from the what-were-you-doing-*there*-friend? dept.
Dan Goodin over at Ars Technica is reporting on a company called Babel Street and its Location X program.
From the article:
You likely have never heard of Babel Street or Location X, but chances are good that they know a lot about you and anyone else you know who keeps a phone nearby around the clock.
Reston, Virginia-located Babel Street is the little-known firm behind Location X, a service with the capability to track the locations of hundreds of millions of phone users over sustained periods of time. Ostensibly, Babel Street limits the use of the service to personnel and contractors of US government law enforcement agencies, including state entities. Despite the restriction, an individual working on behalf of a company that helps people remove their personal information from consumer data broker databases recently was able to obtain a two-week free trial by (truthfully) telling Babel Street he was considering performing contracting work for a government agency in the future.
Tracking locations at scale
KrebsOnSecurity, one of five news outlets that obtained access to the data produced during the trial, said that one capability of Location X is the ability to draw a line between two states or other locations—or a shape around a building, street block, or entire city—and see a historical record of Internet-connected devices that traversed those boundaries.
[...]
404 Media, another outlet given access to the data, reported that the trove allowed a reporter to zoom in on the parking lot of an abortion clinic in Florida and observe more than 700 red dots, each representing a phone that had recently visited the clinic. Location X then allowed the reporter to trace the movements of one specific device.That device—and by extension, the person carrying it—began the journey in mid-June from a residence in Alabama. The person passed by a Lowe's Home Improvement store, drove on a highway, visited a church, crossed into Florida, and finally stopped at the clinic where the phone indicates the person stayed for two hours before leaving and returning to Alabama. The data tracked the phone as having visited the clinic only once.
The technology making this vast data collection possible is, of course, tracking mechanisms built into Android and iOS and the apps that run on those operating systems. By default, Android assigns a unique ad ID to each device and makes it available to any app that has location permissions. iOS, by contrast, keeps its "Identifier for Advertisers" tracker private, but gives each installed app the opportunity to request access to it.
Some apps are given permission to access a phone's location and then sell the device's location to consumer data brokers. The data can also be made available through the web ad ecosystem. While an ad-supported page loads, the advertising network holds an auction in real time to sell a personalized ad to the highest bidder. A key piece of information bidders use to set a price is—you guessed it—the location of the device running the browser. Advertisers generate additional revenue by selling that history to the likes of Location X provider Babel Street.
TFA also provides information which can limit your exposure:
There are multiple settings that phone users must choose to close off the constant leaking of their locations. For users of either Android or iOS, the first step is to audit which apps currently have permission to access the device location. This can be done on Android by accessing Settings > Location > App location permissions and, on iOS, Settings > Privacy & Security > Location Services.
For most users, there's usefulness in allowing an app for photos, transit, or maps to access a user's precise location. For other classes of apps—say those for Internet jukeboxes at bars and restaurants—it can be helpful for them to have an approximate location, but giving them precise, fine-grained access is likely overkill. And for other apps, there's no reason for them ever to know the device's location. With a few exceptions, there's little reason for apps to always have location access.
Not surprisingly, Android users who want to block intrusive location gathering have more settings to change than iOS users. The first thing to do is access Settings > Security & Privacy > Ads and choose "Delete advertising ID." Then, promptly ignore the long, scary warning Google provides and hit the button confirming the decision at the bottom. If you don't see that setting, good for you. It means you already deleted it. Google provides documentation here.
So is this just good old American ingenuity at its best? An unacceptable invasion of privacy?
Speaking of such things, how (if at all) does this comport with the Fourth Amendment?
What say you, Soylentils?
(Score: 4, Interesting) by mrpg on Sunday October 27, @05:18PM (4 children)
Mine had no advertising ID, and the apps that had access (to location) when on use were firefox, whatsapp, internet samsung and phone. I removed them and the browsers said "some important things might not work" but I don't care, lets see if something breaks. Google and maps have permanent access that u can turn off too.
(Score: 3, Informative) by Deep Blue on Sunday October 27, @05:29PM (2 children)
There's still Bluetooth and Wifi and AirTag-type thing can work the other way around as well, paying with phone will track you. Not to mention cameras with face detection, which was a story here recently about cloud cameras and their service providers giving out that info. Just sayin'
(Score: 4, Interesting) by mrpg on Sunday October 27, @05:43PM
I almost never turn on location, but I think I saw a story about it being used notwithstanding. I have a second phone to install things I want to test, but in my main one, only 4 apps: vpn, firefox, etc.
(Score: 2) by NotSanguine on Monday October 28, @12:31AM
Paying with just a card and no phone will track you too. Or rather, paying with phone will allow the phone/wallet vendor *and* your credit card provider to track you. Double the fun!
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by NotSanguine on Monday October 28, @12:28AM
Yep. That was my experience as well.
I do allow a few apps to use location services only while they're running, but only apps that actually need such access (e.g. Network Cell Info Lite [google.com], Gadgetbridge [gadgetbridge.org], etc.).
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 4, Informative) by krishnoid on Sunday October 27, @07:46PM
Forget the apps, it's coming from inside the phone [www.zeit.de]! Richard Stallman [stallman.org] called it (search down to "Cellular Phones").
(Score: 3, Insightful) by SomeGuy on Sunday October 27, @07:54PM (3 children)
Good luck tracking my 1990s desk "landline" telephone. I'll go ahead and tell you - it's sitting on my desk right next to me. Where it fucking stays.
Why people are OK with this kind of tracking just blows my mind.
Of course, then there are cameras every five feet these days recording your face and/or your car.
(Score: 2) by janrinok on Sunday October 27, @07:58PM
Same here - old fashioned landline to POTS. No spam, I only give the number to certain people.
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 0) by Anonymous Coward on Sunday October 27, @08:08PM
I don't think they would be if they found out retailers are selling location information to these companies.
You just have to drive near them.
(Score: 4, Interesting) by looorg on Sunday October 27, @09:26PM
I don't have a landline anymore, after they removed the copper and made it telephone over ip then I figured why bother. I have two phones, one work phone and one private phone. The work phone is at the desk at work, the home phone is at my desk at home. According to tracking I'm either working around the clock and living beneath my desk or I have not left my home for about a decade. The work phone might move around a bit, but it's somewhat rare. I figure I'm at home, or I'm at work or I'm to busy to talk to you cause I'm doing something else, send an email or an SMS and I'll get back to you when I get back to either phone. I don't need or want any apps, I don't want to do any kind of computing on a 6-7" screen.
I still get tracked by other means. But it's not from my phones or any kind of apps-schmaps-bullshit.
(Score: 2) by Frosty Piss on Sunday October 27, @08:11PM
"What have you got to hide?"
(Score: 2, Insightful) by Anonymous Coward on Sunday October 27, @08:43PM (1 child)
"Some apps are given permission to access a phone's location and then sell the device's location to consumer data brokers."
so the next time your favorite retailer REALLY wants you to download their app, tell 'em to fsck off.
(Score: 5, Insightful) by aafcac on Sunday October 27, @09:41PM
The big issue I take is requiring location services for bluetooth pairing. That should be a separate permission from general location permissions.
(Score: 1, Interesting) by Anonymous Coward on Monday October 28, @01:28AM
If you're letting your browser give away your location to advertisers, thanks for helping to pay for stuff on my behalf. On the other hand if you're faking your location and sending fake locations to advertisers, double thanks - you're helping to pay for stuff AND polluting their DBs.
By the way, it's not just GPS. WiFi, cell tower, bluetooth info can all be used to figure out your location.
I use WiFi info to help clients to track the location of the computers they own. It often helps to know the places where a laptop has been to when the lease is over and you want to return it for a newer one.
You can add WiFi capability to a desktop just by attaching a usb wifi (many of these are cheap and the drivers are built-in to most OSes). It does not need to actually connect to an AP. The way it works is if a device can see SSIDs that only show up in a particular location, it means it's likely be within 100m of that location. Add signal strength data and Google can figure out the position even more precisely (whether they tell you or not)...