Originally published at: Protect Yourself Against Location Tracking Abuses - TidBITS
News broke last week that a company has been tracking millions of smartphone users over long periods of time without any opt-in permission or notification, potentially violating state and federal laws in the United States and putting vulnerable people at risk (see “Exposé Reveals Ongoing Smartphone Location Tracking Threats,” 23 October 2024). This reported behavior by Babel Street’s Locate X makes me livid! Many of our online actions chip away at our privacy, but most are optional and offer something in return. Sometimes, we’re even told explicitly how our information might be used and can opt out or switch services. You can choose to swap the likes of Facebook, Instagram, and X/Twitter for Bluesky or Mastodon, and if you don’t want Google to see your Web searches, there’s always Brave Search, DuckDuckGo, Kagi Search, and Perplexity.
But no one intentionally shares their location with Babel Street; no one has granted permission in any way that could be construed as allowing it. I doubt any but a handful of people in specialized fields and law enforcement even knew who Babel Street was before last week. Although the company wouldn’t tell reporters how it comes by all its location data, it likely acquires it from the many data brokers that assemble the information from apps that track us. In short, we have no relationship with Babel Street, we’ve never given it permission to traffic in our location data, and we gain nothing from them. So how does this all happen?
Here’s where things get murky. To avoid uniquely identifying smartphones, Apple and Google use something called a Mobile Advertising ID (MAID) on iPhone and Android phones. MAIDs are unique, randomly generated, and don’t have to be persistent. Most importantly, they were supposed to be disentangled from personal identity, enabling advertising companies to distinguish individuals without relying on information such as a phone number or email address. The idea that a MAID can be kept separate from its user’s real-world identity turns out to be a fantasy. As Brian Krebs notes in his in-depth article about Locate X, there’s an entire industry devoted to selling “device graph data” that links people and devices.
Until iOS 14, Apple allowed users to reset the MAID, which the company calls the Identifier for Advertisers (IDFA), generating a new, random, but still unique ID. In that version of iOS, Apple removed the option to reset the MAID but added App Tracking Transparency, which required apps to ask for user permission before tracking their data across apps or websites owned by other companies (see Glenn Fleishman’s “Apple Unveils Stringent Disclosure and Opt-in Privacy Requirements for Apps,” 7 January 2021).
App Tracking Transparency seems to help, as the consumer privacy company exposing Locate X estimated they could locate roughly 25% of iPhones but 80% of Android phones. However, it’s not as effective as it could be. A study from Lockdown Privacy found that turning down apps’ requests to track made no difference in the number of active third-party trackers and had a minimal impact on the total number of third-party tracking connection events. Plus, a paper from security researchers at the University of Oxford said:
“However, the number of tracking libraries has – on average – roughly stayed the same in the studied apps. Many apps still collect device information that can be used to track users at a group level (cohort tracking) or identify individuals probabilistically (fingerprinting). We find real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code, thereby violating Apple’s policies.”
Despite the workarounds that scummy data brokers have found, you can still take three affirmative steps to protect your privacy while Apple works on its next generation of privacy lockdowns.
First, in Settings > Privacy & Security > Tracking, either turn off Allow Apps to Request to Track or, if you want to see which apps are evil, leave it on and manually block every app that requests permission to track you. (With prejudice and obscenities.) Even if App Tracking Transparency isn’t perfect, it’s a step in the right direction, appears to have a noticeable impact, and can only make things harder for the data brokers.
Second, go through every app in Settings > Privacy & Security > Location Services and reduce the location access to the minimal level necessary. If you’re unsure, choose Ask Next Time or When I Share.
What counts as the “minimal level necessary” varies by app. Navigation apps need location access to work at all. Camera apps need it to geotag your photos. Many other types of apps have legitimate reasons for accessing your location; they should explain that appropriately in their detail screens. When in doubt, remove permission and see if an app stops working or complains about its tracking capability. (Developers often use so many third-party libraries that they don’t even know why all the permissions are requested, and such permissions often aren’t core to an app’s purpose.)
There are six settings for location access:
- Never: Choose Never for any app with dubious explanations of why location access is requested. Canon Print app, take a flying leap. “Enabling the use of precise location information may help when trying to solve printer connectivity issues.” No, it won’t.
- Ask Next Time or When I Share: If you’re unsure if you want to allow or deny location access for an app, select this option. You’ll get a prompt the next time the app wants your location, enabling you to make an informed decision based on your actions. I’ve set most of my apps to ask the next time they want access so I can be sure the reason is legitimate.
- While Using the App: For nearly all apps for which you want to allow access, choose While Using the App. It’s entirely reasonable that a location-requiring app be allowed to determine your location while you’re using it.
- While Using the App or Widgets: This option only appears for apps with widgets; choose it only if you use a widget that needs location access.
- Always: Limit Always access to the very few apps you want to provide location-based notifications whenever the app generates them. The only app to which I grant Always access is CARROT Weather, so it can notify me about incoming storms.
- Precise Location: If you allow location access for an app, turn on this switch only if the app needs your location within a radius that various sources claim is between 5 and 60 meters (15 to 200 feet). An Uber or Lyft driver will need to know where to pick you up, for instance, so those apps should have Precise Location turned on, as should navigation and camera apps. For most others, turn off Precise Location. Your approximate location—sources suggest a variable radius between 4 and 20 kilometers (2.5 to 12 miles)—is sufficient to locate you in the right part of the world.
If you’re on the fence about whether or not to grant location access to an app, you have one more way to determine if doing so will leak your location to data brokers: check the app’s App Privacy disclosures and read its privacy policy.
Take the NBC Sports app. It claims to need location access to show the correct live stream for your city. That sounds plausible (and is, in fact, true), but its App Privacy section on the App Store reveals that it will also track your location. Reading its linked privacy policy clarifies that NBC absolutely plans to sell you to data brokers. I couldn’t care less about live streams, so I relegated NBC Sports to Never. With prejudice and obscenities.
Third and finally, while you’re in Settings > Privacy & Security, look through the apps that have requested permission to use Bluetooth and Local Network. Apps can use these permissions, particularly Bluetooth, to engage with other devices for location and tracking purposes. Revoke permissions for any app that doesn’t obviously require them. At worst, the app will ask you again later. I can’t see why NBC Sports would need Bluetooth permissions (nor can I imagine having granted them, which makes me wonder how it was enabled by default).