from the ill-communication dept
We’ve noted a few times now that while Facebook gets a lot of justified heat for its privacy scandals, the stuff going on in the cellular data and app market in regards to location data makes many of Facebook’s privacy issues seem like a grade-school picnic. That’s something that was pretty well highlighted by the recent Securus and LocationSmart scandals, which showcased perfectly how cellular carriers and location data brokers routinely buy and sell your daily travel habits with only a fleeting effort to ensure all of the subsequent buyers and sellers of that data adhere to basic privacy and security standards.
Over the weekend, the New York Times had an interesting read that offers some fresh insight into just how commonly your daily location data is traded and shared without much in the way of meaningful protection or oversight. There’s a certain naive shock by both the Times authors and its subjects as they suddenly realize that apps on mobile devices routinely hoover up users’ daily movement patterns, often without anything in the way of real consent or transparency, then sell that valuable data to every Tom, Dick, and Harry in a bid to monetize it:
“The app tracked her as she went to a Weight Watchers meeting and to her dermatologist?s office for a minor procedure. It followed her hiking with her dog and staying at her ex-boyfriend?s home, information she found disturbing.
?It?s the thought of people finding out those intimate details that you don?t want people to know,? said Ms. Magrin, who allowed The Times to review her location data.
The Times investigation found that at least 75 companies routinely receive anonymous, precise location data from apps that collect location data but fail to clarify how that data is used. Several of the firms tracked by the Times note they routinely collect data on more than 200 million mobile devices; data that in many instances is so granular it’s updated as many as 14,000 times a day. Of course if you’ve been paying attention, location data has been a gold mine for cellular carriers (and everybody in the chain) for the better part of the last decade as it’s sold to everyone from city planners to shopping malls.
And while carriers and those handling this data routinely insist there’s no harm because this data is “anonymized,” reports have repeatedly shown that this kind of data isn’t really anonymous, especially if it can be linked with other private data (obtained by hackers, leaked, or already in the wild). That’s something you can feel the Times reporters realizing as the story proceeds:
“Businesses say their interest is in the patterns, not the identities, that the data reveals about consumers. They note that the information apps collect is tied not to someone?s name or phone number but to a unique ID. But those with access to the raw data ? including employees or clients ? could still identify a person without consent. They could follow someone they knew, by pinpointing a phone that regularly spent time at that person?s home address. Or, working in reverse, they could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there.”
Curiously, the Times doesn’t even mention the cellular carriers’ role in this problem, insisting that location data sales “began as a way to customize apps and target ads for nearby businesses.” In reality, cellular carriers have been tracking and selling your location data before the concept was even a twinkle in many app makers’ eye, and as the recent LocationSmart scandal (which exposed the personal data of nearly every mobile customer in North America) made very clear, this data is sold to dozens of third-party location data brokers and their sales partners — without much, if any, effort to ensure it’s being protected down the chain.
In other words, app location data sharing is just a smaller part of a massive problem. A problem that started with telecom operators and our total unwillingness to hold them accountable for similar behavior. Politically powerful cellular carriers who repeatedly insisted we didn’t need any meaningful privacy rules of the road because “public shame” would keep the industry honest. That promise has never really worked out that well.
Multiple ISPs were accused years ago of collecting and selling consumer clickstream data. When they were pressed for details, many simply either denied doing it or refused to respond. Collectively, we decided that was fine. As more sophisticated network gear like deep-packet inspection emerged, ISPs began tracking and selling online browsing habits down to the millisecond, some even charging users extra if they wanted to protect their own privacy. Wireless only made things worse, some carriers even going so far as to modify your very data packets to glean additional insight without your knowledge or consent.
That initial attitude has subsequently infected every other ecosystem on the network as countless industries ran toward the location data cash cow, utterly apathetic to the slow but steady erosion of consumer trust and privacy. There’s an endless list of points of failure here by self-interested companies eager to prioritize growth over all things, from the carriers themselves to the app store approval process. As such, the focus specifically on apps–or Facebook–tends to miss the bigger picture: that this sort of behavior is now the norm across all of tech, not some errant anomaly.
That said, the Times piece is still full of some entertaining revelations on app privacy specifically, like the fact that even some of the companies involved don’t understand why the hell they even have access to all of this customer location data:
“To evaluate location-sharing practices, The Times tested 20 apps, most of which had been flagged by researchers and industry insiders as potentially sharing the data. Together, 17 of the apps sent exact latitude and longitude to about 70 businesses. Precise location data from one app, WeatherBug on iOS, was received by 40 companies. When contacted by The Times, some of the companies that received that data described it as ?unsolicited? or ?inappropriate.’
Currently, outside of a week of bad press that’s quickly forgotten (see: Equifax), there’s really no penalty for even the most mammoth of privacy abuses (aside from the occasional wrist slap for violating kid specific privacy laws like COPPA). This apathy and incompetence was rooted in the cellular and telecom industry, and has since spiraled outward, infecting every app and internet ecosystem as numerous industries ran to feed at the unsupervised trough. The fact that we’re still so collectively naive to the scope of the problem a decade or two later is utterly mind boggling in and of itself.