Third-Party Apps on iOS and Android Share Granular Location Data With Advertisers and Hedge Funds

Jennifer Valentino-DeVries, Natasha Singer, Michael H. Keller and Aaron Krolik of the New York Times analyzed dozens of apps and their privacy policies, as well as a location database of a million phones solely in the New York area:

At least 75 companies receive anonymous, precise location data from apps whose users enable location services to get local news and weather or other information, The Times found. Several of those businesses claim to track up to 200 million mobile devices in the United States — about half those in use last year. The database reviewed by The Times — a sample of information gathered in 2017 and held by one company — reveals people’s travels in startling detail, accurate to within a few yards and in some cases updated more than 14,000 times a day.

[…]

Businesses say their interest is in the patterns, not the identities, that the data reveals about consumers. They note that the information apps collect is tied not to someone’s name or phone number but to a unique ID. But those with access to the raw data — including employees or clients — could still identify a person without consent. They could follow someone they knew, by pinpointing a phone that regularly spent time at that person’s home address. Or, working in reverse, they could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there.

Many location companies say that when phone users enable location services, their data is fair game. But, The Times found, the explanations people see when prompted to give permission are often incomplete or misleading. An app may tell users that granting access to their location will help them get traffic information, but not mention that the data will be shared and sold. That disclosure is often buried in a vague privacy policy.

Nicole Nguyen of BuzzFeed in May:

Apple and Google’s policies prohibit sharing or selling user data with third parties unrelated to improving the app experience or displaying ads in the app.

In emailed statements to BuzzFeed News, an Apple spokesperson wrote that “immediate action” is taken on policy violators, while a Google representative said, “We have policies that disallow apps in Google Play that are deceptive or misuse personal data, and we remove apps that violate our policies.”

But it’s easy for developers to evade detection. Trackers are tucked away in the app’s codebase, and developers can share user data outside of their apps by uploading it to a server.

This is the kind of thing I would expect Apple and Google to actively police in their app marketplaces, but there is a very difficult line to draw primarily because of companies like Google. My dream would be for developers to be outright banned from using location data other than for direct user tasks: checking the weather, looking at a map, location-based reminders, and so on. Perhaps Apple could implement something similar to Safari’s intelligent tracking prevention at the system level.

App developers should, at the very least, be required to be completely forthright in their permissions request dialogs. If a developer is scooping and selling user data, they should be able to defend that practice to users in language that they can understand; if they cannot, then perhaps that’s a practice they should cease.

A completely understandable yet indefensible reason developers engage in this is that users generally refuse to pay for apps. Good developers need to be financially supported with business models that we can understand and which do not compromise our fundamental privacy rights in such a callous and needless way.