For years, companies in and around the wireless industry have pre-empted privacy concerns by claiming that users' location data is secure and "anonymized."
The word "anonymized" means that you shouldn't be able to track individual users via the location data derived from cellphones.
But a new report from the New York Times completely blows that argument out of the water.
Using data obtained from an unnamed source comprising 50 billion location data points across 12 million Americans collected from 2016 to 2017, the publication was able to discern an enormous trove of very specific, distinctive information on identifiable users -- basically the exact opposite of "anonymous."
- "In one case, we identified Mary Millben, a singer based in Virginia who has performed for three presidents, including President Trump," wrote the Times Opinion editors.
- "We spotted a senior official at the Department of Defense walking through the Women's March, beginning on the National Mall and moving past the Smithsonian National Museum of American History that afternoon. His wife was also on the mall that day, something we discovered after tracking him to his home in Virginia. Her phone was also beaming out location data, along with the phones of several neighbors," they wrote.
- "In one case, we observed a change in the regular movements of a Microsoft engineer. He made a visit one Tuesday afternoon to the main Seattle campus of a Microsoft competitor, Amazon. The following month, he started a new job at Amazon. It took minutes to identify him as Ben Broili, a manager now for Amazon Prime Air, a drone delivery service," they noted.
The NYT did not reveal exactly where it obtained its data. "The sources of the information said they had grown alarmed about how it might be abused and urgently wanted to inform the public and lawmakers," the editors wrote. But the publication rightly noted that dozens of companies play in this space, including companies that are relatively well-known in the wireless industry: Tutela, Foursquare, Skyhook, Groundtruth, Reveal Mobile and others. Such companies either collect data directly from users, like Foursquare, or insert tracking software into other apps, like Tutela. Some companies keep the location data they collect internal, while others sell it for things like advertising.
And this is all completely legal, by the way. "By law, companies need only describe their practices in their privacy policies, which tend to be dense legal documents that few people read and even fewer can truly understand," the NYT notes.
What this means
This all undoubtedly comes as no surprise to most executives in the wireless industry. Nor is it likely to surprise many regular cellphone users, considering they often must overtly agree to share their location information with individual smartphone apps.
Indeed, it probably won't even cause much of a stir, given some other dramatic news events that have happened just this week alone.
But what it does do is again shine a light on the fact that users' cellphone location data just doesn't seem all that secure or anonymous. After all, earlier this year, several publications reported on a hack into the website of a company called LocationSmart that allowed anyone to obtain real-time location information for any mobile device from AT&T, Verizon, T-Mobile and Sprint.
And then, just a few months later, an investigative report from Motherboard found that LocationSmart was selling data from T-Mobile, AT&T and Sprint to a company called CerCareOne, which was then selling that data to bounty hunters and bail bondsmen.
Partly as a result of these discoveries, wireless network operators have indicated they stopped sharing real-time location data with data aggregators like LoctationSmart.
Yet here we are again, with more evidence that our location data is neither secure nor anonymous. Indeed, NYT was able to use its data to find the homes of two police officers who dealt with protesters on Inauguration Day.
Such reporting only further raises concerns about companies like AT&T, which openly touts its ability to track users across its wireless, wireline and streaming video services via its Xandr advertising business. "Mobile, TV and broadband customer relationships create a holistic view of consumers and their various touchpoints," the company boasts on its website. "By continually cleansing and normalizing IDs across channels we maintain a high-quality data set. This process provides deterministic household and device mapping with the ability to add probabilistic scoring to expand reach."
In plain English, that means AT&T knows what its customers are doing and what they'll probably do next.
Let's just hope that those Xandr "data sets" are stored in a secure locations, and that Xandr employees are well paid. After all, AT&T has a history with unsecured user data and employees stealing and selling personal information on its customers.
Concludes the NYT: "The companies profiting from our every move can't be expected to voluntarily limit their practices. Congress has to step in to protect Americans' needs as consumers and rights as citizens."