Thursday, December 19, 2019

Twelve Million Phones, One Dataset, Zero Privacy

Stuart A. Thompson and Charlie Warzel (MacRumors):

[The data] didn’t come from a telecom or giant tech company, nor did it come from a governmental surveillance operation. It originated from a location data company, one of dozens quietly collecting precise movements using software slipped onto mobile phone apps. You’ve probably never heard of most of the companies — and yet to anyone who has access to this data, your life is an open book. They can see the places you go every moment of the day, whom you meet with or spend the night with, where you pray, whether you visit a methadone clinic, a psychiatrist’s office or a massage parlor.

The Times and other news organizations have reported on smartphone tracking in the past. But never with a data set so large. Even still, this file represents just a small slice of what’s collected and sold every day by the location tracking industry — surveillance so omnipresent in our digital lives that it now seems impossible for anyone to avoid.


The companies that collect all this information on your movements justify their business on the basis of three claims: People consent to be tracked, the data is anonymous and the data is secure.

None of those claims hold up, based on the file we’ve obtained and our review of company practices.

Yes, the location data contains billions of data points with no identifiable information like names or email addresses. But it’s child’s play to connect real names to the dots that appear on the maps.


Update (2019-12-26): John Gruber:

What do we do about it?

Legislation? Make the collection of this sort of data highly-regulated? Is that even feasible with an internet that spans the globe?

Technical? Is there something Apple and Google can do?

I think Apple should empower users to see and control what apps do. Many apps don’t need network access for their core functionality. I should be able to block them from connecting, like I can with Little Snitch on the Mac. Other apps need the network to sync with iCloud, but I want to be able to enforce that’s all they’re doing—not accessing other sites or public CloudKit databases. For apps that need more connections, I should be able to see what servers they’re connecting to, and how often. This is not a solution, but it’s a first step. For example, having this information would make it possible to shame apps that are not well behaved. And apps that work well without making connections could be promoted, e.g. like games that don’t require IAPs.

Update (2019-12-27): John Gruber:

The Times needs to come to grips with the fact that they are a player in this racket.

4 Comments RSS · Twitter

The ability to prevent mass-tracking like this is one of the few legitimate advantages a strictly controlled app store can claim to provide for customers. Highly disappointing that Apple is either failing or choosing not to control this despite enforcing so many other rules. Particularly with their recent emphasis on privacy as well.

Not just phones, but vehicles, too!

But also have rules in place that make it impossible to artificially cripple apps if you decide to opt out. Right now there are a lot of apps out there that don’t technically require all the things they ask of the user, but if you block them, the app becomes unusable.

The Lockdown App ( blocks outgoing traffic to specified domains. I've had active for months now and it's staggering the amount of blocked connections that are caught on a daily basis. It's coming to the mac too.

Leave a Comment