The notion that governments and corporate giants are capable of exercising their technological might in order to monitor the behavior of ordinary people is nothing new. However, the notion that smaller, lesser-known companies — whose sole purpose is to collect, analyze, and resell location data — are doing precisely the same thing using smartphone tracking technology seems to be something entirely new indeed.
Strong evidence of mass smartphone tracking taking place on an unparalleled scale first hit the press back in December 2019, when the New York Times published an exposé on the subject as part of its ongoing Privacy Project. According to Opinion section writers Stuart A. Thompson and Charlie Warzel, who combed through a leaked data set dating back to 2016 and 2017, concerns around smartphone tracking have gone significantly underreported.
The data set, which included more than 50 billion location pings from 12 million people across the United States (US), revealed a trail of surveillance at the hands of location data companies. These companies — which include the likes of Foursquare, Skyhook, and Cuebiq — use location pings given off by smartphones in order to track their users. By providing consent to phone apps, users of mobile phones allow their location to be accessed, oftentimes without an understanding of where their personal information will end up. In turn, this allows data companies to track unwitting users by means of their smartphone’s GPS sensors and Bluetooth signals.
In effect, this leads to a person’s cell phone becoming their permanent tracking device.
Smartphone tracking takes off
This is a phenomenon which has far-reaching implications. Google Maps, for example, is the most popular location-based app on the globe, clocking in at over one billion users in total. As a company, Google itself is probably not actively committing espionage on its users via smartphone tracking. However, Google does use sophisticated web infrastructure, known as a software development kit (SDK), built into a device’s operating system, to more easily receive user data such as location data.
In essence, smaller companies and phone apps are able to “piggyback” off of this type of SDK infrastructure, and subsequently sell the relevant data to location data companies, who in turn analyze it and resell it on to advertisers.
The New York Times report goes on to suggest that a considerable proportion of the location data companies in question do, in fact, end up reselling the analyzed location data to advertisers and marketing technology (‘MarTech’) companies — an industry that has witnessed a near 5,000% growth in the number of companies since 2011.
Although many location data companies claim that the data they collect is not resold, there is little doubt that in many cases, it is. This arises from the industry being largely self-regulated, owing to the fact that there are no federal laws in the US that govern the manner in which companies ought to operate regarding smartphone tracking technology.
In the European Union (EU), the General Data Protection Regulation (GDPR) — which came into effect across all member states in 2018 — introduced new privacy protection measures which extend to companies that make use of smartphone tracking. These measures are designed to make it obligatory for companies to clearly stipulate how location data is going to be used in order for smartphone users to be able to provide consent. At this point, however, it is unclear as to whether or not the GDPR has had any significant effect on smartphone tracking by companies within the EU.
The flip-side of location data
According to Thompson and Warzel, the most severe concern with the location tracking activities of data companies relates to the precedent that is being introduced. Smartphone tracking and data collection by small, unregulated firms pose a range of potential risks, even if the firms in question are indeed as benign and virtuous as they claim to be.
Location pings that are used by data companies — although anonymous in theory — can be used to track with pinpoint accuracy the real-time whereabouts, routes, habits, and behaviors of smartphone users. With this information already on the table, it takes only a small amount of detective work to be able to piece together a picture of a person’s real-world identity, as the New York Times reporting clearly demonstrates.
This is a territory that comes with considerable risk. Should such information be bought, hacked, or strong-armed away from data companies by hostile actors, it can be used to reveal sensitive real-time information about the precise location of private individuals and public officials alike. And due to the lack of regulation in the industry at present, there is little to bar a location data company from doing whatever it pleases with the information it obtains.
In essence, the risk faced by ordinary people is further amplified by the uncharted waters in which data companies find themselves operating. The question for policymakers then becomes one akin to a balancing act: finding the line between consumer privacy and market freedom, based on the understanding that companies which profit from sensitive information of this nature cannot, in all cases, be reasonably expected to limit themselves. Only with this understanding can effective steps to protect user privacy be taken.