The sale of location data sales has become both big business, and one of the biggest privacy threats in recent years. While the companies involved in this $14B industry claim that only aggregated and anonymized data is sold, numerous investigations have shown that this simply isn’t true.
Just yesterday, we learned that the Federal Trade Commission is suing a data broker that can identify people seeking abortions, and that it made samples of that data publicly available. In the past, we’ve seen how location data can reveal everything from where cops’ kids go to school to US troop movements in war zones …
How do companies get location data?
Location data can be collected in several different ways.
GPS
First, and most obviously, by apps when we grant permission to access our location. For example, a weather app is little use unless we let it see where we are, so it can display local weather. When we give permission for location access, the app then has direct access to our iPhone’s location data – including GPS access – which can identify our location to within a few tens of feet.
Cell towers
Mobile carriers can see which cell towers are within range of our iPhone, even when we’re not actually using them. Towers regularly ping our phones to see where they are, in order to know which cells to use when we receive a call, and triangulation typically allows carriers to locate us to within a few hundred feet – and sometimes much more precisely, in busy areas served by micro-cells.
Wi-Fi networks
If we connect to a public hotspot, the owner of that hotspot obviously knows we’re within range, narrowing down our location to a small area. But databases of routers SSIDs – both public and private – can allow companies to locate us with great precision.
IP address
Every time you connect to a website or other server without using a VPN, your IP address is visible to the server. That can reveal your location within a general area at least, and sometimes more precisely.
Don’t they need permission?
Not necessarily.
That depends on the local law where you are – or where the company is based. But even in Europe, with its ultra-strict GDPR privacy law, permission is just one of six justifications for collecting personal data, including your location.
The others are performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest. These are all defined in rather broad terms.
In other countries or states, there may be virtually no legal protections at all.
But you probably gave permission anyway
Every time you install an app and agree to the conditions, you are granting the developer permission to do whatever it says it will do in those conditions or privacy policy.
Nobody ever reads that small print, and it very often contains a clause with some vague language to the effect that the developer may share your data with “partners.” It may not be obvious (and indeed, it’s intended not to be), but this includes selling your data to data brokers, who then sell it on to others.
Developers are heavily incentivized to do this, earning anything from $12K to $1M a year from these sales.
What’s the solution?
Over the years, Apple has tightened up on privacy requirements for app developers, through things like App Tracking Transparency and App Privacy labels.
But developers are still free to do pretty much anything they like provided they tick the appropriate boxes – and many of them simply lie.
I would argue that we need a specific federal law (and the equivalent in other countries) to explicitly ban the sale and purchase of location data.
In an ideal world, this would be just one component of a much broader federal privacy law – but it could be years before politicians can agree on the terms for this, if ever. It should be far simpler to get agreement on this one thing: You are not allowed to sell my location to a third party, nor are you allowed to buy my location from a third party. Period.
Do you agree? Please take our poll, and share your thoughts in the comments.
FTC: We use income earning auto affiliate links. More.
Comments