Everywhere you go, you are being followed. Not by some creep in a raincoat, but by the advertisers wanting to sell you things.
The more advertisers know about you — where you go, which shops you visit, and what purchases you make — the more they can profile you, understand your tastes, your hobbies and interests, and use that information to target you with ads. You can thank the phone in your pocket — the apps on it, to be more accurate — that invisibly spits out gobs of data about you as you go about your day.
Your location, chief among the data, is by far the most revealing.
Apps, just like websites, are filled with trackers that send your real-time location to data brokers. In return, these data brokers sell on that data to advertisers, while the app maker gets a cut of the money. If you let your weather app know your location to serve you the forecast, you’re also giving your location to data brokers.
Don’t be too surprised. It’s all explained in the privacy policy that you didn’t read.
By collecting your location data, these data brokers have access to intensely personal aspects of your life and can easily build a map of everywhere you go. This data isn’t just for advertising. Immigration authorities have bought access to users’ location data to help catch the undocumented. In one case, a marketing firm used location data harvested from phones to predict the race, age, and gender of Black Lives Matter protesters. It’s an enormous industry, said to be worth at least $200 billion.
It’s only been in recent years that it was possible to learn what these data brokers know about us. But the law is slowly catching up. Anyone in Europe can request access to obtain or delete their data under the GDPR rules. California’s new consumer privacy law grants California residents access to their data.
But because so many data brokers collect and resell that data, the data marketplace is a fragmented mess, making it impossible to know which companies have your data. That can make requesting it a nightmare.
Jordan Wright, a senior security architect at Duo Security, requested his data from some of the biggest data brokers in the industry, citing California’s new consumer privacy law. Not all went to plan. As an out-of-state resident, only one of the 14 data brokers approved his request and sent him his data.
What came back was a year’s worth of location data.
Wright works in cybersecurity and knows better than most how much data spills out of his phone. But he takes precautions, and is careful about the apps he puts on his phone. Yet the data he got back knew where he lives, where he works, and where he took his family on holiday before the pandemic hit.
“It’s frustrating not fully knowing what data has been collected or shared and by whom,” he wrote in a blog post. “The reality is that dozens of companies are monitoring the location of hundreds of millions of unsuspecting people every single day.”
Avoiding this invasive tracking is nearly impossible. Just like with web ad tracking, you have little choice but to accept the app’s terms. Allow the tracking, or don’t use the app.
But the winds are changing and there is an increasing appetite to rein in the data brokers and advertising giants by kneecapping their data collection efforts. As privacy became a more prominent selling point for phone consumers, the two largest smartphone makers, Apple and Google, in recent years began to curb the growing power of data brokers.
Both iPhones and Android devices now let you opt-out of ad tracking, a move that doesn’t reduce the ads that appear but prevents advertisers from tracking you across the web or between apps.
Apple threw down the gauntlet last month when it said its next software update, iOS 14, would let users opt-out of app tracking altogether, serving a severe blow to data brokers and advertisers by reducing the amount of data that these ad giants collect on millions without their explicit and direct consent. That prompted an angry letter from the Interactive Advertising Bureau, an industry trade group that represents online advertisers, expressed its “strong concerns” and effectively asked it to back down from the plans.
Google also plans to roll out new app controls for location data in its next Android release.
It’s not the only effort taking on data brokers but it’s been the most effective — so far. Lawmakers are scrambling to find bipartisan support for a proposed federal data protection agency before the end of the year, when Congress resets and enters a legislative session.
Shy of an unlikely fix by Washington, it’s up to the tech giants to keep pushing back.