they called it "SPYWARE"?
How many times do people need to be reminded of the fact that this is happening in services that people DO pay for?
Besides, waving away the problem as if it's just a bunch of freeloaders getting what they deserve won't fix anything, even if it was true.
[ link to this | view in chronology ]
Re: isn't that why they called it "SPYWARE"?
There is, in fact, rather a lot of free software that doesn't monetize your personal information. Unfortunately, there's an ambiguity to the term "free software"; see gratis versus libre.
There's plenty of software out there that's freely available and isn't invasive. The Linux kernel is an obvious example. Firefox is another.
[ link to this | view in chronology ]
They keep reporting a non-anonymizable thing such as location information as anonymous.
Unless the reporter is claiming that location data that maps an individual to their home and place of work is anonymous, then it isn't anonymous. Claiming otherwise only serves to help surveillance companies perpetuate their privacy grift.
[ link to this | view in chronology ]
Re:
One of these rights called the Fourth Amendment protected the people from unreasonable searches and seizures.
Unfortunately at that time the view of government was the states were supreme over the federal government, a view that was somewhat altered by the 17th Amendment. There is still big controversy over electric power grids, something CA is acquainted with, and banking, which are noted here only to verify that the US government is part 18th century and part 21st century.
Back to the Fourth Amendment. At the time of passage and well into the last decade of the 20th century, if the police or anyone wanted someone's records, which were by necessity on paper, the only way to obtain these records was to physically take possession of them. One could not copy them except by a long and painful process which was very time consuming. And, supposedly according to the Fourth Amendment, the police had to obtain a warrant for such. Anyone who attempted to enter a premises and obtain such records could only do so by a process called burglary, which is prosecutable as a criminal offense.
In the early 1970s computers were individually produced and rights SOLD on an individual basis, just like blacksmiths individually crafted horseshoes. Each horseshoe was individually crafted and all rights to the horseshoe were sold with the horseshoe. Mass distribution of software in the format of Henry Ford production line was not feasible until some legal genius thought of not selling software by renting it.
If a company leased or rented they could first collect all rental payment upfront, second control the expiration date, week of infinity, third control the terms of usage. And, the terms of usage could be such that the software company could change, called updates, the software at will and own whatever was produced by the software. That means that even though I am the author of this posting I do NOT own all the rights to it. Various software companies, like Microsoft, AT&T, just to name two, own the rights to do with this post as they please.
Then cell phones were added to this stew. The telephone companies, like AT&T, operating system companies, like Microsoft, and usage companies, like Google, have the right to all data that flows through their software which the individual is only allowed to rent or use.
There is a point to all this.
No one has any Fourth Amendment Rights or ownership rights to anything that flows through any digital system, anywhere, anytime.
In fact digital systems and the internet are the biggest threat to individual freedom that has ever existed.
Everything one does, everyone one knows, everything one thinks about by recording it in a computer or phone, and every place one goes is now recorded by one or another entity.
Currently the biggest challenge to governments is how to collate all their collected data into a command and control system.
As far as the action side, the police were militarized years ago in the continuous war on drugs.
Currently it is impossible in the US to go from one coast to the other coast without the action being reported to the police. In fact I doubt one could go 1 mile in more populated areas without this being recorded. In certain rural areas the distance is longer only because of the sparse population.
[ link to this | view in chronology ]
Re: Re:
Direct election of senators?
WTF are you talking about?
[ link to this | view in chronology ]
Re: Re: Re:
Then again, nothing else he said made any sense either.
[ link to this | view in chronology ]
Re: Re:
Your assertion that you could not mass produce software until "some legal genius thought of not selling software by renting it." I think you mean not selling software but instead renting it. But it turns out large scale duplication of software was possible once we moved away from tape drives. Floppies (5.25" and 3.5", among others) had far better data copy speeds and were easily duplicated. CDs were even better. Shareware was everywhere in the 80s and early 90s for this reason - the business model was based on getting a name out there, scattershot style. Money was made. And in no time was the primary software I was dealing with requiring a long EULA. I never dealt with those beyond the OS level until Windows 95.
Also, Microsoft does not have an ancillary copyright interest in your post on this website. It doesn't own that post to do with as it pleases. I'm unsure what terms you think are the basis of that. Neither does AT&T. It might be spying on the packets sending that data, but it does not own the contents of those packets to do with as it pleases. It can't claim to be the copyright holder, unless your claim is that AT&T contracts transfer all copyright of all data transferred over its network, which it can't do given you might be sending information you have a license to send over the network, but don't own the copyright and therefore can not transfer the copyright of that information. If I am wrong please feel free to cite the contracts and case law that change that.
Of course, what you seem to be really talking about is data we store with these companies that are considered 'Third Party Records'. But that is a different stew than what you are arguing, making the debate...problematic.
And a question, what police is being reported of your movement, and for what? I challenge the impossibility of being reported to the police (a phrase which indicates criminal behavior). I also posit that the likelihood of someone in the government noticing you crossing the country somewhere is as likely as it used to be, the only difference being it could get recorded in a database. But as Techdirt notes, going out in public is a privacy tradeoff. Techdirt is noting a poorly/not at all understood tradeoff we are making, to push policy in a better direction.
[ link to this | view in chronology ]
GDPR
GDPR has its own problems, but it's quite clear that whatever data protection law you have in the US, it's not good enough.
[ link to this | view in chronology ]
Re: GDPR
Yes. Is there any indication that Europeans avoided these problems?
[ link to this | view in chronology ]
Is NYT naive? Or pretending?
Yeah, tell me about it! YOU carry spying gadgets everywhere, then somehow imagine that data is "safe" with 3rd parties, and that gov't requires a warrant for "pen register" data you've freely given away! YEESH. You kids are as I've long said: without self-awareness.
But MAIN take-away from this Techdirt re-write is never negative mention here of biggest data collector of all: GOOGLE! Google gives NSA "direct access", according to Snowden.
[ link to this | view in chronology ]