I encourage everyone to try routing your own device's traffic through mitmproxy and observing this in real time. It's eye opening.
Apps like Deliveroo, which have legtimate reasons for high accuracy location access, send your data to marketing companies on every launch with very high precision.
I've written a guide[0] about how to use mitmproxy to look at the data escaping your device.
While it may not catch everything, another way I've picked up on various tracking services is simply running pihole and customizing the lists based on permitted dns lookups. It's interesting and troubling just how much of my internet browsing is blocked at the DNS level on a day to day basis with no perceivable impact on what's being viewed. I do wonder how many services might start trying to hardcode IP addresses to get around such things in the future. I'll have to try mitmproxy and see what I might be missing.
Yup I do this too and I agree with your observations, about one third of my home network's DNS request are rejected with nearly no impact on my internet browsing. I've also observed the same thing when browsing the web with uBlock Origin set to block third party scripts by default. On most sites whitelisting ~20% of scripts is enough to make the site functional, the other ~80% apparently being redundant for the purpose of the site's core functionality.
Am I understanding it correctly that the app on your mobile is directly sending the data to marketing companies? They don't even collect it and hand it to marketing companies through a separate channel?
No they dont't usually collect the data and forward it to third parties. With most stuff like this apps will embed a binary SDK which is initialized when the app starts. Because the SDK runs in the app's process it has all the same permission and data access that the app itself has. The SDK communicates with the relevant APIs directly. On the web similar models are often used with third party scripts loaded in the main page context.
One of the things I appreciate about the iPhone is the fine grained settings for location tracking. I have had to turn off access to numerous apps and have limited other apps to only using my location when I use the app.
To limit the tracking I had to personally do an audit. I noticed the location indicator was on most of the time and it annoyed me. I found too many apps using location tracking that just did not need it.
Most people will not do this. We need better laws.
No application should `require` location services to start/let you in.
If you have `Facebook` app installed first time, upon opening the app, there should not be any requirement to access location data.
Only at the point of posting with a 'Share Location' the app should request the Location tracking. And I don't see why it then needs to be permenantly permitted from then on. (Unless manually remove again)
They are scummy tactics and I agree, people just click okay to remove the inconvenience, but the creators are creating problems in order to get those 'Allow access'.
Its gross. Almost like selling a solution to a problem you created.
>"No application should `require` location services to start/let you in."
Exactly this. Rejecting apps from getting into your store ecosystem that request permissions that they can't justify based on the purpose of the application should be one of the first and major things app-store curators do.
Now to enforce this with browsers as well and include things such as "push notifications".
For Facebook that may make sense but requiring the user to grant permission every time the permission is used would be vista era bad for some apps (maps, camera apps that geotags).
Why would you approve location access to an app that doesn't require it?
The only thing I miss is "ask me everytime" option on android (atleast until 9), where you want to post an instagram photo with geotag now, let them do a location lookup once, and after that disable the location access (so, a "give permission for one lookup", instead of going to settings, enabling location, posting, back to settings, disabling location access).
Because location services can enhance apps, even ones that aren’t obviously location-related. For example, I love that iOS’s granular permissions allow me to approve location services “Just this once” for Camera.app, for the occasional photo when I do want it geotagged for later reference. Before, I would have to manually set it to “Allow when using”, which carried the huge risk of me forgetting to switch it off later.
I agree and even further: you cant trust security features by the company you got phone from. It is conflict of interests. On android at least you can remove google completely and use 3rd part application firewall like netguard, that is open source. Or xprivacy lua to fake the data. Google "security" is a joke. Trusting privacy settings to the company that makea billions by destroying the privacy. Nope. It wont work.
Are you? Are you able to tell for years ahead this wont happen? Insurance companies? Should I remind you about pre ww2 germany and their tagging of nationality (jew) in national archives? Sure in 1920 nobody cared about it, in 1942 it became something with mortal consequences. Maybe reminding about China social score? We are now in 1920 while I care what will happen in 1942. Historia magistra vitae.
If google gets to the point of falling revenue (which will happen, sooner or later, continuous growth in finite system is impossible), stock holders will force the "sale", do you think they will sell their offices? Computers?
I had our annual chat with a friend ( long story, it is just hard for us to find time we can both be in the same place ). She works in a hospital and said the same thing about medical bills. One person can't keep track of all this. I had the same point about privacy. We do need something better. The current version does not work for me.
The concept of freedom is so interesting. In the US, it is an inherent right. Many things are protected as inalienable rights from government intrusion. But a darker picture emerges when freedom is weaponized by private people (e.g. corporations). Your freedom actually starts turning into a capitalist feeding frenzy. Take it one step further and it is a nightmare (stalkers). Freedom is a careful balance of the two. This trade off is a strange yet inevitable world Americans live in.
You're only valuable to these companies if they can put an ad in front of you. If you quit Facebook and use uBlock, it's costing these companies money to keep track of your interests for ads if they can't serve you any.
With Location Services disabled, FB can use secondary data, like Bluetooth information and IP address to reasonably approximate location. It doesn't change the situation much.
Apple could also help by making the global Location Services toggle more readily available (icon available in Control Center?) instead of multiple clicks deep and a confirmation.
There was a pretty interesting talk presented at DefCon this year on tracking and other personal data being exfiltrated from mobile devices over Tor (in plaintext!!!). After noticing this activity on some end user devices, the presenters set up some exit nodes and started looking for similar traffic, and uncovered a shocking amount of data being moved about in this manner from a variety of mobile applications. Unfortunately, the presenters didn't name and shame (though they did imply some well-known brands were guilty), and it was presented at the SkyTalks venue, so no recording was allowed and the slides won't be published. But given the data that they were collecting and where the impacted users seemed to be located, it appeared like a majority of the tracking traffic they were intercepting was coming from users in China, Russia, and other states with civil liberties issues.
Yes, but you will need to first correlate connection data from a ton of anonymous IPs, and then send tough guys to the site to check everybody's passports at a gunpoint.
Or you just correlate the data with known locations as the NYT did in the article when they tracked the inauguration singer by knowing where she was on a single day.
If you didn't know, Google even added a special API in Android for Apps to use to get device IDs, IMEI included. The very point of it is to allow tracking by Apps.
In Android 6 they even made a special callback result to indicate that the user has refused to give his permission rather than indicating that modem/phone ID wasn't found.
Clearly they are aware of this and do that deliberately.
1) There is no Facebook, Apple and Google on the list of "location data" companies. These guys have records on you for years of tracking and it didn't cause nytimes to create a fancy article on them?
2) Funny how the only big company mentioned in the article is Apple, while iOS is far more difficult to convince to share location data with 3rd parties compared to Android.
The story discusses the provenance of the data after the opening paragraph:
> THE DATA REVIEWED BY TIMES OPINION didn’t come from a telecom or giant tech company, nor did it come from a governmental surveillance operation. It originated from a location data company, one of dozens quietly collecting precise movements using software slipped onto mobile phone apps. You’ve probably never heard of most of the companies — and yet to anyone who has access to this data, your life is an open book.
Is your suggestion that the NYT wait until every large tech company leaks their databases to their reporters?
Yes, I know of these systems and have been downloading/analyzing my personal data for years. And the press has written on the implications and risks of this data for years. I guess I don't understand what you're getting at? The NYT is not entitled to my or anyone else's data unless I give it to them.
Ostensibly, the story under discussion is interesting because it is personal data for millions of users who have consented (via agreeing to terms of services) to the collection, but haven't fully grasped what happens when that data can reveal to a third party.
Those companies sell advertisements, but keep the raw data to themselves. After all, that's in their business interest. This article talks about vendors directly selling the data itself.
This data seems highly valuable to hedge funds: if a fund could pin the devices of well-known bankers and executives of potential acquisition targets, it could see deals coming before announcements. Is this legal?
Hell, track their social relations, and the same for all of their employees, estimate their personal relations with social models, quantify and predict their mood on an organizational level. Then go long or short on the company. Rinse and repeat for everything on this planet.
I wish I had this data, myself. I mean, my own personal data - it would be so incredibly useful for me to be able to go back through the last years and see my location and tracking data. I could finally get those timesheets updated with correct details ..
But, alas, no. Its not available to me. Only third parties can access it.
My questions for any company that collects location data or receives it from a third party would include:
Do you associate the geo data with individualized identifiers? In other words, can individual data points be linked to one another (linkability)? (Obviously the answer is yes for whichever company this dataset came from)
Do you resell the raw data to other third parties, and if so, what kind of vetting and data controls are levied upon them? Where are these customers located? Let us see one of your contracts.
I generally think this story would have be more impactful if the Times tried to pose as a customer and bought the data from a company to expose flaws in that system. As it stands, the location companies are very willing to admit they sell this data, but they would claim that nothing bad will happen to you. Disprove that and now there’s a cause for action.
The US government has agreed with the US government's argument that any information transmitted over a 3rd party server is not protected by the 4th Amendment. This is why the US government will not do anything to stop or slow the mass collection of private data. They have asserted and affirmed their right to Hoover that shit in tandem.
The best way that I can see to force the government's hand on this issue is to use a dataset like the one the NYT obtained to expose a few politician's extramarital affairs. Once they realizes this information can be used against them, they'll suddenly consider it to be a very big issue.
Think of the modern Truman Burbank. The next step is to assume everything is live at all times and behave as such. Stop trying to prevent everyone being aware of each other.
Scheming is irrelevant now and if you are reversing the progress of the tribe then you should spend your days on your computer trying to come up with a new Tor and then you'll approach the end of your life knowing that all you did was try to avoid everyone's gaze so you could "get ahead."
Assuming everything is live presumes that we should have to care about what others think about any given conduct. Social justice is what this is plain and simple. Rule of law (or the absence thereof) is meaningless in modern society?
I've heard the "eye of Sauron" metaphor in a few podcasts that commentate on the ease of mass surveillance. This has less to do with individual smartphone tracking - individual smartphone users have the power to zero in on certain topics and ideas (viral) relatively instantly since news can travel along a global internet unhindered.
Chinese Social Credit automated aggregation of all citizen smartphone activity feeds is the "rule of Law". We will be economically limited by our inefficient (bad) deeds.
Funny you mention this. Outside the Guantanamo prison complex is a sign bearing the unit symbol of the military branch operating the facility. This is affixed to a fence bearing “maximum security” signage, etc. Displayed on this sign was their motto which contained verbiage about defending “freedom”. I found this ironic as there was a prisoner staring out through the fence standing next to the sign.
there's a very limited amount of people around the world that actually care about this those of us do our best to not allow this to happen but then there is the others, the people that don't read terms, that live for the gram etc these are the main demographic target because they're quite simply dumb. People constantly make jokes at me for wanting to be off the grid for trying to keep a low profile etc for complaining about having to accept cookies for any website you want to use these days. data mining has been big bucks for far too long and will remain that way until the masses join us which I sadly fear they never will along with the fact that these big data companies are all working with bigger government and political groups. its been this way for a long time as others have pointed out and its a sad fact that it will remain this way for the foreseeable future unless people educate themselves on these matters because the companies getting away with it will continue to and not educate the masses as that means a loss of profit.
I'm waiting for instant decisions about my service worthiness based on algorithmic analysis of my data points.
If the data know that I live in a nice neighborhood and commute every day to a office park job then Facebook will expend compute cycles on showing me things of interest to me. If an inner-city poor tries to get on Facebook, it can just show them a blank page. No money to be made there.
So can once and forever tell me someone why I can be tracked by a 3rd party app when I explicitly disable location services in my android phone? I'm not.talking about the device vendor or OS maker.
Can it really be so many people are so god damn stupid to leave that service on all the time or is it me here being goddamn stupid and naive :)
I try to avoid sarcasm online. It can be taken the wrong way. But I would like to welcome the NYT to 20 years or so ago when Google realized that there was money in the data. Or ten years ago or so, as privacy advocates started seriously bouncing off the walls realizing that we were tagging and tracking people in a way dictators of the past could only dream of. I'm glad they might be catching up, but for a big news organization like that, it's sad to see it take so long.
I wonder if, like so many of these blow ups in the past, there'll just be a spike of public interest and then it'll all die away. One of the most amazing things about the news in the last few years is how stories that used to have international, severe impact and political repercussions just drift off into the ether now. No follow-up, no continuing coverage. It's all about immediate spikes in shares, likes, tweets, and readers. They know people don't care about the follow-up that much; heck the data tells them that. So there's no follow-up, only the next sensation.
I hope this amounts to something. I have my reservations.
> there'll just be a spike of public interest and then it'll all die away
Panama Papers, Paradise Papers. Very little has come out of this and it's so disappointing. What this says to me is that enough of the people powerful enough to change any of it are in on it. Or, there just isn't the critical mass at the bottom, and this, where we find ourselves as a global population, is the stability between comfort and outrage.
The "Or" above, maybe should be an "And".
I wonder whether one of the reasons that seemingly illogical conservatism is as successful as it is, is because the bigger the world economy gets, and the larger the population, the harder it is to change anything meaningful without wiping out a pillar-sized part of the economy, the results of which are too unpredictable for anyone in power to want to take responsibility for.
This position only leads to further conservatism, in that any changes 'we let pass' must be war-gamed to the nth degree to ensure they don't cause societal collapse.
I'm not conservative, but the above is almost the only way I can process seemingly illogical conservatism that is actually anything other than "maintaining the status quo because I'm part of it". It's almost believing their own FUD. Hubbard-style. But it might not be entirely wrong.
Well, there is no impact that is immediately visible, bit since you mentioned Panama Papers, their content was studied by various entities providing lists to the banks. The last 100gb breach resulted in fallout from Formations Company. We still don't know how much of the recent 2TB drop will be utilized..
There are people who watch this stuff. You are right that an average person does not seem to care.
We knew that lead made people dumb back in the Roman times and yet we created leaded gasoline in 1925. In the US it was banned in 1996, after 70 (!!!) years. There's still some countries that haven't banned it, 90 years later.
I'd suggest you engage more with your fellow citizens and their ideas. Conservatives believe in their ideas just as earnestly as others and it is possible for people of good faith to disagree on fundamental issues.
You are fundamentally correct, a person doesn't hold a belief or opinion for no reason. I was specifically (attempting to) refer to "seemingly illogical" conservatism, where there is established fact or science that the 'conservative opinion / action' appears to be working against (climate change, trickle-down economics, backdooring encryption, wind farms).
Specifically where the 'conservative' position doesn't just not quite line up with, but is diametrically opposed to the commonly accepted experts opinion.
Garry Kasparov - along with many others, of course - has attributed this “drifting into the ether” to a shift in how authoritarian leadership maintains compliance. Where old school authoritarian organizations would attempt to actively stifle the flow of truth (aka the Great Firewall), today they seek to obscure the truth with a firehose of partial truths/could be truths/outright lies such that the average person is unable to accurately discern what is fundamentally true about any given situation. The tool of oppression is fake news, norms erosion, and maximizing confusion.
Scale and intentionality. Kasparov has talked about reading an interview he “gave” to a supposedly anti-Putin newspaper in which his political positions are acknowledged, but subtle changes are made that weaken his arguments and discredit him personally. The ability to create entire media organizations, websites, troll farms, etc. with the explicit intention of sowing confusion and kneecapping the ability of the populations to discern what is actually happening in the world around them is only a tool available - at scale - to a certain class of people.
> One of the most amazing things about the news in the last few years is how stories that used to have international, severe impact and political repercussions just drift off into the ether now. No follow-up, no continuing coverage. It's all about immediate spikes in shares, likes, tweets, and readers. They know people don't care about the follow-up that much; heck the data tells them that. So there's no follow-up, only the next sensation.
I sometimes joke here that A/B testing is how Satan interacts with this world. With each passing day, it seems less and less like a joke, though. And in all honesty, data science itself is fine - the problem is that some thing should not be optimized beyond a point.
This isn’t about what the news organizations know. It’s about writing to their audience and what the audience knows. The audience has a lack of awareness.
One thing that could use a lot more press is what companies do with this information. Many people who know they have it believe it to be harmless.
If they would focus on outing personal data of Senators, Congressmen, etc, that's a fairly direct path to action. I imagine there's some curious location data there.
A realisation hit me a few years back that those in power are not especially shielded from this, with cases that emerge periodically. There was General David Petraeus, brought down through a shared Gmail account (he and a lover would compose, but not send, messages). The FBI got on-board to that. Various investigations associated with major politicians. The known hacking of both Democratic and GOP politicians' personal accounts (notably John Podesta and Colin Powell, though certainly others), and more.
Other cases -- Harvey Weinstein and Jeffrey Epstein are both exemplars -- show that widely-known incriminating information can remain in broad circulation for decades without harm. It's somewhat less the information itself than the political and power balances surrounding it, which precipitate the final fall.
In the film Das Leben den Anderen (The Lives of Others), a fictional-but-highly-realistic account of the East German surveillance state, among the most poignant aspects was not the brutal suppression of political opposition, but the corruption and co-option of the surveillance system for personal gain and enjoyment -- the East German official coercing Christa-Maria (played by Martina Gedeck) into an affair that was effectively rape.
I've pointed out that Herbert Simon's defence of a data-intensive world on the grounds that the Nazis accomplished their atrocities without the benefit of automated data processing has since proven quite false: IBM were a willing and active enabler.
Or the action would be that the leaker of that information would be strung up as a perpetrator of an illegal act and have the book thrown at them. This would drown out the fact that the leaked information was accurate and true. It wouldn't be known if an illegal act hadn't been committed to release it in the first place.
Big news corporation all participate in tracking. Not a single large org doesn't have direct business relations with Google or Facebook.
I remember the day some years ago when my favorite paper (not US based) claimed it would try to still report critically about Facebook even while they are engaged in a cooperation and how such a market situation could be detrimental to independent news covering.
They needed to do that because these sites mainly drive engagement. Today, they also write a lot about the hot button topics of today, which isn't any different than boulevard really. They still have good content, but that doesn't put the meals on their table anymore.
> But I would like to welcome the NYT to 20 years or so ago when Google realized that there was money in the data
Nothing against snark, but I'm confused with what you're saying here. Are you implying that the NYT and media in general have not covered Google and other companies' threats to privacy? Or are you arguing that they haven't covered it enough, and your metric for this, ostensibly, is that these companies still exist and/or no one has been imprisoned or otherwise heavily sanctioned?
I ask because the story under discussion is explicitly not an investigation of illegal activity, but more the revelation/explanation of how closely our lives can be surveilled via smartphone through our consent. The article outright says that what's being described isn't illegal:
> Today, it’s perfectly legal to collect and sell all this information. In the United States, as in most of the world, no federal law limits what has become a vast and lucrative trade in human tracking. Only internal company policies and the decency of individual employees prevent those with access to the data from, say, stalking an estranged spouse or selling the evening commute of an intelligence officer to a hostile foreign power.
– and let's face it, if the authors hadn't emphasized this, half of us here would be ripping the authors for dishonest hype and clickbait for trying to "fool" the public into an outrage.
> One of the most amazing things about the news in the last few years is how stories that used to have international, severe impact and political repercussions just drift off into the ether now. No follow-up, no continuing coverage.
Given your opening statement, it's hard for me to know if this is an empirical assessment based on what you've observed, or whether your ability to pay attention to unfolding investigations/scandals are unreasonably dampened by skepticism and unreasonable impatience. This year alone we've seen severe and international repercussions from the Epstein scandal, which was catalyzed by Julie Brown, a Miami reporter who had been following him for years, long enough to know to keep digging when Trump's nominated labor secretary happened to be the Florida prosecutor who gave Epstein his sweet 2010 deal. I assume, like most people, you are dissatisfied that Epstein suddenly died before the possibility of a trial. Are you under the impression that journalists, including Brown, have dropped looking into Epstein? Or that something/anything should be happening faster and more noticeable to you and the public?
The reality is, many investigations happen (especially at the local level) that do effect important change, but after the initial public outrage and sanctions, if the change perpetuates, its through years-long process of policy and legislation, which you aren't likely to notice (almost by definition, if something is fixed, we take it for granted) The press itself is not given the power to directly make that change itself, and I think this is acceptable by anyone (i.e. just about everyone who is not part of the press) who hates the phenomenon of "trial by press".
All that said, I am curious what exemplary investigations you have in mind that, back in the better days, met your standard for to speedy, significant, and systemic change? For the U.S. press, Watergate is still seen as the gold standard for a major impact investigation. It took a more than 2 years from the break-in to when Nixon resigned in 1974. In that span, Nixon won re-election by the biggest landslide in American history, and many people who experienced this period would be justified (until 1974) into thinking Watergate amounted to very little.
> I hope this amounts to something. I have my reservations.
> news in the last few years is how stories that used to have international, severe impact and political repercussions just drift off into the ether now.
Wait, so you're relying on news organizations to provide detailed investigations into how companies abuse their power. Isn't that why we elect government officials?
> Work in the location tracking industry? Seen an abuse of data? We want to hear from you. Using a non-work phone or computer, contact us on a secure line at 440-295-5934
Would be nice if they clarified what the hell exactly a "secure line" means
Trying to optimize your line for non-whitespace character count since I have nothing else to do right now, I just discovered $ can be used in any webpage from the browser console:
There is strong anecdotal evidence that some people are affected by it. However few, or however small the effect size, it is not strictly the same thing as known zero risk.
"In most cases, ascertaining a home location and an office location was enough to identify a person. Consider your daily commute: Would any other smartphone travel directly between your house and your office every day?"
Then they back it up with:
"With the help of publicly available information, like home addresses, we easily identified and then tracked scores of notables."
And provided the specific example of Mary Millben.
It was manual and not automated, but the tech details of finding work and home addresses, based on the two most visited spots, seems not novel. Similar for extrapolating that into a name.
Do some patent searches for the companies pioneering the technology. Read their white papers. You can begin to assemble an idea of how they do it. It’s not entirely revealing and is very tedious. But you can connect the dots. NYT is somewhat half-hearted when it’s not a political subject.
It doesn’t have to be a telecom. Did they say which mobile platforms? Which apps? How to prevent apps from tracking you by using the permission system built into the OS?
Instead they created an article with a presentation style that looked like a MySpace page. I was half expecting early 2000s music.
Apps like Deliveroo, which have legtimate reasons for high accuracy location access, send your data to marketing companies on every launch with very high precision.
I've written a guide[0] about how to use mitmproxy to look at the data escaping your device.
0: https://hugotunius.se/2019/01/23/going-spelunking-with-mitmp...