This is not the first post discussing location-based services on mobile phones [see posts here]. And it won’t be the last. After reading my colleague’s post on the priest who resigned from his high-profile position after his location was tied to Grindr, I thought it would be useful to remind readers to think about that privacy setting a bit more.

In sum, when you download an app, the Privacy Policy of that app will tell you what type of data that app is collecting from your phone. When you click “I agree” after downloading the app, you have just agreed to everything the app developer said it would collect in the Privacy Policy. This could include access to your microphone, camera, movement, contacts, photos and location. The app could literally be tracking everything you do.

Unfortunately, many people don’t understand how location services can be used and disclosed. If the app Privacy Policy says it will collect your location when you have your location services on, and also says it will sell it and disclose it to others, and you agree, that is exactly what they are doing. The information is no longer private and the app developer can use and disclose it to others freely (and legally) because you consented to the collection and use of the location based data.

Tips for the week with location-based services:

  • understand which apps are tracking your location and how they are tracking it (read the description under “Location Alerts” in Privacy Settings under Location Services);
  • consider only allowing your location to be tracked when using a specific app;
  • turn location services off when not using specific apps or after using the app ;
  • check Privacy Settings frequently to see which apps have access to location (and other) services and frequently reset them;
  • Read Privacy Policies of apps you have already downloaded or are about to download to see what data they are collecting from you and how they are using and disclosing it to others;
  • Read the disclaimers when they pop up to ask for specific consent and make an educated decision on whether to allow the access and collection to your data;
  • Make an educated decision on whether you will allow others to have access to your location by reading and understanding the “Share My Location” section of the Location Services under Privacy Settings; and
  • Delete any apps that you are not comfortable with the Privacy Policies.

Like the unfortunate situation with the priest who resigned from his position because he was reportedly associated with Grindr based on location services, people are often surprised to find out how their location is tracked and used. Now is the time to re-check your privacy settings and reset them as necessary.

Location data is data that marks the longitude/latitude location of a smartphone or other device at a particular time, or over a period of time. It works like this: each day our device, which has a unique identifier or ID, uses or connects to multiple location signals, like GPS, Wi-Fi, Bluetooth, cell towers or other external location signals. Each location signal combined with an identifier permits you to plot the location of the device at a particular time, and the movement of the device over time. Carriers, private companies, and apps collect users’ location data, usually automatically and often even when you aren’t using the app. You can literally track a device’s physical location over the course of a day by the monitoring of the external location signals, tracking from a home to an office, to the grocery store, to the gym, to the beach. As you use your device to look up information, data is collected that flags your interests, such as vacation spots, new mattress models, restaurants, etc.

Your location data is then sold to aggregators, advertisers and marketers, sometimes in real time and usually without your express consent. Advertisers then use the location data to target relevant ads to your device. Ever wonder why the special offer for airline fare pops up into your social media app while you are looking up hotels in Hawaii? Law enforcement and government agencies are also interested in location data as it can be used to put a suspect near a crime scene. Using location data, they can determine whether a particular device owned by the suspect was used to make a phone call near a particular cell tower at a particular time. Given this value and interest, it is no surprise that location data market continues to grow. Lots of data brokers, aggregators and marketing companies are profiting from these currently legal transactions, which are based on our tracked movements and activities as we go about our day. The New York Times 2019 piece has an interesting visual view of location data.

These purveyors of this widely available location data claim it is anonymized. By that they mean while the ads are delivered to your device and your apps based on your location data, the advertisers don’t know your name. While the data usually doesn’t include your name or phone number, it can contain other information, such as your gender, your age and your unique device ID. It is also very easy to combine location data with other purchased or acquired data, such as real estate records or office location, which can permit the identification of individuals by name. There are many examples where location data has been used against specific individuals.

The most recent example involves a Catholic priest who was confronted with location data that showed the use of gay social “hook-up” app Grindr almost daily over multiple years from locations near his office and his work-owned home, as well as trips to gay bars in other cities during timeframes he was known to have been there for work events. After being confronted, the priest resigned his high profile position. Some of the details are still murky as to how the data was acquired and tied to a specific person. Nonetheless, this story is likely to further concerns about the collection, sharing and sale of location data.

AT&T was sued this week in the Northern District of California by customers alleging that AT&T sold their location data to data aggregators without their consent. The proposed class action suit was filed on behalf of all AT&T wireless customers from 2011 to date.

The suit alleges that AT&T sold customers’ location data to LocationSmart and Zumigo, third party service providers that provide location-based services to corporations without AT&T customers’ consent [view related post]. Wireless companies agreed to limit the sale of location data last year at the request of several members of Congress.

The suit alleges that AT&T failed to protect the customers’ confidentiality and that it has breached its duties to customers by disclosing location information to “thousands of third-parties for years.” According to the suit, AT&T’s sharing of location based information to third-parties was not transparent and customers were unaware that the information was being shared while they were using their phones.

The suit asks for monetary damages and an order to ban the sale of location based information.

AT&T denies the allegations, and has stated that it only shares location data with customers’ consent and that it stopped sharing location data with aggregators after it pledged to do so

Last week’s Privacy Tip centered on how our cell phone geolocation data is being sold by the telephone companies Cell Phone Geolocation Data Being Sold. I sent out an APB to readers to answer my question about how they can do this when I turn off my location based services. My question was “…the thing I want to know is whether your location can be tracked if your location based services are turned off?”

I received multiple answers, and here are the most helpful that I want to pass along to you:

One reader responded: “To answer your question, ‘I want to know whether your location can be tracked if your location based services are turned off?’ The answer is yes.

The information the phone companies are selling is gathered from the phone’s administration communications with the cell sites, “Hi. I’m here. I can accept a call.” The signal is picked up from multiple cell sites and is evaluated to determine which site is receiving the strongest signal. Location is determined by triangulation. While not precise, it can get you into the neighborhood.

If they were using the phone’s GPS-based location services the location would be within a few yards.”

Another reader sent me several links to other articles, one of which I found to be concerning, and the other very helpful. I hope they help:

https://theconversation.com/your-mobile-phone-can-give-away-your-location-even-if-you-tell-it-not-to-65443

https://www.wired.com/story/google-location-tracking-turn-off/

It has also been reported that Senator Ron Wyden renewed efforts for the Senate to adopt his legislation that bans the carriers from selling users’ location data, and expressed disappointment with the carriers, who previously “pledged to end these practices.”

We previously cautioned that telephone companies sell customer data to third parties, including location data [view related posts here]. Last year, the telecom industry pledged to stop the practice after pressure by members of Congress.

Earlier this month, Joseph Cox of Motherboard released I Gave a Bounty Hunter $300. Then He Located Our Phone and outlined how he gave the individual his phone number and the individual (called a bounty hunter) was able to find the “current location of most phones in the United States.” When he did so for Mr. Cox, the bounty hunter was able to locate the phone within a few blocks of where the individual was located.

According to Mr. Cox, “The bounty hunter did this all without deploying a hacking tool or having any previous knowledge or the phone’s whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves…” The article is fascinating and can be accessed here.

It is better to read it than for me to try to give it justice, but the thing I want to know is whether your location can be tracked if your location based services are turned off? I would love for someone to send me the answer, as I am a big fan of only using location based services when absolutely necessary (like when using ride-sharing apps or navigation). This is a tip to consider, particularly after reading the article.

A lawsuit filed late last week by Los Angeles City Attorney Michael Feuer alleges that TWC Product and Technology LLC (TWC), the company behind The Weather Company App, is collecting, disclosing, selling and monetizing users’ information without their consent.

According to the lawsuit, the weather app tracks real time geolocation data on 45 million users and sells that data to third parties for commercial use, advertising and profit.

The lawsuit alleges that the app tracks with “startling precision” the location information on where users live, work and move every second of the day, even when they are not using the app.

Although the app maintains that it obtains users’ consent for geolocation tracking, the Complaint alleges that TWC does not inform users that their geolocation information will be sold to third parties for advertising and other commercial purposes that are not related to providing services to the users. It states “Users therefore have no reason to believe that their geolocation information will be used for anything other than providing them with ‘personalized local weather data, alerts and forecasts, or other services directly relating to the app.”

According to the City Attorney, “This case goes to the core of one of today’s most fundamental issues: How do we maintain our privacy in the digital age? We believe Americans must have the facts before giving away our most personal information.”

This is another example of an app that is potentially gathering very specific information on consumers and monetizing it allegedly without consent. Before downloading apps, consumers may wish to evaluate the utility of the app that they are downloading, and research into how the app is collecting, disclosing, selling and using very personal information like tracking our location on a minute by minute basis.

Cell phones are a ubiquitous part of our modern life. It’s easy to forget that they are constantly tapping into the wireless networks around us several times a minute, even when we’re not using them. Each time a cell phone connects to a cell tower or cell site, it generates a time-stamped record known as Cell-Site Location Information (CSLI). Wireless carriers collect and store their customer’s increasingly precise CSLI generated from incoming calls, text messages, and routine data connections. Would you expect these CSLI records maintained by your service provider to remain private? What if the police wanted access to them as part of an investigation of a crime? Should they be expected to obtain a warrant in order to obtain them?

The recent U.S. Supreme Court case of Carpenter v. United States dealt with that very issue. In a 5-4 ruling, the Court held that “an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through CSLI.” Accordingly, the Court ruled that the government generally needs a warrant to collect customer’s location dates from cellphone companies. In so doing, the Court recognized that “[i]n light of the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection, the fact that such information is gathered by a third party does not make it any less deserving of Fourth Amendment protection.”

While this case was narrowly focused on historical CSLI data and the Fourth Amendment rights of a criminal defendant, and recognized that warrantless searches related to bomb threats, active shootings, and child abductions may still be approved, it nonetheless represents an important recognition by the Court of the interconnected, digital reality in which we now live. While the Court was careful to state that its decision is not intended to address anything other than the historical CSLI data at issue, other courts and litigants may seek to expand the Court’s reasoning and holding to other forms of cellphone and email data.

I have been watching several articles published by ZDNet with interest. First, ZDNet reported that “four of the largest cell giants in the US are selling your real-time location data to a company that you’ve probably never heard about before.” That company is LocationSmart, which touts itself as a data aggregator that has “direct connections” to the carriers in order to obtain locations from cell towers and provide it to law enforcement.

The back story is that a former sheriff used location data he obtained from Securus, a customer of LocationSmart, to conduct unauthorized surveillance without a warrant. The story was picked up by The New York Times and ZDNet, which then reported that our real-time location through our cell phone is being sold to this third-party company, which is then providing it to the police through a web portal. No doubt it is getting paid for the service. So the cell carriers are charging us a monthly fee for cell phone service, then selling our real-time location data to a third party company, which is selling it to law enforcement. I want a refund from my cell phone carrier. Although I do not keep my location-based services turned on, it is well known that the carriers still can track your location, but apps supposedly can’t.

If you are appalled, so is Senator Ron Wyden (D – OR), who sent a letter to the FCC last week demanding that this be investigated, and also to the four cell carriers demanding that they stop selling the data and to provide answers about the allegations.

After ZDNet reported on the sale of the phone location data, a researcher at Carnegie Mellon University started looking into LocationsSmart’s website and found a bug! According to ZDNet, “the real-time location data on millions of cell phone customers across North America had a bug in its website that allowed anyone to see where a person is located—without obtaining their consent.”

According to the researcher, when he went to LocationSmart’s website to “try-before-you-buy,” although the page requested express consent before location data could be used, “due to a very elementary bug in the website, you can just skip that consent part and go straight to the location…[T]here seems to be no security oversight here.” The researcher and ZDNET report that “the bug may have exposed nearly every cell phone customer in the US and Canada, some 200 million customers.” That probably includes me and you.

Senator Wyden issued a statement saying that this bug “represents a clear and present danger, not just to privacy but to the financial and personal security of every American family…The wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone…which poses ‘limitless’ dangers to consumers.”

OK, so this is not really a tip, but more of an OMG. What I want to know from my security colleagues is whether our location can be tracked by cell phone carriers while our cell phone is OFF?

I will update you on the answer to this question next week. I am going to turn my cell phone off now. Stay tuned.

Hyatt Hotels Corporation recently announced that it had identified malicious software code resulting in unauthorized access to customer payment card information. Hyatt disclosed that upon investigating the incident, it discovered unauthorized access to customer payment cards manually entered or swiped at the front desk of 41 Hyatt-managed locations in 11 countries between March 18, 2017, and July 2, 2017. A list of the affected locations and contact information for questions is available here. Hyatt states that cardholder name, card number, expiration date and internal verification codes were affected but that it has no indication that other information was involved. This is the second Hyatt breach in the past two years. The previous incident (describe here) involved credit card data at 250 locations in approximately 50 countries.

Facebook announced last week that it successfully completed a second test of an unmanned aerial system (UAS or drone) designed to carry internet access to remote parts of the world. Unlike Facebook’s first test for this task back in June 2016, the drone did not crash in this second test. Facebook plans to develop an entire fleet of drones that will fly for months at a time – powered entirely by sunlight –communicating with each other through lasers and extending internet connectivity to the ground below. During the first test in June, Facebook flew its drones above the Arizona desert for about an hour and a half, which was three times longer than it planned; but the drone crashed right before landing and ended up with a damaged wing. During this second test, which occurred back in May, the drone flew for about an hour and 45 minutes before landing near Yuma, Arizona, with only a few minor, easily-repairable dings. Before the second test flight, Facebook engineers added “spoilers” to the drones’ wings to increase drag and reduce lift during the landing approach which likely aided in the successful flight and landing. This is the beginning of a new revolution for Facebook and the internet, too.