Location Data Mishandling — A Reading List – FOAM

At FOAM we’ve been closely monitoring the news for examples of location surveillance gone wrong: what it looks like when the seams of this relationship between platforms and users tear open and give us a brief look into its extractive inner workings.

The tricky thing about news cycles is that they make it seem like data mishandling occurs in isolation; a groundbreaking report reveals this one app had opaque TOS around GPS usage, or a viral tweet shows how this one feature on a social media platform logged and shared IP addresses. But after tracking similar stories for several years now, what we’ve seen are not just individual data breaches, but an entire sector that depends on distancing users from understanding the extent to which they are being tracked.

Thankfully, media outlets seem to be picking up on the systemic nature of the issue, especially in a post-Cambridge Analytica era. Matter of fact, there are so many reports of data mishandling that it is actually starting to become difficult to wade through and make sense of. Just in the past two months, not just Google, but nearly every tech giant has been implicated in some version of a data collection abuse.

And so we thought it would be a good idea to write this post as a way of providing a high-level overview and jumping-off point for the most significant of these findings.

We’ll start with the report of 2018 that made unquestionably the biggest splash — The NY Times’ investigation, “Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret.”

Your Apps Know Where You Were Last Night, and They're Not Keeping It Secret
The millions of dots on the map trace highways, side streets and bike trails - each one following the path of an… (www.nytimes.com)

The reason this piece grabbed everyone’s attention is two-sided. For starters, it contained all the elements that we have become familiar with in these location-data mishandling cases — ambiguous handoffs, poor permissions, widespread impact, and little accountability — and as such was a nice singular case study for readers to weigh all these factors at once. The story itself was probably what made the piece, though. The premise of the article is sort of a dark bounty-hunting test that asks a simple question: Can anonymized geolocation data be retraced and monitored closely enough that you can actually link a moving ‘blue dot’ on the map back to an individual? The answer, unsurprisingly, was yes.

The privacy risks of compiling mobility data: Merging different types of location-stamped data can…
A new study finds that the growing practice of compiling massive, anonymized datasets about people's movement patterns… (www.sciencedaily.com)

If the NY Times article provided a personal anecdote that location data can be de-anonymized, this article by researchers at MIT proves in a more academic setting that this practice can be conducted on a wide scale.

I Gave a Bounty Hunter $300. Then He Located Our Phone
Nervously, I gave a bounty hunter a phone number. He had offered to geolocate… (motherboard.vice.com)

The next blockbuster piece of reporting (that actually triggered 15 senators to demand an investigation into its findings) was from Motherboard, which asked a question similar to that of the Times investigation. If you wanted, could you track a random individual’s phone location using readily available tools, services, or information? As the title of the article suggests, its reporting found that given just a modest amount of cash, you can essentially hire a bounty hunter to malevolently use first responder location services (provided by telecoms) to accomplish this.

Facebook Filed A Patent To Calculate Your Future Location
The methods described in three Facebook patent applications use your historical location data - and others' - to… (www.buzzfeednews.com)

So far these two reports have been about downstream data mishandling — what happens several steps after the origin protocols capture and digest location data before selling it off to third parties. So are the upstream players responsible for malfeasance as well? Sadly, they might be the biggest culprits.

Here, in a report by BuzzFeed, we see the pervasive desire of not just Google, but also Facebook, to capture as much information as possible about our location. They are not only interested in where we are in the present, but also in the future.

Google's Sidewalk Labs Plans to Package and Sell Location Data on Millions of Cellphones
Most of the data collected by urban planners is messy, complex, and difficult to represent. It looks nothing like the… (theintercept.com)

Ah, Sidewalk Toronto. Everyone’s favorite smart city. There have been many strong reactions from urbanists and Toronto residents throughout the past year of developments from this ambitious and controversial Alphabet project. In this report The Intercept did a good job of cutting past the tensions and bringing focus to a very concrete location surveillance tool being considered for the project.

AT&T says it'll stop selling location data amid calls for federal investigation
AT&T said Thursday that it will stop selling its customers' location data to third-party service providers after a… (www.philly.com)

So if malpractice is now being found around data capture both upstream and downstream, what is being done about it? After the Motherboard investigation linked above, AT&T and other cellular providers responded by making steadfast claims that they would end the selling of location data from their phones.

“In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services — even those with clear consumer benefits,” AT&T said in a statement. “We are immediately eliminating the remaining services and will be done in March.”

This is no doubt a step in the right direction, but is it really what we’re asking for as consumers? Especially considering that the use case in question was about the type of location services used by first responders that have potentially life-saving benefits. What this statement might have revealed is that consumers don’t think that all location services are bad. We don’t want the GPS on all of our phones turned off. Instead we want better-designed protocols that facilitate trust and incentivize the consensual handing off of location data when necessary.

A Map That Tracks Everything
Blockchain-based mapping hopes to replace GPS. Can it be trusted? Cryptocurrencies have had a rough year. Bitcoin has… (www.theatlantic.com)

This is why FOAM has been tracking these location data abuses so closely, because we think that we can design an alternative that can solve many of the problems present in our old location data protocols. You can read our white paper to get the deepest dive on why we think this, but this article recently published by The Atlantic does a good job of covering the basics.

The argument comes down to handoffs. When a location protocol is designed to be bidirectional — meaning that the end device speaks to the service provider, and vice versa — you can include checkpoints that ensure the subsequent location data handoff is in fact what the end device’s user desires. It’s not a stomping out of location data capture, it’s a refinement of the model that allows for the best of both worlds.

Similar Articles:

After broken promise, AT&T says it’ll stop selling phone location data


Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret


Google confirms it tracks users even when 'Location History' setting is disabled


Sprint to Stop Selling Location Data to Third Parties After Motherboard Investigation
