Some apps pass personally identifiable location data to as many as 40 companies

A lengthy NY Times feature provides some stark illustrations of the extent to which potentially-identifiable location data is being captured, shared and retained by both iOS and Android apps, threatening user privacy.

The paper was able to identify specific individuals from some location patterns, and found that one iOS app was passing exact location data to a total of 40 different companies …

Location data is supposed to be anonymous, not tied to any specific individual, and used only to analyze overall patterns. But the paper found that it was possible to track location movements with enough precision to identify individual people – and to learn an alarming amount about them.

[One phone] leaves a house in upstate New York at 7 a.m. and travels to a middle school 14 miles away, staying until late afternoon each school day. Only one person makes that trip: Lisa Magrin, a 46-year-old math teacher. Her smartphone goes with her.

An app on the device gathered her location information, which was then sold without her knowledge. It recorded her whereabouts as often as every two seconds, according to a database of more than a million phones in the New York area that was reviewed by The New York Times. While Ms. Magrin’s identity was not disclosed in those records, The Times was able to easily connect her to that dot.

The app tracked her as she went to a Weight Watchers meeting and to her dermatologist’s office for a minor procedure. It followed her hiking with her dog and staying at her ex-boyfriend’s home, information she found disturbing.

“It’s the thought of people finding out those intimate details that you don’t want people to know,” said Ms. Magrin.

The NYT found that her location was recorded an average of once every 21 minutes over a four-month period, and that all that data had been retained. In another case, captured data appeared to be from a phone used by a child, as it went to a school, spent some time in the playground and then entered the school building where it remained from 8am to 3pm.

It says that while companies may not target specific individuals, the specificity of the data creates the risk of mis-use.

Those with access to the raw data — including employees or clients — could still identify a person without consent. They could follow someone they knew, by pinpointing a phone that regularly spent time at that person’s home address. Or, working in reverse, they could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there.

The majority of apps they tested tracked precise locations, not just general areas.

The Times tested 20 apps, most of which had been flagged by researchers and industry insiders as potentially sharing the data. Together, 17 of the apps sent exact latitude and longitude to about 70 businesses. Precise location data from one app, WeatherBug on iOS, was received by 40 companies.

The NYT also found that privacy explanations were ‘often incomplete or misleading.’

Typical was theScore, a sports app: When prompting users to grant access to their location, it said the data would help “recommend local teams and players that are relevant to you.” The app passed precise coordinates to 16 advertising and location companies.

Even IBM was found to be sharing location data with hedge funds without disclosing that fact.

The Weather Channel app, owned by an IBM subsidiary, told users that sharing their locations would let them get personalized local weather reports […]

The app did not explicitly disclose that the company had also analyzed the data for hedge funds — a pilot program that was promoted on the company’s website.

The piece is likely to add to calls for federal privacy regulation along the lines of Europe’s GDPR. Apple is a strong proponent for such a law.

Leave a comment

Your email address will not be published. Required fields are marked *