Your Apps Know What You Did Last Night (And They're Not Keeping It Secret)

Your wife may not know about those little trips to that Thai massage place in the strip-mall, but your smartphone does - and it may be telling any one of at least 75 companies exactly what time you went, how you got there and where you stopped on the way - with staggering precision to within a few yards, according to the New York Times

The millions of dots on the map trace highways, side streets and bike trails — each one following the path of an anonymous cellphone user.

One path tracks someone from a home outside Newark to a nearby Planned Parenthood, remaining there for more than an hour. Another represents a person who travels with the mayor of New York during the day and returns to Long Island at night.

Yet another leaves a house in upstate New York at 7 a.m. and travels to a middle school 14 miles away, staying until late afternoon each school day. Only one person makes that trip: Lisa Magrin, a 46-year-old math teacher. Her smartphone goes with her.

An app on the device gathered her location information, which was then sold without her knowledge. It recorded her whereabouts as often as every two seconds, according to a database of more than a million phones in the New York area that was reviewed by The New York Times. While Ms. Magrin’s identity was not disclosed in those records, The Times was able to easily connect her to that dot.

The app tracked her as she went to a Weight Watchers meeting and to her dermatologist’s office for a minor procedure. It followed her hiking with her dog and staying at her ex-boyfriend’s home, information she found disturbing. -NYT

"It’s the thought of people finding out those intimate details that you don’t want people to know," said Magrin, whose location data was reviewed by The Times

Several of the 75 companies which collect location data receive anonymous - yet extremely precise location data from users who enable location services for such benign purposes as weather, news and mapping software, according to the Times. Several appmakers have claimed to track up to 200 million mobile devices in the United States alone - around half of the devices in use during 2017.

These companies sell, use or analyze the data to cater to advertisers, retail outlets and even hedge funds seeking insights into consumer behavior. It’s a hot market, with sales of location-targeted advertising reaching an estimated $21 billion this year. IBM has gotten into the industry, with its purchase of the Weather Channel’s apps. The social network Foursquare remade itself as a location marketing company. Prominent investors in location start-ups include Goldman Sachs and Peter Thiel, the PayPal co-founder.

...

More than 1,000 popular apps contain location-sharing code from such companies, according to 2018 data from MightySignal, a mobile analysis firm. Google’s Android system was found to have about 1,200 apps with such code, compared with about 200 on Apple’s iOS.

...

To evaluate location-sharing practices, The Times tested 20 apps, most of which had been flagged by researchers and industry insiders as potentially sharing the data. Together, 17 of the apps sent exact latitude and longitude to about 70 businesses. Precise location data from one app, WeatherBug on iOS, was received by 40 companies. When contacted by The Times, some of the companies that received that data described it as “unsolicited” or “inappropriate.” -NYT

"Location information can reveal some of the most intimate details of a person’s life — whether you’ve visited a psychiatrist, whether you went to an A.A. meeting, who you might date," said Oregon Democratic Senator Ron Wyden, who has proposed bills which would limit the ability of big tech to collect and sell such data. "It’s not right to have consumers kept in the dark about how their data is sold and shared and then leave them unable to do anything about it."

Always watching

Manhattan nurse Elise Lee told the Times she was thoroughly creeped out after she saw that her device had been tracked to the main operating room at the hospital where she works. 

“It’s very scary,” said Ms. Lee, who allowed The Times to examine her location history in the data set it reviewed. “It feels like someone is following me, personally.”

Initially designed to help local businesses market to mobile phone customers, location-based data collection has morphed into a "data collection and analysis machine," reports the Times

Now, retailers are contracting with tracking companies to provide intelligence on their customers and competitors - while financial firms are using the data to make investment decisions. 

For a web seminar last year, Elina Greenstein, an executive at the location company GroundTruth, mapped out the path of a hypothetical consumer from home to work to show potential clients how tracking could reveal a person’s preferences. For example, someone may search online for healthy recipes, but GroundTruth can see that the person often eats at fast-food restaurants.

We look to understand who a person is, based on where they’ve been and where they’re going, in order to influence what they’re going to do next,” Ms. Greenstein said.

Financial firms can use the information to make investment decisions before a company reports earnings — seeing, for example, if more people are working on a factory floor, or going to a retailer’s stores. -NYT

Attorneys are getting in on the tracking game too, as ambulance chasing lawyers can simply purchase emergency room location information according to Long Island advertising firm Tell All Digital, which contracts with a location company to run ad campaigns for personal injury lawyers targeting those who have had unfortunate visits to the hospital. 

"The book ‘1984,’ we’re kind of living it in a lot of ways," said Tell All managing partner Bill Kakis. 

The Weather Channel app - owned by a subsidiary of IBM, told users that sharing their locations would give them "personalized local weather data, alerts and forecasts." In fact, the app also analyzes tracking data for hedge funds in a pilot program which was promoted on the company's website, and which IBM says has ended. They are hiding behind the argument that "other uses" of tracking data is discussed in a separate "privacy settings" area of the app. 

The Times found information on advertising in that section, however found no such notification upon a search of the app. 

"Most people don’t know what’s going on," said data broker Emmett Kilduff, whose company Eagle Alpha sells information to financial firms and hedge funds. He said responsibility for complying with regulations governing data collection fall on the companies which collect it. 

Several people in the location business said that it would be relatively simple to figure out individual identities in this kind of data, but that they didn’t do it. Others suggested it would require so much effort that hackers wouldn’t bother.

It “would take an enormous amount of resources,” said Bill Daddi, a spokesman for Cuebiq, which analyzes anonymous location data to help retailers and others, and raised more than $27 million this year from investors including Goldman Sachs and Nasdaq Ventures. Nevertheless, Cuebiq encrypts its information, logs employee queries and sells aggregated analysis, he said. -NYT

In January, we detailed how interactive online fitness tracking app Strava's online "heatmap" of user routes had unwittingly revealed the location, staffing, patrol routes and layout of U.S. and foreign military bases around the world, as discovered international security researcher Nathan Ruser

In most urban areas such as major cities such as New York, Strava's map appeared as solid neon lights following just about every road on which one might exercise. 

Remote locations, however, such as deserts in places like Syria and Iraq are almost entirely dark aside from clandestine locations where military personnel using fitness trackers are stationed.  Personnel in some of the US government's most sensitive facilities have been unwittingly been broadcasting sensitive information up to and including underground tunnels. 

FBI Academy:

NSA Headquarters:

The bottom line

Collecting location data is of course all about following the money. App developers can profit from directly selling harvested data, or by sharing it for location-based ads which command a premium. At half a cent to two cents per user per month, an app with 10 million users can generate as much as $2.4 million per year. 

Smaller companies compete for the rest of the market, including by selling data and analysis to financial institutions. This segment of the industry is small but growing, expected to reach about $250 million a year by 2020, according to the market research firm Opimas. -NYT

Google and Facebook are big players in location-based advertising, according to the Times. The companies say they use the data internally to track whether ads lead to sales at brick-and-mortar stores, while Google says it modifies the data to be "less exact." 

Apple and Google, meanwhile, have taken steps to put a leash on the amount of location data collected. In the most recent version of the Android operating system, for example, apps which are not in use are now limited to collecting locations "a few times an hour" as opposed to continuously. Apple has been requiring apps to justify collecting location details in pop-up messages to notify users. That said, the company's instructions for writing the pop-ups do not require disclosing that the data may be used for advertising purposes. 

After learning that her phone was constantly spying on her, the nurse interviewed by the Times, Elise Lee, immediately limited the data which apps could collect on her - and she warned other operating-room nurses to do the same. 

"I went through all their phones and just told them: ‘You have to turn this off. You have to delete this," Lee said. "Nobody knew."