Like many people the world over, you’ve probably used GPS before. You may even have used it today, navigating your way to work with Google Maps. Our smartphones can precisely pinpoint our location, allowing us to get everything from local news, to restaurant reviews, in a matter of seconds.
But this convenience comes at a cost: privacy. The companies who provide so-called free services are constantly mining the data generated by your devices, and not to your benefit. Smartphone location tracking is one of the ways they collect your data.
1. Location Tracking After Watching Movies
MoviePass is a movie ticketing subscription service, offering members the chance to see one non-3D movie a day for just $9.95 per month.
The service was first launched in 2011, but really began to gain traction after the appointment of former Netflix executive Mitch Lowe as CEO in 2016. They began to experiment with Netflix-style tiered subscriptions, with a premium tier offering access to 3D movie screenings too.
Netflix’s phenomenal success is often credited to its use of big data, and Mitch Lowe was quick to import this into his new role.
While MoviePass has data-sharing agreements with theaters about how tickets are used, in March 2018, Lowe claimed that the company had added a new string to their bow: background location tracking. During a keynote at the Entertainment Finance Forum, Lowe said:
“…we watch how you drive from home to the movies. We watch where you go afterwards, and so we know the movies you watch. We know all about you.”
After a week of not-entirely addressing everyone’s concerns, Lowe eventually issued an open letter, where he explicitly stated MoviePass does not and has not used background location tracking. He also took the opportunity to reiterate that “we take customer privacy extremely seriously”, which may be hard to take at face value given his comments during the keyote.
2. Location Tracking When Ordering Food
Finding yourself nominated for the office coffee run can be a pain, having to remember everyone’s orders then spending countless minutes reciting the order to your server.
Ritual, the food ordering app, helps you out by letting you only order ahead for yourself and allowing others to piggyback on your order so that only one person needs to go and pick up. To get started, all you need to do is join a corporate team, add a floor and location in your office, and you’ll get push notifications every time someone in your team places an order.
Bad data privacy: On the "social [meal] ordering app" Ritual, you can join any company without email verification and see which office floor users work on at places like @DHSgov, @LockheedMartin, @PalantirTech, and the Pentagon. pic.twitter.com/fZrwPCGJaw
— Caitlin Tran (@caitlinsays_) March 16, 2018
The thought might have crossed your mind that Ritual sounds like the perfect way to usher in a new era of office dining… except for one small problem.
As Caitlin Tran pointed out, you can join any team without verifying that you actually work there. This lets you see who works for which companies, in which offices, and their exact location in the office.
Tran was able to join corporate teams of government agencies, including the US Department for Homeland Security, and the Pentagon. Instead of being an incredibly convenient tool for the office, Ritual turns out to be a social engineer’s dream.
3. Location Tracking After Leaving an Uber
Uber is the ride-hailing app that everyone loves to hate, and for good reason. They have been embroiled in more controversy then almost all of their peers since they launched in 2009.
However, their potentially illegal and unethical business practices did manage to secure them a market-leading position, and by 2015 Uber had completed its one billionth ride. Uber also reported that in October 2016, 40 million riders used their service in a single month.
In late 2016, Uber introduced a new feature to their app, enabling them to track customers for a full five minutes after the ride had ended. Understandably, Uber’s users were not altogether pleased about this change, given that Uber was already one of Silicon Valley’s most controversial and least trusted companies.
The Electronic Frontier Foundation (EEF) even filed a complaint to the Federal Trade Commission (FTC) over the change. Uber’s response was that as they technically asked users to opt-in to this change, they were operating within the law.
However, Uber’s aggressive business approach finally backfired on the company in 2017. Investors piled onto then-CEO Travis Kalanick after a series of legal troubles hit the company. This led to Kalanick being forcibly ousted from the company, and replaced by Expedia’s Dara Khosrowshahi.
Khosrowshahi had the unenviable task of regaining the public’s trust. One of the first decisions he took was to put an end to post-ride location tracking. This was a seen as a victory by privacy advocates and the wider-public. However, its still unclear how much data was gathered during their year-long experiment, and whether it’ll ever be deleted.
4. Location Tracking While Exercising
Smartphones have many uses, but one of the most popular is to monitor our exercise routines. Stand-alone fitness trackers have security problems of their own, so many people choose to stick to app-based trackers instead.
The fitness-tracking app Strava is among the most popular, using your phone’s GPS to log your daily exercise. It is estimated that over 8.5 million of us have signed up to their fitness tracking service. We collectively generate a lot of data through the app, especially information about where we choose to exercise.
Towards the end of 2017, Strava updated their global heatmap with one billion public activities tracked through the app. This was gleaned from 10 terabytes of data, and accounted for a total tracked distance of 27 billion km. The heatmap is an interesting look into how and where we work out across the world.
Well, it was, until security researcher Nathan Ruser showed just how easily the heatmap exposed the workout routes near military bases around the world.
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
Of course, Strava didn’t expose the locations of military bases; Google Maps did that. However, all exercises tracked in Strava are public by default, unless you intentionally opt-out. This leads to many users mistakenly, or unknowingly, sharing all their workout information with the world.
Knowing exactly where military personnel workout is clearly a security problem. However, public-by-design location tracking also puts your own security at risk.
How to Protect Your Location-Based Privacy
Of course, these privacy-eroding behaviors may not surprise you. After all, you’ve heard the phrase “if you’re not paying for it, then you are the product” often enough. That doesn’t prevent people holding the reasonable expectation that their private data will remain that way.
Unfortunately many companies don’t see it that way. All data is theirs to do with as they please. Some people don’t see this as a problem as you do have a choice whether to use the app. For many though, the idea that their every move is being surveilled is off-putting at best.