New York Times Journalists Received Location Data and Were Easily Able to De-Anonymize It

Stuart A. Thompson and Charlie Warzel, New York Times:

Every minute of every day, everywhere on the planet, dozens of companies — largely unregulated, little scrutinized — are logging the movements of tens of millions of people with mobile phones and storing the information in gigantic data files. The Times Privacy Project obtained one such file, by far the largest and most sensitive ever to be reviewed by journalists. It holds more than 50 billion location pings from the phones of more than 12 million Americans as they moved through several major cities, including Washington, New York, San Francisco and Los Angeles.

Each piece of information in this file represents the precise location of a single smartphone over a period of several months in 2016 and 2017. The data was provided to Times Opinion by sources who asked to remain anonymous because they were not authorized to share it and could face severe penalties for doing so. The sources of the information said they had grown alarmed about how it might be abused and urgently wanted to inform the public and lawmakers.

After spending months sifting through the data, tracking the movements of people across the country and speaking with dozens of data companies, technologists, lawyers and academics who study this field, we feel the same sense of alarm. In the cities that the data file covers, it tracks people from nearly every neighborhood and block, whether they live in mobile homes in Alexandria, Va., or luxury towers in Manhattan.

The page that delivers this alarming news also contains analytics scripts from a dizzying number of third-party providers. Their app contains user tracking SDKs provided by ComScore, Google (Firebase), and Localytics. If you’re a U.S.-based print subscriber, the Times will sell your address to third-party companies without telling you.

Yes, there absolutely should be laws in place that restrict how this data may be collected and shared. But the parties controlling websites and apps also bear responsibility for the privacy-destroying software they include, and business practices that are similarly compromising.

Update: To their credit, the Times provides a decent guide to setting up your phone for better privacy protections, and they have previously acknowledged that they collect visitor data. It is not the fault of Thompson and Warzel that their employer uses tracking technologies on the very investigation that points to abuses of collecting this information. But it is their employer’s responsibility to understand what they’re reporting and change their practices.