A lengthy NY Times feature provides some stark illustrations of the extent to which potentially-identifiable location data is being captured, shared and retained by both iOS and Android apps, threatening user privacy.
The paper was able to identify specific individuals from some location patterns, and found that one iOS app was passing exact location data to a total of 40 different companies …
Location data is supposed to be anonymous, not tied to any specific individual, and used only to analyze overall patterns. But the paper found that it was possible to track location movements with enough precision to identify individual people – and to learn an alarming amount about them.
The NYT found that her location was recorded an average of once every 21 minutes over a four-month period, and that all that data had been retained. In another case, captured data appeared to be from a phone used by a child, as it went to a school, spent some time in the playground and then entered the school building where it remained from 8am to 3pm.
[One phone] leaves a house in upstate New York at 7 a.m. and travels to a middle school 14 miles away, staying until late afternoon each school day. Only one person makes that trip: Lisa Magrin, a 46-year-old math teacher. Her smartphone goes with her.
An app on the device gathered her location information, which was then sold without her knowledge. It recorded her whereabouts as often as every two seconds, according to a database of more than a million phones in the New York area that was reviewed by The New York Times. While Ms. Magrin’s identity was not disclosed in those records, The Times was able to easily connect her to that dot.
The app tracked her as she went to a Weight Watchers meeting and to her dermatologist’s office for a minor procedure. It followed her hiking with her dog and staying at her ex-boyfriend’s home, information she found disturbing.
“It’s the thought of people finding out those intimate details that you don’t want people to know,” said Ms. Magrin.
It says that while companies may not target specific individuals, the specificity of the data creates the risk of mis-use.
The majority of apps they tested tracked precise locations, not just general areas.
The NYT also found that privacy explanations were ‘often incomplete or misleading.’
Even IBM was found to be sharing location data with hedge funds without disclosing that fact.
The piece is likely to add to calls for federal privacy regulation along the lines of Europe’s GDPR. Apple is a strong proponent for such a law.
The app did not explicitly disclose that the company had also analyzed the data for hedge funds — a pilot program that was promoted on the company’s website.
The full feature is well worth reading.