Data Brokers Secretly Track Your Location, Like Pretty Much All the Time

Your exact location is being tracked and sold behind your back.

You can be tracked to within a few feet at all times. Location data can be combined with other sensitive online activity to create a detailed profile of where you go and what you do online and IRL.

As a spate of recent investigative reports makes clear, there are no laws in the US prohibiting the sale of your location information. This report in The Markup illustrates how a lack of regulation leaves people vulnerable to location tracking and, not surprisingly, plenty of companies are taking advantage. In fact, the market for your phone's location data is estimated to be over $16 billion in 2022, and that market is increasing fast, with an estimated compound annual growth rate of 15.6% from 2022 to 2030.

Just how many people are having their location tracked? Well, The Intercept recently profiled a small company most people have never heard of, Anomaly Six (A6), that has boasted about its ability to track the real-time locations of 3 billion devices. Another little-known location tracker, Near, says it has collected data on 1.6 billion people in 44 countries. Yet another obscure company, Mobilewalla, claims to have location data about 1.9 billion devices. These and many other data brokers claim they are able to track and save people’s precise location data within a matter of feet throughout their days, every day, for years. So it's probably safe to assume that if you have a smartphone, you're vulnerable to having your location tracked in ways you may not desire.

But how do these small, random companies get location information from your device? An excellent report in The Wall Street Journal illustrates exactly how. The WSJ story focuses on how analytics and ad trackers embedded in the gay dating app Grindr collected and then sold its users' location data to data brokers.

Recent reports like the WSJ story highlight not just a vulnerability in one app or the ability for one company to buy location data, but a much larger and pervasive problem that we at Disconnect have been warning about for many years: the vast majority of apps integrate tracking technologies that expose user details to hundreds or thousands of unknown parties. Apps that encourage users to share their location information are able to harvest valuable data that often is core to how they make money.

Detailed profiles of individuals are being built, bought, and sold all the time by companies you've never heard of, and much of this is accomplished through software development kits (SDKs). There are thousands of data sharing partnerships (the type which app makers and data brokers rarely, if ever, publicize) to collect pinpoint location data on billions of devices through these SDKs embedded in apps. Many apps require location-based services to be turned on in order to function but do not explicitly inform people of the potential privacy implications.

This detailed location information can then be correlated with online activity and personal hard identifiers - email address, real names, home address, place of employment, etc. - presenting serious privacy and security issues. What’s even more concerning is that anybody can legally buy access to all of this very sensitive personal information, making it critical for users to protect themselves.

Tracking technology is getting more sophisticated with the ability to track people from their homes, to work, on vacation, everywhere. Even CIA and NSA employees are vulnerable.

Location data trackers continue to develop techniques that enable more comprehensive and invasive surveillance. Despite current attempts to regulate tracking, data brokers continue to collect and share information in ways most people do not understand and would not allow.

The Intercept report revealed that the data broker A6 uses a technique called "geofencing" to track devices at specific locations. Geofencing involves creating a virtual perimeter around a location and applying a specific treatment or ruleset to devices within the perimeter that have location-based services turned on. The vast majority of people using devices with location-based services enabled have experienced geofencing, whether they know it or not. Airline apps may load boarding passes automatically based on your proximity to airports or security checkpoints, hotel apps may load a digital room key when you approach, or specific geographically targeted ads will load when a device is in a certain place. All of these are based on tracking the device’s real-time location.
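The perimeter-plus-ruleset mechanism described above, sketched with the article's benign airline and hotel cases. This is an added example, not code from any app or broker; the fence coordinates, radii, action names and ping trace are all constructed.

```python
import math

EARTH_RADIUS_M = 6_371_000

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

# Constructed fences: (name, centre lat, centre lon, radius in metres, action on entry)
FENCES = [
    ("airport", 40.0000, -75.0000, 1500, "show_boarding_pass"),
    ("hotel",   40.0500, -75.0000,  100, "show_room_key"),
]

def geofence_events(pings, fences=FENCES):
    """Turn time-ordered (timestamp, lat, lon) pings into enter/exit events.

    The app only ever sees raw coordinates; the fence membership and the
    action attached to it are derived from the continuous location feed.
    """
    inside = set()
    events = []
    for ts, lat, lon in pings:
        for name, flat, flon, radius, action in fences:
            within = haversine_m(lat, lon, flat, flon) <= radius
            if within and name not in inside:
                inside.add(name)
                events.append((ts, "enter", name, action))
            elif not within and name in inside:
                inside.discard(name)
                events.append((ts, "exit", name, None))
    return events

# Constructed trace for one device over a morning
PINGS = [
    ("09:00", 40.0300, -75.0000),  # outside both fences
    ("09:20", 40.0050, -75.0000),  # about 556 m from the airport centre
    ("09:40", 40.0010, -75.0000),  # still inside, so no new event
    ("11:00", 40.0300, -75.0000),  # left the airport fence
    ("11:30", 40.0502, -75.0000),  # about 22 m from the hotel centre
]

if __name__ == "__main__":
    for event in geofence_events(PINGS):
        print(event)
```
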

Through its use of geofencing, A6 claims it was even able to identify potential CIA and NSA officials by drawing boundaries around their respective headquarters, seeing devices that visited both locations, and subsequently tracking them across the world, everywhere from the Middle East all the way back to their individual homes.

This type of extensive tracking is not only a threat to national security but a threat to every individual and every organization. If data brokers can track trained security professionals in the intelligence community from their work and home locations, the average individual and employee is clearly vulnerable.

The potential for abuse is endless: for example, location trackers are selling maps of where abortion clinic visitors live, and one data broker was even giving heat maps out for free.

It has become trivial to tie location tracking data to an individual's home (e.g., where the phone pings most often from 11pm-8am), work, as well as other sensitive activities like health appointments, visits to financial institutions, and more.
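To see how little data the 11pm-8am heuristic needs, the following audit can be run over your own location-history export. It is an added example, not code from the article or from any broker; the row format, the UTC offset parameter, the grid precision and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

def night_cell(pings, utc_offset_hours, precision=3):
    """Return ((lat, lon) grid cell, share of night pings) for the location
    seen most often between 11pm and 8am local time, or None if the export
    contains no night-time pings.

    pings: iterable of (ISO-8601 timestamp with offset, lat, lon).
    precision=3 decimal places is a grid of roughly 100 m.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    cells = Counter()
    for ts, lat, lon in pings:
        local = datetime.fromisoformat(ts).astimezone(tz)
        # The window wraps past midnight: 23:00-23:59 plus 00:00-07:59.
        if local.hour >= 23 or local.hour < 8:
            cells[(round(lat, precision), round(lon, precision))] += 1
    if not cells:
        return None
    cell, hits = cells.most_common(1)[0]
    return cell, hits / sum(cells.values())

# Constructed export rows (UTC timestamps, device at UTC-4)
EXPORT = [
    ("2022-05-02T03:10:00+00:00", 40.71234, -74.00561),  # 23:10 local
    ("2022-05-02T07:45:00+00:00", 40.71229, -74.00558),  # 03:45 local
    ("2022-05-02T11:30:00+00:00", 40.71241, -74.00563),  # 07:30 local
    ("2022-05-02T14:00:00+00:00", 40.75010, -73.98020),  # 10:00 local, daytime
    ("2022-05-02T18:30:00+00:00", 40.75012, -73.98025),  # 14:30 local, daytime
    ("2022-05-03T04:20:00+00:00", 40.73000, -73.99000),  # 00:20 local, elsewhere
    ("2022-05-03T06:00:00+00:00", 40.71232, -74.00560),  # 02:00 local
]

if __name__ == "__main__":
    print(night_cell(EXPORT, utc_offset_hours=-4))
```

Seven rows over two days are enough for one cell to hold 80% of the night-time pings, which is why limiting which apps receive location at all matters more than limiting how long any one app keeps it.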

According to a recent Vice report, a tracking firm called SafeGraph was selling location data that tracked devices that visited a Planned Parenthood, where they came from, and where they went. Vice also reported that another tracking firm, Placer.ai, was giving away free heat maps for Planned Parenthood visitors. In light of the recently leaked draft decision overturning Roe v. Wade and indications that a few dozen states plan to ban or severely restrict abortion access, the ability of shady data brokers to track visits to abortion clinics should clearly be prohibited.

There are many examples one can imagine of how tracking a person's location could create serious privacy, security, and real world safety concerns for individuals and businesses. But as mentioned previously, and it's worth repeating, in the US it is currently totally legal for data brokers to collect and share location information tracked from your phone. Until lawmakers act, individuals and businesses must take steps to do what they can to mitigate this serious vulnerability.

What can you do to protect yourself?

Your location data is like a genie in a bottle: once it's collected, there's no great way to delete that information or get it back from the data brokers. While protecting against all forms of smartphone location tracking is difficult, there are a few quick things you can do to better protect yourself.

Do not allow location access when apps ask permission

Unless absolutely essential for the app's functionality, consider completely turning off location sharing, especially for apps you rarely use. Even if an app asks you to share location data only when the app is in use, there are recent reports of apps not honoring that limitation. The popular Tim Hortons app misled users to believe location data would only be accessed while the app was being used, but in reality the app tracked location data every minute of the day. So regardless of what an app says, it's probably a good idea to give out location permissions very selectively.

To turn off location sharing for iOS devices see this Apple support page. https://support.apple.com/en-us/HT207092

To turn off location sharing for Android devices see the Google support page. https://support.google.com/accounts/answer/6179507?hl=en

Block SDKs and trackers across your entire device

Trackers embedded in websites, apps, and emails are able to correlate your location and device.

Virtual Private Networks (VPNs) allow users to mask their internet protocol (IP) address and encrypt device traffic. Since your IP address allows trackers to know your general location, in that sense VPNs can protect against location tracking, and they are typically used to avoid geo-restrictions, e.g., whether a Netflix user appears to be in Europe or the US. A VPN without tracker blocking will not prevent the type of embedded and in-app location tracking that is the subject of the reports discussed above.

Since 2011 Disconnect has been dedicated to helping people take control of their data and privacy by blocking unwanted tracking. Our solutions block thousands of invisible trackers including SDKs and domains associated with location trackers that are found in websites, apps, and emails. Check out our products to learn more about how we help protect individuals and employees against tracking.