
An investigation into the smartphone tracking industry - danso
https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html
======
K0nserv
I encourage everyone to try routing your own device's traffic through
mitmproxy and observing this in real time. It's eye opening.

Apps like Deliveroo, which have legitimate reasons for high accuracy location
access, send your data to marketing companies on every launch with very high
precision.

I've written a guide[0] about how to use mitmproxy to look at the data
escaping your device.

0: [https://hugotunius.se/2019/01/23/going-spelunking-with-mitmproxy.html](https://hugotunius.se/2019/01/23/going-spelunking-with-mitmproxy.html)
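
A way to triage what the proxy captures, as an added example (not part of the original comment or the linked guide): it flags requests to non-first-party hosts that carry a latitude/longitude pair with at least four decimal places, which is roughly 11 m. The key names, the threshold and the `.example` hosts are assumptions, and the flows are constructed sample data.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Assumed field names; trackers use many spellings, extend as needed.
LAT_KEYS = {"lat", "latitude"}
LON_KEYS = {"lon", "lng", "long", "longitude"}

# Constructed sample flows (url plus optional body), not real captures.
SAMPLE_FLOWS = [
    {"url": "https://api.food-app.example/v1/restaurants?lat=51.50735&lng=-0.12776"},
    {"url": "https://collect.adtech.example/event",
     "body": '{"event": "app_open", "device": {"geo": '
             '{"latitude": 51.507351, "longitude": -0.127758}}}'},
    {"url": "https://metrics.analytics.example/v2/t?lat=51.5&lon=-0.1&ev=launch"},
    {"url": "https://cdn.images.example/logo.png"},
]


def scalars(node):
    """Yield (key, value) for every scalar field in nested JSON data."""
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, (dict, list)):
                yield from scalars(value)
            else:
                yield key, value
    elif isinstance(node, list):
        for item in node:
            yield from scalars(item)


def decimal_places(text):
    """Digits after the decimal point, exactly as sent on the wire."""
    return len(str(text).partition(".")[2])


def find_coordinates(url, body=""):
    """Return (lat, lon, decimals) if the request carries a coordinate pair."""
    fields = list(parse_qsl(urlsplit(url).query))
    try:
        # parse_float=str keeps the transmitted digits (no float rounding).
        fields += list(scalars(json.loads(body, parse_float=str)))
    except (TypeError, ValueError):
        fields += parse_qsl(body or "")  # not JSON: try a form-encoded body
    lat = lon = None
    for key, value in fields:
        try:
            number = float(value)
        except (TypeError, ValueError):
            continue
        if key.lower() in LAT_KEYS and abs(number) <= 90:
            lat = str(value)
        elif key.lower() in LON_KEYS and abs(number) <= 180:
            lon = str(value)
    if lat is None or lon is None:
        return None
    # The pair is only as precise as its coarser half.
    return float(lat), float(lon), min(decimal_places(lat), decimal_places(lon))


def audit(flows, first_party_suffixes, min_decimals=4):
    """List (host, lat, lon, decimals) for precise fixes sent to other hosts."""
    findings = []
    for flow in flows:
        host = urlsplit(flow["url"]).hostname or ""
        if any(host == s or host.endswith("." + s) for s in first_party_suffixes):
            continue  # the app's own backend, which needs the location
        hit = find_coordinates(flow["url"], flow.get("body", ""))
        if hit and hit[2] >= min_decimals:
            findings.append((host, *hit))
    return findings
```

Inside a mitmproxy addon the same check can be called from the `request(flow)` hook with `flow.request.pretty_url` and `flow.request.get_text()`.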

~~~
colesdefectum
While it may not catch _everything_, another way I've picked up on various
tracking services is simply running pihole and customizing the lists based on
permitted dns lookups. It's interesting and troubling just how much of my
internet browsing is blocked at the DNS level on a day to day basis with no
perceivable impact on what's being viewed. I do wonder how many services might
start trying to hardcode IP addresses to get around such things in the future.
I'll have to try mitmproxy and see what I might be missing.

~~~
K0nserv
Yup I do this too and I agree with your observations, about one third of my
home network's DNS requests are rejected with nearly no impact on my internet
browsing. I've also observed the same thing when browsing the web with uBlock
Origin set to block third party scripts by default. On most sites whitelisting
~20% of scripts is enough to make the site functional, the other ~80%
apparently being redundant for the purpose of the site's core functionality.

------
mfer
One of the things I appreciate about the iPhone is the fine grained settings
for location tracking. I have had to turn off access to numerous apps and have
limited other apps to only using my location when I use the app.

To limit the tracking I had to personally do an audit. I noticed the location
indicator was on most of the time and it annoyed me. I found too many apps
using location tracking that just did not need it.

Most people will not do this. We need better laws.

~~~
bilekas
It's amazing when you hear people say they appreciate being able to stop
individual tracking after it's defaulted.

Instead of expecting that nothing tracks you until you permit it.

FWIW: This 'ability' is not specific for iPhone

~~~
john_minsk
Then it works as expected. It doesn't track you before you approve it. Which
99% of us do when opening an app.

~~~
bilekas
No application should `require` location services to start/let you in.

If you have `Facebook` app installed first time, upon opening the app, there
should not be any requirement to access location data.

Only at the point of posting with a 'Share Location' the app should request
the Location tracking. And I don't see why it then needs to be permanently
permitted from then on. (Unless manually removed again)

They are scummy tactics and I agree, people just click okay to remove the
inconvenience, but the creators are creating problems in order to get those
'Allow access'.

It's gross. Almost like selling a solution to a problem you created.

~~~
zo1
> _"No application should `require` location services to start/let you in."_

Exactly this. Rejecting apps from getting into your store ecosystem that
request permissions that they can't justify based on the purpose of the
application should be one of the first and major things app-store curators do.

Now to enforce this with browsers as well and include things such as "push
notifications".

------
sithadmin
There was a pretty interesting talk presented at DefCon this year on tracking
and other personal data being exfiltrated from mobile devices over Tor (in
plaintext!!!). After noticing this activity on some end user devices, the
presenters set up some exit nodes and started looking for similar traffic, and
uncovered a shocking amount of data being moved about in this manner from a
variety of mobile applications. Unfortunately, the presenters didn't name and
shame (though they did imply some well-known brands were guilty), and it was
presented at the SkyTalks venue, so no recording was allowed and the slides
won't be published. But given the data that they were collecting and where the
impacted users seemed to be located, it appeared like a majority of the
tracking traffic they were intercepting was coming from users in China,
Russia, and other states with civil liberties issues.

------
baybal2
One more reason to fight for the right to anonymous SIM cards.

No way to underestimate how important this is.

Second to it, you guys need to push for removing tracking infrastructure that
Google shoves into Android.

Not a single application should be allowed access to anything amounting to a
"Device ID" or fingerprinting method, implicit or explicit

~~~
dopylitty
One of the key points of the article is that location data itself is nearly
impossible to anonymize.

Even if a person had an anonymous SIM it would be trivial to identify them by
the locations where they spent most of their time.

~~~
baybal2
Yes, but you will need to first correlate connection data from a ton of
anonymous IPs, and then send tough guys to the site to check everybody's
passports at a gunpoint.

Not something automatable.

~~~
dopylitty
Or you just correlate the data with known locations as the NYT did in the
article when they tracked the inauguration singer by knowing where she was on
a single day.

------
john_minsk
1) There is no Facebook, Apple and Google on the list of "location data"
companies. These guys have records on you for years of tracking and it didn't
cause nytimes to create a fancy article on them?

2) Funny how the only big company mentioned in the article is Apple, while iOS
is far more difficult to convince to share location data with 3rd parties
compared to Android.

~~~
danso
The story discusses the provenance of the data after the opening paragraph:

> _THE DATA REVIEWED BY TIMES OPINION didn’t come from a telecom or giant tech
> company, nor did it come from a governmental surveillance operation. It
> originated from a location data company, one of dozens quietly collecting
> precise movements using software slipped onto mobile phone apps. You’ve
> probably never heard of most of the companies — and yet to anyone who has
> access to this data, your life is an open book._

Is your suggestion that the NYT wait until every large tech company leaks
their databases to their reporters?

~~~
criddell
Facebook, Apple, and Google don't have to leak anything. They don't conceal
what they collect.

If you haven't looked at it yet, Google's dashboard is pretty eye opening. You
can see where you were every minute of the day years ago.

~~~
danso
Yes, I know of these systems and have been downloading/analyzing my personal
data for years. And the press has written on the implications and risks of
this data for years. I guess I don't understand what you're getting at? The
NYT is not entitled to my or anyone else's data unless I give it to them.

Ostensibly, the story under discussion is interesting because it _is_ personal
data for millions of users who have consented (via agreeing to terms of
services) to the collection, but haven't fully grasped what happens when that
data can reveal to a third party.

------
CuriousReader13
This data seems highly valuable to hedge funds: if a fund could pin the
devices of well-known bankers and executives of potential acquisition targets,
it could see deals coming before announcements. Is this legal?

~~~
7373737373
Hell, track their social relations, and the same for all of their employees,
estimate their personal relations with social models, quantify and predict
their mood on an organizational level. Then go long or short on the company.
Rinse and repeat for everything on this planet.

------
throwaway8291
As a thought experiment: Imagine all that data was open and everybody could
query and use it.

Because my gut tells me, it will be in a decade or two.

------
mmjaa
I wish I had this data, myself. I mean, my own personal data - it would be so
incredibly useful for me to be able to go back through the last years and see
my location and tracking data. I could finally get those timesheets updated
with correct details ..

But, alas, no. It's not available to me. Only third parties can access it.

This is a terrible situation.

~~~
worldsayshi
You can download your google data at
[https://takeout.google.com/](https://takeout.google.com/)

Not sure if this is only for EU citizens.

~~~
mmjaa
Yeah, it's better than nothing but that's still not quite as simple as just
having a database I can copy off my own phone with all the details.

~~~
danso
If you have an iPhone, you can use a utility to extract the location database:
[https://reincubate.com/support/how-to/export-view-iphone-location-data/](https://reincubate.com/support/how-to/export-view-iphone-location-data/)

If you have an Android, using Google Takeout would likely be the easiest
route:
[https://takeout.google.com/settings/takeout](https://takeout.google.com/settings/takeout)

------
ENOTTY
My questions for any company that collects location data or receives it from a
third party would include:

Do you associate the geo data with individualized identifiers? In other words,
can individual data points be linked to one another (linkability)? (Obviously
the answer is yes for whichever company this dataset came from)

Do you resell the raw data to other third parties, and if so, what kind of
vetting and data controls are levied upon them? Where are these customers
located? Let us see one of your contracts.

I generally think this story would have been more impactful if the Times tried
to pose as a customer and bought the data from a company to expose flaws in
that system. As it stands, the location companies are very willing to admit
they sell this data, but they would claim that nothing bad will happen to you.
Disprove that and now there’s a cause for action.

------
34679
The US government has agreed with the US government's argument that any
information transmitted over a 3rd party server is not protected by the 4th
Amendment. This is why the US government will not do anything to stop or slow
the mass collection of private data. They have asserted and affirmed their
right to Hoover that shit in tandem.

The best way that I can see to force the government's hand on this issue is to
use a dataset like the one the NYT obtained to expose a few politicians'
extramarital affairs. Once they realize this information can be used against
them, they'll suddenly consider it to be a very big issue.

------
john_minsk
This page doesn't work for me and it doesn't show any errors...

Update: Firefox fixes it...

------
prolonge
Think of the modern Truman Burbank. The next step is to assume everything is
live at all times and behave as such. Stop trying to prevent everyone being
aware of each other.

Scheming is irrelevant now and if you are reversing the progress of the tribe
then you should spend your days on your computer trying to come up with a new
Tor and then you'll approach the end of your life knowing that all you did was
try to avoid everyone's gaze so you could "get ahead."

~~~
jc01480
Assuming everything is live presumes that we should have to care about what
others think about any given conduct. Social justice is what this is plain and
simple. Rule of law (or the absence thereof) is meaningless in modern society?

~~~
prolonge
I've heard the "eye of Sauron" metaphor in a few podcasts that commentate on
the ease of mass surveillance. This has less to do with individual smartphone
tracking - individual smartphone users have the power to zero in on certain
topics and ideas (viral) relatively instantly since news can travel along a
global internet unhindered.

Chinese Social Credit automated aggregation of all citizen smartphone activity
feeds is the "rule of Law". We will be economically limited by our inefficient
(bad) deeds.

------
bilekas
> Work in the location tracking industry? Seen an abuse of data?

I would have thought those things go hand in hand no..

Kind of like the oxymoron: A privacy conscious social media company..

~~~
jc01480
Funny you mention this. Outside the Guantanamo prison complex is a sign
bearing the unit symbol of the military branch operating the facility. This is
affixed to a fence bearing “maximum security” signage, etc. Displayed on this
sign was their motto which contained verbiage about defending “freedom”. I
found this ironic as there was a prisoner staring out through the fence
standing next to the sign.

------
adam0c
there's a very limited amount of people around the world that actually care
about this those of us do our best to not allow this to happen but then there
is the others, the people that don't read terms, that live for the gram etc
these are the main demographic target because they're quite simply dumb.
People constantly make jokes at me for wanting to be off the grid for trying
to keep a low profile etc for complaining about having to accept cookies for
any website you want to use these days. data mining has been big bucks for far
too long and will remain that way until the masses join us which I sadly fear
they never will along with the fact that these big data companies are all
working with bigger government and political groups. it's been this way for a
long time as others have pointed out and it's a sad fact that it will remain
this way for the foreseeable future unless people educate themselves on these
matters because the companies getting away with it will continue to and not
educate the masses as that means a loss of profit.

------
ng7j5d9
I'm waiting for instant decisions about my service worthiness based on
algorithmic analysis of my data points.

If the data know that I live in a nice neighborhood and commute every day to a
an office park job then Facebook will expend compute cycles on showing me things
of interest to me. If an inner-city poor tries to get on Facebook, it can just
show them a blank page. No money to be made there.

------
chrisMyzel
So can someone once and forever tell me why I can be tracked by a 3rd party
app when I explicitly disable location services in my android phone? I'm
not talking about the device vendor or OS maker.

Can it really be so many people are so god damn stupid to leave that service
on all the time or is it me here being goddamn stupid and naive :)

------
foreigner
I was about to shrug this off but quickly checked my phone - _25_ apps have
access to my location?!!

------
bilekas
It would have been nice if the report listed and documented all the mobile
services that were doing this and steps to clean it up as best as possible.

~~~
boring_twenties
Wouldn't it be more tractable to list the few that _aren't_ doing this, if
there even are any?

~~~
bilekas
Hmm, yes, but then you're in the realm of trying to convince non-privacy savvy
people to use other services that replace the tracking ones.

It's all extremely frustrating and does nothing to ease my anxiety!

------
bytematic
oh yeah, I'm surprised nobody is talking about Pilgrim.
[https://enterprise.foursquare.com/products/pilgrim](https://enterprise.foursquare.com/products/pilgrim)

~~~
adrianpike
Wow, Foursquare. There's a company I haven't heard about in a hot minute.

~~~
bytematic
They figured out that they can make a lot more doing enterprise-level tracking

------
wrkronmiller
Reader View on mobile Safari seems to work

------
DanielBMarkham
I try to avoid sarcasm online. It can be taken the wrong way. But I would like
to welcome the NYT to 20 years or so ago when Google realized that there was
money in the data. Or ten years ago or so, as privacy advocates started
seriously bouncing off the walls realizing that we were tagging and tracking
people in a way dictators of the past could only dream of. I'm glad they might
be catching up, but for a big news organization like that, it's sad to see it
take so long.

I wonder if, like so many of these blow ups in the past, there'll just be a
spike of public interest and then it'll all die away. One of the most amazing
things about the news in the last few years is how stories that used to have
international, severe impact and political repercussions just drift off into
the ether now. No follow-up, no continuing coverage. It's all about immediate
spikes in shares, likes, tweets, and readers. They know people don't care
about the follow-up that much; heck the data tells them that. So there's no
follow-up, only the next sensation.

I hope this amounts to something. I have my reservations.

~~~
BLKNSLVR
> there'll just be a spike of public interest and then it'll all die away

Panama Papers, Paradise Papers. Very little has come out of this and it's so
disappointing. What this says to me is that enough of the people powerful
enough to change any of it are in on it. Or, there just isn't the critical
mass at the bottom, and this, where we find ourselves as a global population,
is the stability between comfort and outrage.

The "Or" above, maybe should be an "And".

I wonder whether one of the reasons that seemingly illogical conservatism is
as successful as it is, is because the bigger the world economy gets, and the
larger the population, the harder it is to change anything meaningful without
wiping out a pillar-sized part of the economy, the results of which are too
unpredictable for anyone in power to want to take responsibility for.

This position only leads to further conservatism, in that any changes 'we let
pass' must be war-gamed to the nth degree to ensure they don't cause societal
collapse.

I'm not conservative, but the above is almost the only way I can process
seemingly illogical conservatism that is actually anything other than
"maintaining the status quo because I'm part of it". It's almost believing
their own FUD. Hubbard-style. But it might not be entirely wrong.

~~~
Strang
> seemingly illogical conservatism

I'd suggest you engage more with your fellow citizens and their ideas.
Conservatives believe in their ideas just as earnestly as others and it is
possible for people of good faith to disagree on fundamental issues.

~~~
gizmo686
Conservatism and conservatism are 2 very different things. One is a political
movement, and one is an aversion to change.

Regardless of political ideology, large organizations tend towards
conservatism.

~~~
Strang
Fair enough. I assumed from his comment that he meant mainstream political
Conservatism.

Big-C Conservatism does of course include a lot of small-c conservatism.

------
deltron3030
Nice graphics, powered by Svelte?

------
boring_twenties
> Work in the location tracking industry? Seen an abuse of data? We want to
> hear from you. Using a non-work phone or computer, contact us on a secure
> line at 440-295-5934

Would be nice if they clarified what the hell exactly a "secure line" means

~~~
mike-cardwell
One that isn't recorded and routinely listened to by your manager?

~~~
boring_twenties
That would seem to have already been covered by the first half of the
sentence?

~~~
mike-cardwell
So if you read and understood the first half of the sentence, then you must
have an idea of what a secure line is then.

~~~
boring_twenties
This doesn't seem to make any sense.

The first half isn't explaining what the second half is going to mean. It
reads like two separate things of which you need to do both.

~~~
mike-cardwell
It's almost as if you're parsing the sentence as a computer would.

------
bilekas
The animation intro is detrimental to the actual article..

You need to delete the HTML element with class

`video-stepper-content`

So annoying.

if lazy : Console cmd :

`document.getElementsByClassName('video-stepper-content')[0].parentNode.removeChild(document.getElementsByClassName('video-stepper-content')[0])`

~~~
jraph
Trying to optimize your line for non-whitespace character count since I have
nothing else to do right now, I just discovered $ can be used in any webpage
from the browser console:

$('.video-stepper').style.display = 'none'

~~~
tyingq
If we're golfing, and jQuery is there: $('.video-stepper').hide()

~~~
jraph
I tried, it's not in this article, I am really interested for a shorter
solution however :-)

edit: $('.video-stepper').remove() works

~~~
tyingq
Ahh, I see. No jQuery. The Chrome developer console is aliasing $() to
document.querySelector()

[https://developers.google.com/web/tools/chrome-devtools/console/utilities#queryselector](https://developers.google.com/web/tools/chrome-devtools/console/utilities#queryselector)

I didn't know it did that.

~~~
bilekas
That's actually pretty interesting.. Wonder which would take preference if I
have a bespoke definition for $ in an extension/worker somewhere.

Even a browser level event listener on it. O_o

Clearly I don't have much either to do today.

------
ajb
Web page is broken. Only works for me if I scroll past the stupid animation
before it finishes loading, otherwise it gets stuck.

~~~
tyingq
None of the interactivity, and only one of the map images, but at least you
can read it:

[https://outline.com/nVTtcg](https://outline.com/nVTtcg)

------
onreact
That's one of the reasons why I gave up smartphones.

Radiation, addiction and 24/7 workweek were some of the others.

When your phone is smarter than you something is wrong.

~~~
kleiba
I've never seen any credible claim on negative implications through radiation
when using smartphones. Do you know any?

~~~
inimino
There is strong anecdotal evidence that some people are affected by it.
However few, or however small the effect size, it is not strictly the same
thing as known zero risk.

------
scarface74
As I suspected, the article is nowhere near technical enough to get any sense
of how third parties can tie a name to a phone.

NYT’s articles about technology are usually horrible.

~~~
tyingq
It does say this:

_"In most cases, ascertaining a home location and an office location was
enough to identify a person. Consider your daily commute: Would any other
smartphone travel directly between your house and your office every day?"_

Then they back it up with:

_"With the help of publicly available information, like home addresses, we
easily identified and then tracked scores of notables."_

And provided the specific example of Mary Millben.

It was manual and not automated, but the tech details of finding work and home
addresses, based on the two most visited spots, seems not novel. Similar for
extrapolating that into a name.

~~~
jc01480
Do some patent searches for the companies pioneering the technology. Read
their white papers. You can begin to assemble an idea of how they do it. It’s
not entirely revealing and is very tedious. But you can connect the dots. NYT
is somewhat half-hearted when it’s not a political subject.

