Limiting your exposure to location data resellers

Location data is valuable, just ask Huq Industries, who make a living out of selling your location information, then found that the apps they bought it from hadn’t asked the end users permission to have it! Naughty! The organisations they sell it to use it for better marketing, to get a better understanding of how many people are in places at a certain time, or forecast the future based on historical data. I have also heard that news organisations used it to map the increase in drivers panic buying fuel last month.

We found examples of this data reselling when we looked at dating apps, along with finding we could locate users of those apps in real time, we also found one app Grindr was sending your location data to and agency called Braze. Its not clear what for, the Norwegian Consumer Council found the same(PDF).

The data was highly specific, down to exact geographical position. Although, this data is anonymised (with a unique Braze ID and not the device advertising ID that a user can change) before it is sent to the resellers, so what’s the risk?

The problem is one can infer information about the user of the device from the location. Let’s say a phone is always present in the same location overnight, could that be where the individual lives? Or a device spends the entire day in an office, could that be a place of work?

Using other data sources in combination, one could deanonymize the anonymous location data, electoral roll information for a particular house could reveal all adults who live in the house. The office location could be used to look up individuals who work at that company. Combine the two and it would be trivial to deduce the owner of the mobile phone, which could reveal much more about the persons life. Where do they go at any point during the day, do they go near a school in the morning – is that where their children go to school. Do they visit a gym at the same time every week? What route do they take to get to work? All can be revealed from this information.

The New York Times showed in 2019 how this data could be deanonymized to reveal where children lived and went to school, they showed how they could track then President Trump and how normal individuals personal lives could be invaded.

So, with this seemingly high desire for app developers to sell your location information (and often bury the information in the T&C’s), what can you do about it?

Protecting yourself

Fortunately, phone makers are giving us more control over our privacy. iOS especially has had the ability to modify your location settings per app since iOS 14, by changing your location to either precise or coarse location.

This is really important to set. You can do it from either the privacy settings or when first using a new app.

On Android you are slightly limited, the developer needs to request a location setting (coarse or precise), you essentially say yes or no to what they ask. But what if the app is a weather app. You need location information for that to work, and so you will accept it. Potentially giving away your precise location to a reseller. Not good!

Since Android 12 you can now enable the same setting as iOS. Either when first running the app or from the setting.

If you can upgrade to Android 12 then look out for this setting and take advantage of it.

Other location settings

It’s also worth on both Android and iOS to only grant location information for apps that actually need it and then if possible, only “while using the app” rather than all of the time. This helps limit the data that these apps can collect from you when you aren’t using the app.

A great demonstration of where people have turned location services to ‘always’ is the Strava heat map. When zooming in on places where phones typically wouldn’t be being used for exercise we can clearly see traces from people who are uploading data to Strava as if they are exercising.

This is Heathrow airport and its possible to see tracks from people using it onboard airplanes as they are taking off or moving around the runway area. It seems improbable that they are exercising and using Strava to track that exercise while onboard a plane and therefore one can presume that this is people who have left Strava to work as both a background app and have always on location data.

Exceptions to the rule

By forcing the coarse location you help protect your privacy from location resellers as they will only be able to collect that a device was in a rough area rather than the exact location. This will help protect your privacy and reduce the ability of apps tracking your every move.

However, there are going to be exceptions.

A mapping app for example really will need your exact location, otherwise it is not really that valuable when used for navigation. Dating apps likely don’t need an exact location. Weather apps don’t need an exact location. Use the settings to benefit you, don’t just accept the defaults when installing.

I would also suggest you see how well apps work with the least amount of access before upping if they don’t work. This is a security concept called ‘least privilege’ and helps ensure services have just enough access to work, but not too much that they can leak data.

Conclusion

Location information is incredibly valuable, there are many companies approaching popular app developers to include their location reselling code in the developers’ mobile apps for a fee. This often helps keeps apps free, however, that trade off means you pay for it with your information.

Fortunately, phone software manufacturers have given us the ability to control this. So, exercise your rights and take advantage of the controls available to you.