Your smartphone is probably sending your precise location to companies right now. Their job is to turn your shopping trip or doctor’s visit into “Big Data” — another term for corporate intelligence. So far, the companies and individuals profiting from your everyday movements have mostly evaded scrutiny.
As Times Opinion continues reporting on a giant trove of mobile phone location data, the companies and people profiting from the privacy invasion are coming into focus.
So who, exactly, is watching, and why — and where is all that information going?
The Players
Google Maps is possibly the most popular location-based app in the world, with over one billion users active each month, most of whom are most likely enabling location tracking. Large tech companies like Google and Facebook are more likely to keep the invasive data they collect to themselves for their own internal use, repurposing it to improve their products, for marketing and other analyses.
But many other location data companies aren’t household names. Smaller players mostly operate behind the scenes on many of your favorite apps, using software designed to quietly collect location data from your phone’s sensors after you consent (more about that in a minute). Many have labyrinthian privacy policies vaguely explaining their permissions but they use technical and nuanced language that may be confusing to average smartphone users.
The industry has evolved to sprout even more companies, specializing in monitoring phones via Bluetooth signals or improving the technology that lets it all happen. In other cases, location data is funneled into marketing companies and used to create targeted advertising. (Companies can work with data derived from GPS sensors, Bluetooth signals and other sources. Not all companies in the location data business collect, buy, sell or work with granular location data.)
By design, it’s often nearly impossible to know which companies receive your location information or what they do with it. Some are startups with only a few dozen employees and modest funding. Others are established players with significant investment.
Because the collection of location data is largely unregulated, these companies can legally get access to phone location sensors and then buy and resell the information they gather in perpetuity. Not all companies do that, but some do. The business opportunities are vast. And investors have noticed. Many advertising executives have independently described the location data industry to us as “the Wild West.”
The advertising ecosystem is also incredibly complex. The number of companies has grown from about 150 in 2011 to over 7,000 this year, according to Marketing Technology Media.
That complexity, according to an ad industry veteran, is by design: “Everybody knows their one little part and basically nothing more. Every company is just one micronode of the ecosystem. Nobody can see the whole thing.”
The Tech
It’s costly and challenging to build apps and large audiences from scratch. To get around this, smaller companies piggyback on bigger app developers, inserting their tracking programs into established apps via something called software development kits (known as S.D.K.s).
Companies often pay the apps for access, doling out as much as $20 per 1,000 unique users each month or as little as $2 per 1,000 — depending on how eagerly data companies want the data and how much value they expect to derive from it — according to a former employee of a location data company who was responsible for recruiting apps to use its S.D.K.
“A lot of them were small application developers,” the former employee said. Deals with small companies could be struck in less than a week, with the negotiation focusing almost entirely on the financial compensation, the person said. “They were just cash-driven companies where any incremental amount of revenue was helpful.”
Many S.D.K.s provide useful and sometimes vital services, like login integration or mapping technology. Facebook, Google and Amazon have S.D.K.s inside all kinds of apps. In the case of these tech giants, the S.D.K.s help provide web traffic analytics, facilitate payments or run ads.
In either case, the S.D.K. makers receive user data from that app — potentially over a billion datapoints each day. And once the companies have legally obtained it, there are few legal restrictions on what they can do with it. Some turn around and sell that data for profit.
“It’s the industry standard,” an online ad industry veteran told us, speaking on condition of anonymity. “And every app is potentially leaking data to five or 10 other apps. Every S.D.K. is taking your data and doing something different — combining it with other data to learn more about you. It’s happening even if the company says they don’t share data. Because they’re not technically sharing it; the S.D.K. is just pulling it out. Nobody has any privacy.”
How is this all allowed? Technically speaking, you consented. Location data companies rely on those “I agree” screens and privacy policies to create the legal and ethical basis for their business. The companies justify owning and monetizing the most intimate details on our daily travels by suggesting our movements are anonymous and impersonal.
“We don’t have a direct relationship with the app user or the consumer,” said Brian Czarny, chief marketing officer of Factual, a location data company based in Los Angeles, which says it doesn’t sell any of the raw data it collects.
He added: “We don’t even look at it as a user. We look at it as a device.”
The Apps
It’s hard to know exactly which apps are sharing and profiting from your location data. Even apps that work with location data companies might have specific arrangements that limit how it’s resold or used for analysis and advertising outside the app. This chart, using data from the S.D.K.-tracking company MightySignal, shows the categories of apps most commonly working with S.D.K.s.
While this list includes more than 3,400 titles, many apps that collect and share location data don’t send it directly to third parties within the app. It’s ultimately impossible to identify all the apps involved.
Simply by downloading an app and agreeing to the terms of service, you’re potentially exposing your sensitive information to dozens of other technology companies, ad networks, data brokers and aggregators.
The Business
Sharing your location data isn’t always bad. Many apps that use location do so with clear disclosures and provide useful services. Yet in some cases, companies collect the data seemingly for one purpose but can use it for another.
In a test by Times Opinion earlier this year, the music and podcasting app iHeartRadio asked for location services to “get your favorite DJs.” But the app quickly sent the phone’s precise geolocation to the data company Cuebiq via its S.D.K. Like other location data companies, Cuebiq uses location data to fuel analysis, like measuring whether people visited a store after seeing an online ad or helping marketers build more detailed profiles for targeted advertising.
In an emailed statement, iHeartRadio said that it complies “with all applicable laws in connection with its use of location data” and that “our privacy policyincludes fulsome disclosure around location use.” In the latest version of the app, the consent screen includes more details, adding that the company “may also use or share location for advertising and analytics.”
In another test, the popular weather app MyRadar sent the phone’s precise location to Cuebiq about 20 times while it was open during an eight-minute walk in Brooklyn. While the app included clearer details on its consent screen detailing how location data would be used, it’s difficult to evaluate the trade-offs without being able to see how frequent and precise the tracking really is. MyRadar did not respond to a request for comment.
Another example is OneSignal, which specializes in mobile and desktop notifications but built a side business by collecting and selling location data. If users agreed to share their location with an app for a local notification, OneSignal could collect it via its S.D.K. and then make money by selling the data to third parties.
The day before we were scheduled to speak with OneSignal about these practices, it announced it would stop reselling data. (In an interview, it said the change had been planned for some time.) The company’s co-founder and chief executive, George Deglin, said that revenue from reselling was relatively small and that the public “is leaning more negative now” over companies profiting from their users’ data.
That negativity has grown as Facebook scandals, data leaks and security breaches have made Americans more concerned than ever about what is happening to their data. People might have felt comfortable giving up their location before these breaches, but would they consent today?
Once you’ve entered the location data marketplace, you’re there forever.
New York Times