Your mobile data sold, without your knowledge
translate.googleusercontent.comThe article assumes that the location data must have been collected because he gave an app permission to access his location. I bet they couldn’t figure out which app it was because it wasn’t an app.
Cell service providers can and do track your cellphone location. All they have to do is measure the signal strength of your cellphone at different towers, and they can triangulate its position.
https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hu...
I’m not familiar with other locations, but in the US, you only have the choice between three cell service providers. All of them admit to selling their own customer’s location data to third parties in their Privacy Policies.
AT&T https://about.att.com/csr/home/privacy/full_privacy_policy.h...
Verizon https://www.verizon.com/about/privacy/full-privacy-policy
T-Mobile/Sprint https://www.t-mobile.com/privacy-center/our-practices/privac...
Remember, you’re paying for these services. But they still sell you out.
I seriously recommend you read the privacy policy for your provider. It seems they collect as much data as possible (not just location, also browsing history and a whole host of other metrics) and share it with as many different parties as possible.
If you are using a cellphone, your location is being tracked. Period. You can’t avoid it. Even TOR isn’t gonna help you.
> The article assumes that the location data must have been collected because he gave an app permission to access his location. I bet they couldn’t figure out which app it was because it wasn’t an app.
I worked on this story (and the others, we're still publishing [1] [2]).
The dataset we bought from Tamoco didn't contain an app name for most of the data. So instead of guessing, we're open about the fact that we don't quite know. Which is sort of the issue here – there's not a lot of transparency around what is collected and by whom.
The Norwegian Data Protection Agency (DPA) has opened an investigation into Tamoco [2] after our first story, and they want to cooperate with the UK DPA.
[1] https://translate.googleusercontent.com/translate_c?depth=1&...
[2] https://translate.googleusercontent.com/translate_c?depth=1&...
You should search the dataset for government building coordinates to deanonymize politicians and that ought to really be a scandal worthy of legislation against mobile tracking once you air their dirty secrets e.g. suspected infidelity, leisure trips to brothels, etc.
It could be an app - we've had startups approach us to sell location data collected from apps so I wouldn't rule anything out at this point.
Feel free to contact me if this is something you want to talk about!
> I worked on this story
Having access to original NRK data, is it possible to deanonymize more people (try to check your home address, NRK HQ, etc), and ask them for a list of installed apps to check if all have one in common? Although it's questionable from privacy point of view, so probably better to pursue it in legal ways.
> is it possible to deanonymize more people
There are more stories coming in the next days and weeks which will touch more on this topic.
I’m cautious about what apps and services get access to my location and I feel like I have good control, but I don’t really have any idea of how carriers like Telenor and Telia handle my location data. Are you planning to touch on this or investigate it in the upcoming articles?
Not at this point, no. We went into detail on Telia and Telenors analytical platforms last year, though. Should still be up to date: https://nrkbeta.no/2019/10/11/telia-og-telenor-selger-analys...
From Verizon:
>We may de-identify or aggregate information so that Verizon or others may use it for business and marketing purposes. For example, the data we aggregate might be used to analyze, personalize and improve our services, to provide business and marketing insights to others and to help make advertising more relevant to you. You have choices about some of these uses
From AT&T:
>Equipment Information includes information that identifies or relates to equipment on our networks, such as type, identifier, status, settings, configuration, software or use. Location Information includes your street address, your ZIP code and where your device is located. Location information is generated when the devices, Products or Services you use interact with cell towers, Wi-Fi routers, Bluetooth services, access points, other devices, beacons and/or with other technologies, including GPS satellites. [...] We may share information with AT&T affiliates and with non-AT&T companies to deliver or assess effectiveness of advertising and marketing campaigns
That kind of triangulation is nowhere near precise enough to reveal the data shown in the article. This is GPS data which the provider does not get.
Remember that many people ‘have nothing to hide’ so they turn on services like Google Latitude. Then later they’re al surprised when their data is sold to the highest bidder.
>>> That kind of triangulation is nowhere near precise enough to reveal the data shown in the article.
Here, have a read at this article on how cell phone operate and how to track them. Wrote that a few years ago.
https://thehftguy.com/2017/07/19/what-does-it-really-take-to...
And the HN discussion, where developers admit they've been developing that for real for years: https://news.ycombinator.com/item?id=14803443
Your link describes accuracy in an imaginary, optimal case to be ‘can see which block you’re in’.
Sorry, that’s not even close to the data they show in the article, where they can pinpoint the cage someone is watching in a zoo.
Makes sense of course, otherwise, why even have a GPS receiver in the phone?
This describes how mobile communication work, since mobiles appeared in the 1990s. The phone network has to have (at least) block level accuracy on every phone, otherwise it doesn't work.
Of course it can do much better than that (building level is definitely trivial). The previous comments thread on Hacker News has more details, including some explanations on correlating movements of people to trace every individual one came across and the relations they have. Scary stuff.
GPS is more accurate of course (10 meters or less), but it requires the phone to run a spyware application and drains the battery, unlike simply having a phone that's on.
> That kind of triangulation is nowhere near precise enough to reveal the data shown in the article
You don't have to speculate, the article does state the method:
>> All modern mobile phones have a GPS receiver, which with the help of satellite can track the exact position of the phone with only a few meters distance.
>> The position data NRK acquired consisted of a table with four hundred million map coordinates from mobiles in Norway. A number in the table led us on the trail of Karl Bjarne Bernhardsen.
I think the general observation is that they (government, cell providers, 3rd parties to whom this is sold) have access to most GPS data and all cell tower triangulation data; the latter they have however often it is set up to be recorded.
Do you really propose a manufacturer like Apple is going to grant continuous access to the GPS receiver in their phone to the providers?
I am not sure what you are asking. In the OP article they plot each point so that you can see them explicitly. They then mention these are GPS points.
Cell triangulation needs no client side data; it uses only signal strength and three or more towers.
So what is the connection between the GPS points and the cell triangulation? How does having the cell triangulation data lead to having the GPS points? The parent claims the providers can magically access the GPS receiver in the handsets. But they really cannot, so the providers only have coarse data that cannot be used to track people on this level. The data is from another source, not the provider.
It’s much more likely the user agreed to install an app that is recording his location information.
Oh, that is false of course. If you want GPS data you need access to the phone's GPS, as you are pointing out.
I think the original point about triangulation was just that even if you are as careful as possible, then people can still track you via cell towers.
Not exactly. In cities more towers are placed together to give better coverage (for 5G this is a must). Triangulation can then be as accurate as 30 meters.
If you then have a dataset of lets say 100 points around a location you can estimate the exact location even better.
> Remember that many people ‘have nothing to hide’ so they turn on services like Google Latitude. Then later they’re al surprised when their data is sold to the highest bidder.
Do you have any proof that Google does exactly this?
I don't like Google at all (anymore) but I thought Google was somewhat ok in that they never sold my raw data points even if they would sell accesss to place an ad to "visitors who have been at this geographic location recently".
Yes. I had it more than once where I purchased an item from a store and, about 10 minutes later, I received a coupon for a discount at the very store I just made the purchase. It happened to my wife as well.
After the second time that happened, I disabled location in my phone settings and only enable it if I have a specific need for it. I have not received any "spontaneous" coupons since disabling locations.
Still possible without Google dumping your raw location history, but still interesting.
> even if they would sell accesss to place an ad to "visitors who have been at this geographic location recently
So if I click on the ad, the company behind it knows I was on that geographic location recently. This is how Google leaks data.
Yep, but that is still on a vastly different scale than what this article is talking about where raw data points are dumped.
I'm not saying that the case you mention isn't problematic but there's still a not the same as being able to follow you around the city.
The example is to illustrate that people are fine with giving away their data. Google Latitude no longer exists and I don’t think Google sells data like that, they analyse it themselves. But other services do.
1. Fine. But then one shouldn't single out one company that maybe doesn't do this. I was honestly interested in knowing if they were caught red handed but so far no references to that.
2.The function (at least the parts I used) now exists as part of Google maps.
I’m not sure if Google would sell user’s location data to advertisers since Google is an advertiser. But they definitely record it for themselves, and the government has access to it as well.
This is what always bothers me in movies. There is a secret meeting. Everybody pulls out their sim because they don't want their location to be known.
Well.. no, you already revealed where you were going.
Even pulling out the sim wouldn't help. Without sim the phone can do emergency calls, so the phone is still connected to a network (afaik).
My paranoia is fulfilled with switching the phone off (before leaving home), but others would rely on removing the battery. Snowden recommended putting it in a fridge.
It is illegal to not track and save this data in the EU.
> If you are using a cellphone, your location is being tracked. Period. You can’t avoid it. Even TOR isn’t gonna help you.
It is still possible to buy an anonymous SIM in a few countries.
Tracking it and disclosing it only upon a valid court order is one thing. Selling it to anyone who asks (or even leaking it for free) is another thing.
Even if the SIM's anonymous, as the article demonstrated, it would be easy to de-anonymize it.
There are ways to try to stay hidden, like having one stationary and VPN to it from the second one; using a burner second/third/fourth/...-hand phone for the second, etc.
In order to connect to the VPN, you must connect to the cell towers, which reveals your location.
And no matter how many burner phones you use, as soon as you visit your home address, your identity is compromised.
> In order to connect to the VPN, you must connect to the cell towers, which reveals your location.
It reveals the location of an anonymous SIM with no readable traffic, connecting to an unknown (if you use Tor) and also stationary and anonymous device, which might be planted in any random school, library, workplace...
> And no matter how many burner phones you use, as soon as you visit your home address, your identity is compromised.
Of course - don't do that with the phone on :) that's the basics, isn't it?
I don’t understand how connecting to the stationary device helps if you still have to connect to the cell towers.
I don't know if that is true. But the issue here is that the data is being sold to others for other use cases.
You used to be able to be an anonymous SIM in the UK. (No clue whether that's still the case.)
The SIM would still be tracked.
Don't think whatever EU laws allowed the UK to keep some SIMS anonymous have changed since they left?
The country that still allows it is Czechia. So it's probably not an EU law that requires it.
Thanks!
That figures. They are also pretty liberal on their citizens owning guns.
Indeed we are, and the gun ownership is not minor as well (every twelfth adult normally carries a weapon).
Interesting twist on that - the EU has gun regulations, but Czechia made a law that every licensed gun owner in Czechia constitutes a part of the national defense. Sweden has a similar thing, where people in the reserve can have a fully automatic submachine gun. But it's limited to people with an explicit reserve status and the proper training, gun safe etc and further limitations, plus in practice it's not common anymore.
Trust me, if the EU was to interfere with gun ownership here, Czechia would be out the next day. There was a little sign of such thing and a huge protest was planned within days, forcing the politicians to consider protecting gun ownership/carrying in the constitution (not yet done, but still on the table)
Also Sweden
As the article demonstrates, it’s easy to de-anonymize the data.
Many of the apps that sell your location use location as a critical component of the experience. Apple and Google added a permission last year - only allow access to location when app is running (in the foreground). That change has made a dramatic reduction in the amount of location data available.
Ultimately, free is the culprit. People like to navigate, buy stuff online, see things on a map, get local weather, and so on - especially if it is free. The old adage about if it is free, you are the product probably applies.
"Ultimately, free is the culprit. "
False... Plenty of companies take your money and still sell your data.
Airnb and the cell provides are good examples [1],[2].
The cell provider location data is the most insidious. They add noise to it, but the central limit theorem is a real thing and people who buy the data are aware of that.
[1] https://www.nytimes.com/2020/01/15/technology/data-privacy-l...
[2] https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hu...
I’m aware of what the central limit theorem is, but I’m confused as to what you mean here. Do you mind clarifying? It sounds like you’re saying the CLT leads to deanonymization. I don’t see how the two are related.
Take several measurements and average them. The variance scales like 1/n_samples, which can take you from city-block resolution to building resolution quite rapidly.
There are conditions for the central limit theorem to hold though. One can generate random noise which violates them. It's certainly hard to guarantee privacy, but it's not trivially easy to hack if they're halfway smart about it.
Correct. This "if the product is free, then you're the product!" thinking needs to go away. The reality is numerous companies sell your data today, regardless if you're paying for the service or not.
No, that thinking is correct. What isn't correct is when people think this has some bearing on when the product isn't free.
Most free as in freedom software are free as in beer and are not packed with anti-features.
Most cloud / Android / iOS software which is free as in beer isn't libre. Which is where the consumers are the product.
...such as cell service providers. All of them (in the US, at least) sell your location and browsing data to advertisers.
I would happily pay for a provider that doesn’t triangulate my location 24/7, but none exist.
(not defending their practices at all...)
They are required to for 911 support.
Obviously they are not required to keep the data, and especially not sell it.
(Minus maybe a sealed NSA directive, though that is pure speculation on my part)
In the EU they are required to keep some data by law. No clue about the location data, though.
Right? Seems like enough people are willing to pay for their privacy, the demand is there.
It is possible for two things to be true at the same time. You are right, there are paid apps that sell location data to brokers... but the vast majority are free apps that rely on mass monetization of users for their income.
And I'm not sure I need to say it on here but OSS exists, of course.
Being a user of free applications and services does not automatically give corporations the right to exploit people by collecting and selling their personal information without consent.
Ironically, the data of paying customers is even more valuable. Spending money on these things is probably a great way to make them pay even more attention to you. For example, mobile game companies seem to know everything about their big spenders and I've read that some are in direct contact with those players.
> without consent.
that's the point, they "gave consent" via the terms and conditions checkbox, and this is upheld in court since the user knew they were getting the service for free. Few countries have kept up with their laws to protect consumers from this.
> Few countries have kept up with their laws to protect consumers from this.
Seems to be a US thing. Apparently people can give up their rights and consumer protections by agreeing to a contract. Naturally, these "you agree to not exercise your rights" clauses have become standard in privacy policies and terms of service. In many other countries, a judge would simply invalidate the abusive clause.
Very few people are going to take this to court though. Regulators need to establish rules and proactively enforce compliance in order to bring about change.
>> Few countries have kept up with their laws to protect consumers from this.
> Seems to be a US thing.
This article was written about data collected in Norway by a data broker based in the UK.
The US has no meaningful consumer protections to give up. Abusive agreements don't make things appreciably worse.
Then allow me to pay if I want to?
I don't get this argument when an alternative doesn't exist.
And even if you are able to pay and choose to do so, do you think this means they stop collecting your data? I very much doubt it.
I think the problem is developers/companies only have so much time/resources, and figure that x people might pay for an app/service, but 100x will use it if it's free (with other monetisation strategy), then why bother coding & interfacing with a payment system (and this starts to get convoluted and require and entire department handling payment and tax issues across different countries and jurisdictions) for just 1% of likely users?
Not saying that's the right approach, but that's probably how the thinking goes. Billing is certainly easier than it used to be (that's what the 30% app store cut is for), but can still get convoluted, and might have the perception of being convoluted.
Then allow me to pay if I want to?
If you pay then you signal that you have disposable income and your data becomes even more lucrative to sell. It’s a no-win situation.
Some do. I pay to remove ads from the wunderground app which IBM claims means they don't sell my data. Not sure if believe them, but at least I don't see ads.
> Ultimately, free is the culprit.
No, it isn't. Consumer data being sold in a completely unregulated manner is the culprit.
Paying for the product or service has nothing to do with whether or not your data is being sold.
Ultimately, free is the culprit.
Sort of. The real question is: how much does Google make with their free ad-driven model? You'd have to beat that with a paid model (taking into account the reduced userbase as a result of increasing the perceived price).
Also there is genuine value to having $0-cost high-quality maps, Internet search, translation, and many many many other things available to the general public, worldwide. I don't think you could match that same level of public benefit with a paid-only product.
Letting an app use your location and allowing it to sell that data should be mutually exclusive opt-ins in my opinion instead of just one setting
The problem is that Apple has no way of truly controlling what someone does with data once they have it.
This is one of the reasons why I'm generally not OK with "anonymized" data collection without an explanation of how it's being anonymized. It's almost always easy, often trivially easy, to correlate the data together and basically get a perfect recreation of whatever the original data was back.
Anonymization in the data reselling industry is often some form of md5(lower($email)). It's a joke. They even do that for extremely small search spaces like phone numbers. It's still provided at the individual user-level and even if the anonymization is done in a way that's irreversible, you only need to know a single event for a given person and you now have their entire history.
For example, there's a popular email client that scrapes people's inboxes and sells their purchase history to anyone willing to pay. That purchase history is provided on an individual email level and is "anonymized". But if you know your target has this email client installed and you know a single purchase (e.g. a coworker saying "Oh, I bought this awesome coffee maker on Amazon last night!") you can now access their entire individual purchase history backward and forward.
> coworker saying "Oh, I bought this awesome coffee maker on Amazon last night!"
This x1000.
I have seen people invite others to eat lunch at restaurants that only accepted credit cards in order to elicit such a data sample.
Yeah, it's not just emails of course. You can do it with web traffic data. You can do it with credit card data. You can do it with geolocation data. You can do it with TV viewing data.
Wait, what? Please tell us more
Wait... WHAT?!?! I mean if I think about it, yeah that makes sense to have been built but WTF?!?
Care to share which email client it is? It should be killed with fire!!!
Assuming you're asking a genuine question, it's Gmail.
Do you have a source for claims that (a) google parses emails for purchase histories and (b) sells it?
https://myaccount.google.com/purchases is empty for me, and I sure do have a lot of email receipts on my gmail. It also says "Purchases made using Search, Maps, and the Assistant are organized to help you get things done, like tracking a package or reordering food".
https://www.cnbc.com/2019/05/17/google-gmail-tracks-purchase... "Google says it doesn’t use this information to sell you ads."
Google used emails for ad targeting which was mentioned in Microsoft "Scroogled" ad campaign in the US. But Google says it stopped doing so years ago.
Do I miss something?
No, no, Google doesn't read your emails (any more); they just give access to them to certain "developers" (read: arbitrary paying third-parties).
I believe that GP is talking about the unroll.me service which was caught selling purchase receipts to companies like Uber a few months ago.
I was referring to https://mail.edison.tech/, but they compete with unroll.me (rakuten intelligence) in selling people's emails.
That's pseudonomization, not anonymization. The former is generally not GDPR compliant.
"Anonymized" has become a marketing buzzword.
Wow, this article is really interesting, but one thing I noticed is that the translation is generated and perfect! In fact if the header weren't there I'd have thought it was written by a native english speaker.
It's alright but it's definitely not perfect. See the italics (emphasis mine) for a few quick examples in the first few sentences of the article.
"Over the past year, his cellphone has revealed where he has been for almost 24 hours."
"Nor do tens or thousands of other Norwegians."
"Just before eight o'clock in the evening, a perfect little boy comes to the world at Stavanger University Hospital."
EDIT: The rest of the article is littered with these minor errors every few sentences. I didn't bother including any more quotes here.
It’s secretly an ad for Google Translate.
That is actually a pretty good translation with few mistakes
In Soviet Russia, your cell provider sells this data.
Wait, no, that's America. I was thinking of America.
In soviet russia, cell phone data sells you
Gramma nazi on: you mean Russia or the Russian federation if you want to be precise. The Soviet Union collapsed almost 30 years ago.
"in Soviet Russia" is a meme format
gramma as in grandma, or grammar? ;)
Why would they sell data in Soviet Russia, when that data belongs to the people and the people’s secret police?
Most likely the users installed one of those free apps that ask for location access. Those apps collected the location, even when not ruining and uploaded for sale.
It is a pity they did not do better forensics on the installed apps. One or more were revealing the location.
I don’t know if AccuWeather is available in Norway, but in the US at least, it (in conjunction with location data company Reveal Mobile) has been one of the leading location-data trojan horses: https://www.zdnet.com/article/accuweather-caught-sending-geo...
It would be really interesting if each app was fed a slightly modified location as steganography. Then the sold data could be cross-referenced to determine which companies are selling the data.
Sounds like a waste of time to me. If you feed 5 different location streams, you'll just find those same 5 streams for sale.. What a f---ing nightmare we're living in
More than likely, we'd have five companies selling the same original data.
This isn't likely news, for most here.
But it can't be reported enough, for the general public.
Yeah, I think this is one of those things where, when the normals catch on, there's gonna be pitchforks and torches.
Indeed, but what would it take?
I gather that NRK is the BBC equivalent for Norway, so it's not surprising that Tamoco sold so much data to it. But I wonder how selective Tamoco and its competitors are.
In particular, I can imagine that there's a substantial market for data that facilitates tracking people. Bounty hunters. Repo agents. Private investigators.
But also people who want to stalk others for whatever reasons. If someone could document that application, perhaps there'd be "pitchforks and torches".
I don't know what it would take, if anything. I was talking to some twenty-something folks in Berkeley about a decade ago and asked them what they thought of Snowden. They didn't know who he was. When I explained, they dismissed the whole thing. It turned out that they assumed the government was spying on everybody anyway. I don't know what to make of that, I'm just passing along the anecdote.
Anyway, from what I've heard these marketing companies are not very selective at all. More precisely, they are selective but don't dig too deeply. But this is just my impression, not fact.
> It turned out that they assumed the government was spying on everybody anyway.
I've assumed that since the 60s :)
Anyone remember "The President's Analyst"?
The NY Times had a similar article recently: https://www.nytimes.com/interactive/2019/12/19/opinion/locat...
Previous short discussion about a "foot traffic" vendor https://news.ycombinator.com/item?id=22704138
A vast unaccountable ecosystem of data brokers simply cannot be the way society is forced to feed app developers.
Despite the title, it was mostly an article about location data being (no surprise) identifying information.
A question for the Android experts: is it possible to block or spoof location data, through a custom build?
Could I have an Android phone running a program that spoofs a long steady drive from Tampa to Butte?
Yes, but that does not stop the cell providers from selling your location [1].
You could also run an Android VM in the cloud and RDP to it when you want to use sketchy (edit: free) apps. This approach could have saved Bezos some trouble [2].
[1] https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hu...
[2] https://www.nytimes.com/2020/01/22/technology/jeff-bezos-hac...
> You could also run an Android VM in the cloud and RDP to it when you want to use sketchy (edit: free) apps. This approach could have saved Bezos some trouble
The article also points to WhatsApp as the infection vector.
I agree that anything Facebook produces is fair game as far as being sketchy goes, but it’s not the only messaging platform to have been exploited.
Do we run all messaging services in independent sandboxes in VMs?
[2] says Bezos' iPhone was hacked via WhatsApp with the NSO Group-developed exploit. It is not possible to run iOS VM in the cloud, and even for Android it does not sound practical at all.
I had the option to spoof location data under "Developer options" in Settings with the original OnePlus ROM, but it's even easier to accomplish now that I'm running LineageOS.
In short, yes.
Yes, it’s very possible, I did similar work years ago patching functions on jail broken phones for seamless encryption.
Why bother spoofing when you can simply turn location permission off ?
Spoofing adds noise to the data, making it worth less.
If enough people do it in a way that cannot be easily detected, the market for this sort of data will shrink quickly.
I don't see how spoofing is better than blocking. If enough people block it, the market will shrink even faster. It's also much easier for people to block than "spoof". Spoofing seems practically pointless and academic compared to blocking.
On a custom ROM, sure. That's why games like Pokemon Go blocked them.
Using it as a daily driver is not advisable though.
At worst, having root should be the most that's required, which only on some phones requires a custom rom.
Android has built in support for location spoofing with the developer mode option, select mock location app.
Other apps can easily check whether the location comes from a mock source and discard such data.
https://developer.android.com/reference/android/location/Loc...
These type of security vulnerabilities are due to the core OS/APIs being developed by a surveillance company that isn't concerned with user privacy, and they're countless.
There isn't enough will in the Free world to mitigate even the most glaring ones either, such as LineageOS not incorporating the MicroG patches. The end result being more forks, more confusion, and groups of users remaining unprotected.
Commoditize your complements, indeed.
When I saw Foursquare transition from a B2C to a B2B focused company that is when I finally deleted the Swarm and Fourquare Apps. I still don't fully understand their decision to split Foursquare into 2 apps, but what I did/do understand is that there is alot of money to be made in location data. You just hope that the people in these businesses are ethical people.
Isn’t data this granular illegal, at least in the US? Obviously trying to make the data anonymous does nothing if you can still see the same user over time - I’ve only ever seen this data with users put into groups, and data points fuzzed.
>is granular location data illegal
Generally speaking, there are no laws against merely possessing data, unless the data itself was the result of a crime.
Maybe you mean selling the data? That's nuanced. It seems to be illegal for phone-companies to sell your real-time cellphone location... but historical data? App developers instead of phone companies? The devil is probably in the details in terms of what constitutes a crime and what is just shady business. See [1] where AT&T sells your location data but insists it's not technically illegal (but claims they stopped selling it anyway).
Many companies try to anonymise this data anyway because it's good business to not piss off your customers.
[1] https://www.theverge.com/2019/5/17/18629553/att-t-mobile-spr...
The article is about Norway, and there are laws against merely possessing data, namely the GDPR. To be specific, "merely possessing" private data (the granular movement data would qualify) by companies for business purposes is illegal by default - there are many options that give a legal basis for processing, and many of them do not require the user's consent, but it's upon the company to demonstrate what gives them the permission to do that, and having no justification (if the company "just has it") means that the processing is illegal. And even if the company has a legitimate reason for processing as such, doing so "without your knowledge" is generally illegal, as even where consent is not required, they are required to inform the data subject about the purposes of processing their private data.
It's not about selling data - purchasing the data or having it or using it also are covered.
The above poster's question was specifically about the US.
GDPR does not cover the US. Europe has more privacy laws than the US does.
Link in the original language: https://www.nrk.no/norge/xl/avslort-av-mobilen-1.14911685
Can I legally purchase the anonymized location data of a few thousand Americans, run that through a script which associates coordinates with addresses, and publish the deanonymized results as an art piece like this?
If so, this could be a lot of fun. It would be interesting to see the political backlash, especially if the published dataset includes politicians. Perhaps, in the name of ethics, it should include only politicians, and only those who have voted against privacy legislation. Maybe we'd finally end up with something like the GDPR here in the States.
You'd presumably get in trouble because legality is only part of the equation, the other part is how big/powerful you are and whether you have connections in the right places.
Big companies can get away with crimes while the same thing would result in successful prosecution if a little guy does it, so you might very well get in trouble even though you're doing exactly the same thing as an existing company that manages to stay out of trouble.
I however support your idea regardless of its legality (and especially if the data happens to contain details on politicians, the majority of which are responsible for the situation being as-is) and suggest you publish it anonymously (through Tor).
The real question is if you gave people a choice of paying an extra $100 a year or having apps send tracking data, most people would pay the latter.
Looks like we're moving to a Watch Dogs 2 era faster each day
At this point, most people seem to know that their mobile data is being used. And, interestingly enough, they don’t seem to care.
They have no power to change it and no credible alternatives.
Apple and Google create systems that make it possible to harvest data with no user control possible. Neither provide the ability to see or stop data leaving your mobile device.
They do this so they can attract developers to their platform.
They do provide "controls" to prevent some sort of data access to prevent mindful users from leaving the platform.
It's just that the control have the same sort of ambiguity as a privacy policy. Many people still don't understand that "location services" really means two-way, or that bluetooth can be a proxy for very fine-grained location tracking.
I hope that we finally get alternative phones (say pinephone or purism) because I firmly believe there's a HUGE market opportunity for this sort of thing.
Your cell phone service provider can collect and sell this data as well, its not just Apple and Google.
A broad statement. I’d like to see the evidence that they don’t care, especially when faced with the level of detail collected.
I’d say they don’t care to know, not that they don’t care. Ignorance is not a defence, even if it is temporarily a business case.
Almost everyone, I've spoken to about these (including software engineers), know they are being tracked and they don't care. Actually, you know what, not almost everyone, everyone I've spoken to about this.
I've got the reply "if you don't like it, stay off the internet". Well.
I do care. More must be done to protect consumers. I have spoken.
I agree. I find it utterly disrespectful for all the engineers who are working their asses off to save the free internet when someone tells me to stay off the internet if I don't want to use a Google service. It's that bad.
I can't point you toward public data, unfortunately. But, I work in this space.
Does anyone know what web framework they’re using to get the scrolling storytelling effect? Is this just parallax scrolling?
You have to be a special case of naive for the collection and sale of data to be a surprise. Talk about living under a rock. As for mobile apps, specifically, you think these shitty apps make money off ads? No, the business model is data. GPS data alone is a multi-billion dollar industry that is growing very fast.
What I don’t get about this kind of thing is that it’s not just shady data resellers you’ve never heard of. It’s also overt, high profile, branded tech companies like Foursquare and Yelp, with huge amassed data sets of foot traffic, wifi scans, battery status, often paired with demographic info or data that can be joined by ad IDs or commercial device graphs.
If these companies are able to keep on truckin’ with massive user bases who don’t seem to care that the entire business model rests on flagrant violation of data privacy and data reselling, why would you ever expect anyone to care about the long tail of scammy lesser known data resellers?
Companies like Yelp or Foursquare are essentially as scammy as it can possibly be, with the scamminess shoved right in users’ faces, with lots of middle fingers and half-hearted sound bytes about respecting data privacy. If users don’t react in horror and delete accounts / stop contributing en masse in response to that, why would you ever think an expose about something a further ten degrees removed from the user’s immediate experiences is going to cause any reaction?
People just don’t care.
When someone uses an app such as Yelp it's like valet parking. They know they're handing over something vital, but its with the expectation that the company will provide something of value in exchange, and trusting that they won't use it for more than that. Yes, you're allowing a company to track your movement (for the purpose of grading restaurants). And yes, you're allowing someone else to drive your car (for the purpose of finding a parking space). If you find out a third-party is tracking your location though, that would be as if someone other than the valet were driving your car. And when they use it for their own gain in a way that doesn't return anything of value to you, that would be considered joyriding.
“I hand over my data in exchange for the app handing over a valuable experience or service” is the hugest lie in the business. This is exactly what the disingenuous marketing doublespeak of Yelp and Foursquare says.
In reality, most users really do not understand or consent to the level of data tracking and are very confused about terms of use or privacy settings in the app or just on their device.
The big problem is that it is just not possible for the vast majority of people to have enough expertise or technical know-how to give anything resembling informed consent. Whatever the user is agreeing to, it emphatically is not anything like consent.
The fact that Apple Maps integrates Yelp is a big red flag for me, and I think a big hole in their privacy story. It's why I am more comfortable using Google Maps than Apple Maps.
The data doesn't come directly from Yelp AFAIK. It goes throught Apple's servers. Yelp isn't queried directly.
Again this is from my memory of MITM proxying iOS.
They are still promoting that garbage company though (for a lot of other reasons besides privacy).
Try Google Opinion Rewards and see if you still have that...opinion.
How are Foursquare and Yelp collecting wifi scans?
-> ok so yelp bought "Turnstyle WiFi" which runs wifi hotspots at businesses like Burger King and collects client data ...keeps reading... oh god their wifi is worse than their burgers this is sickening