A New York Times feature on Monday offers some unsettling information about the location data being captured, shared, and stored by some iOS and Android apps.
The publication was able to identify specific users by viewing their location patterns. The investigation found one iOS app was sending exact location information about users to 40 different companies.
Although location information is supposed to be anonymous, but the paper found that it could track location movements precisely enough to identify an individual user, learning an alarming amount of information about the user.
[One phone] leaves a house in upstate New York at 7 a.m. and travels to a middle school 14 miles away, staying until late afternoon each school day. Only one person makes that trip: Lisa Magrin, a 46-year-old math teacher. Her smartphone goes with her.
An app on the device gathered her location information, which was then sold without her knowledge. It recorded her whereabouts as often as every two seconds, according to a database of more than a million phones in the New York area that was reviewed by The New York Times. While Ms. Magrin’s identity was not disclosed in those records, The Times was able to easily connect her to that dot.
The app tracked her as she went to a Weight Watchers meeting and to her dermatologist’s office for a minor procedure. It followed her hiking with her dog and staying at her ex-boyfriend’s home, information she found disturbing.
“It’s the thought of people finding out those intimate details that you don’t want people to know,” said Ms. Magrin.
The report indicates that Magrin’s location was recoded an average of once every 21 minutes over a four-month period. All that data was being retained by the apps.
Although companies may not be targeting specific individuals, the data provides an opportunity for mis-use.
Those with access to the raw data — including employees or clients — could still identify a person without consent. They could follow someone they knew, by pinpointing a phone that regularly spent time at that person’s home address. Or, working in reverse, they could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there.
In addition, the NYT found the apps’ privacy explanations were “often incomplete or misleading.” Even an IBM-owned entity, (The Weather Channel) was found to be sharing its app’s users’ location data with hedge funds, without informing users.
The full feature is recommended reading.