Exposé Reveals Ongoing Smartphone Location Tracking Threats

Originally published at: Exposé Reveals Ongoing Smartphone Location Tracking Threats - TidBITS

Five years ago, the New York Times published an exposé on the location data tracking industry, which we covered in “The New York Times Reveals How Completely Our Every Move Is Tracked” (19 December 2019). Little has changed since then. At 404 Media, Joseph Cox now writes about Locate X, a tool from location broker Babel Street:

The demonstration, performed by a group of privacy advocates that gained access to the tool and leaked videos of it to 404 Media and other journalists, shows in the starkest terms yet how Locate X and other tools based on smartphone location data sold to various U.S. government law enforcement agencies, including state entities, could be used to monitor abortion clinic patients. This comes as more states contemplate stricter or outright bans on abortion.

The videos also show that while Apple and Google have taken steps either to stymie the flow of location data in general, or remove sensitive locations like abortion clinics from their own banks of data, the highly sensitive movements of visitors to clinics or essentially any other location are still exposed on a massive scale and finding their way into tools used by U.S. law enforcement. Through a complex data supply chain involving apps or ads on a phone, people’s movements are included in Locate X as a side-product of the mobile advertising system.

It’s not just law enforcement. The privacy advocates gained access to Locate X merely by saying they were “contemplating some government contract work,” and a private investigator source told 404 Media that similar capabilities are available in his industry.

Although Cox chose to focus on the hot-button topic of tracking people seeking or assisting with abortions, the privacy advocates exposing Locate X’s capabilities also showed it identifying devices belonging to jurors by linking them to a reserved parking lot, finding devices that appeared repeatedly at a synagogue in Los Angeles and a mosque in Dearborn, and collecting location data on children at a Philadelphia school. By tracking a particular device to known locations, Locate X could be used to stalk individuals.

According to Brian Krebs of KrebsOnSecurity, the privacy advocates confirmed this stalking capability by working with the consent of several individuals, including police officer Justyna Maloney. She faced online and physical harassment after interacting with a social media personality who posted a selectively edited video of the encounter. Her iPhone had nearly 100,000 hits in Locate X’s database, all seemingly triggered by an app from the department store Macy’s, which uses geolocation to provide “an enhanced shopping experience.” Macy’s said it has no direct relationship with Babel Street but shares the data with “a limited number of partners,” at least one of whom shared the data with Babel Street.

As much as we desperately need legislation to bury this industry, Apple and especially Google must do more to protect users, including their employees. How many devices in Locate X’s database can be tracked to Apple Park and the Googleplex?

4 Likes

If no app in Settings > Privacy & Security > Location Services is set to Always, and the only app with the grey or purple arrow (indicating recent location use) is Wallet, does that mean I’m reasonably secure from location tracking threats?

And Ric Ford (MacInTouch) just posted a link to this story:

The 404 was in my mail this morning - disturbing. Drew my attention to the iOS “Privacy & Security / Tracking” setting on my new iPhone, which of course, was “Allow Apps…” by default. The only comfort was that it did not list any apps that had asked for permission.

Thanks again, Adam, for the earlier tip about 404.

1 Like

Mine was off by default.

There are very, very few apps that I allow precise location on my phone.

Some sources of MAID data can be apps on your phone such as AccuWeather, GasBuddy, Grindr, and MyFitnessPal that collect your MAID and location and sell that to brokers.

I have been warning people about using AccuWeather, Weather Underground, and really any other weather app with precise location tracking unless you are absolutely sure that the vendor does not sell location data of its users - even anonymously. I’d often read about the terrible privacy policy of GasBuddy as well. So many weather apps I believe get most of their revenue not from ads or subscriptions but instead from selling data about their users.

The only weather apps I use are Apple’s stock weather app (not the greatest, but generally good enough for a widget), Carrot Weather, and I am testing Hello Weather’s next app. I won’t even bother installing a weather app that doesn’t have a clean app tracking policy in the App Store.

1 Like

I’d say a lot depends on what you consider to be “reasonable”. For example, somebody who is a public figure or a political dissident probably wants much stricter management of location tracking than, say, a college student. In any case, apps are only one source of location data. Cell phone carriers and, yes, Apple itself are not affected by the restrictions in Settings.

Having set up a new phone in the last six months, where I had turned that setting off on my old phone, I am about 99% certain that the default is to have the option on, as it is turned on for the new phone (and the option is to allow apps to ask - it does not allow apps to track without the user specifically answering that it is allowed.)

I’ve left it on to see how often I get asked. I always say no. I may just turn it off to save myself the trouble.

1 Like

This phone is two weeks old (iPhone 16) and the setting was off by default.

I wonder if it depended on the setting of the phone it was migrated from? My old phone may have had it on, I might have thought it can’t hurt to let them ask? Not feeling that way now.

2 Likes

Just to find out, I factory reset and set up my spare iPhone from scratch, logging in to a different Apple ID than my primary. This was the default.

I imagine that restoring or doing a quick start from an older phone brings this setting from what was on the older phone.

3 Likes

Interesting! Thanks for the investigation.

Settings > Privacy & Security > Tracking is not related to location tracking.

Ars Technica has a good summary as well.

I went through all my apps - none were Always, but I had a bunch that I deleted (old or no longer useful). The fewer the options the better.

1 Like

Yes, but allowing tracking for apps gives these apps access to your unique advertising ID, and along with location access (and background app activity), it could allow the apps to report when you have been in a particular location.

3 Likes

The FTC is taking action against Venntel, the company that provided location data for tools like Babel Street’s Locate X. The proposal would prohibit Venntel from selling, disclosing, or using sensitive data, which would include information about individuals’ visits to health-related locations and places of worship. It’s a step in the right direction.