Dan Goodin over at Ars Technica is reporting on a company called Babel Street and its Location X program.
From the article:
You likely have never heard of Babel Street or Location X, but chances are good that they know a lot about you and anyone else you know who keeps a phone nearby around the clock.
Reston, Virginia-located Babel Street is the little-known firm behind Location X, a service with the capability to track the locations of hundreds of millions of phone users over sustained periods of time. Ostensibly, Babel Street limits the use of the service to personnel and contractors of US government law enforcement agencies, including state entities. Despite the restriction, an individual working on behalf of a company that helps people remove their personal information from consumer data broker databases recently was able to obtain a two-week free trial by (truthfully) telling Babel Street he was considering performing contracting work for a government agency in the future.
Tracking locations at scale
KrebsOnSecurity, one of five news outlets that obtained access to the data produced during the trial, said that one capability of Location X is the ability to draw a line between two states or other locations—or a shape around a building, street block, or entire city—and see a historical record of Internet-connected devices that traversed those boundaries.
[...]
404 Media, another outlet given access to the data, reported that the trove allowed a reporter to zoom in on the parking lot of an abortion clinic in Florida and observe more than 700 red dots, each representing a phone that had recently visited the clinic. Location X then allowed the reporter to trace the movements of one specific device.That device—and by extension, the person carrying it—began the journey in mid-June from a residence in Alabama. The person passed by a Lowe's Home Improvement store, drove on a highway, visited a church, crossed into Florida, and finally stopped at the clinic where the phone indicates the person stayed for two hours before leaving and returning to Alabama. The data tracked the phone as having visited the clinic only once.
The technology making this vast data collection possible is, of course, tracking mechanisms built into Android and iOS and the apps that run on those operating systems. By default, Android assigns a unique ad ID to each device and makes it available to any app that has location permissions. iOS, by contrast, keeps its "Identifier for Advertisers" tracker private, but gives each installed app the opportunity to request access to it.
Some apps are given permission to access a phone's location and then sell the device's location to consumer data brokers. The data can also be made available through the web ad ecosystem. While an ad-supported page loads, the advertising network holds an auction in real time to sell a personalized ad to the highest bidder. A key piece of information bidders use to set a price is—you guessed it—the location of the device running the browser. Advertisers generate additional revenue by selling that history to the likes of Location X provider Babel Street.
TFA also provides information which can limit your exposure:
There are multiple settings that phone users must choose to close off the constant leaking of their locations. For users of either Android or iOS, the first step is to audit which apps currently have permission to access the device location. This can be done on Android by accessing Settings > Location > App location permissions and, on iOS, Settings > Privacy & Security > Location Services.
For most users, there's usefulness in allowing an app for photos, transit, or maps to access a user's precise location. For other classes of apps—say those for Internet jukeboxes at bars and restaurants—it can be helpful for them to have an approximate location, but giving them precise, fine-grained access is likely overkill. And for other apps, there's no reason for them ever to know the device's location. With a few exceptions, there's little reason for apps to always have location access.
Not surprisingly, Android users who want to block intrusive location gathering have more settings to change than iOS users. The first thing to do is access Settings > Security & Privacy > Ads and choose "Delete advertising ID." Then, promptly ignore the long, scary warning Google provides and hit the button confirming the decision at the bottom. If you don't see that setting, good for you. It means you already deleted it. Google provides documentation here.
So is this just good old American ingenuity at its best? An unacceptable invasion of privacy?
Speaking of such things, how (if at all) does this comport with the Fourth Amendment?
What say you, Soylentils?
(Score: 2, Insightful) by Anonymous Coward on Sunday October 27, @08:43PM (1 child)
"Some apps are given permission to access a phone's location and then sell the device's location to consumer data brokers."
so the next time your favorite retailer REALLY wants you to download their app, tell 'em to fsck off.
(Score: 5, Insightful) by aafcac on Sunday October 27, @09:41PM
The big issue I take is requiring location services for bluetooth pairing. That should be a separate permission from general location permissions.