Location Tracking

Your location data can reveal a lot about you: where you live, where you work, where you shop. It should be no surprise, then, that there is big demand for your location data. 

The location data market is a vast and multi-layered network of actors and technology. At one end is your phone, the source of much of the location data collected about you. Various entities collect the location data generated by your phone, including your telephone service provider, stores, adverting platforms, and phone apps. The collecting companies then sell your location data to aggregators, who then either package and resell the data to further brokers or sell data products directly to end users. Much of the location data market is centered around marketing analytics, but the government has also been a major purchaser of location data.

Apps Are Tracking Your Every Move

Many an app has likely prompted you to request access to your location. Sometimes, the app has a legitimate reason to access the information, like displaying your local weather. Sometimes, it doesn’t. In either case, the app may be selling your location data to a third party. 

Apps often capture your location information through third-party Software Development Kits, or “SDKs”, which are pieces of code that data aggregators write and make available to app developers to easily add functionality to their apps—and to create a data pipeline back to the data aggregator. SDK developers pay app developers that use their SDKs based on their app’s number of active users—the more people who use the app, the more location data the developer contributes to the aggregator’s dataset, and the more valuable the dataset. A single SDK can be found in hundreds of different apps, providing the data aggregator with location data on thousands or even millions of individuals.

Other ways companies collect your location 

Apps are not the only way data aggregators can get your location data. The four major telephone service providers have sold location data to aggregators, resulting in a $200 million fine from the FCC. Mobile ad companies also sell location data collected through a “bidstream,” which is data sent from a mobile device to an ad company that is used to determine what ad to serve the device. Stores and other service providers with physical locations also collect location data through bluetooth beacons, which are devices that collect information from your phone through bluetooth. Stores often use beacons to track your movement through a store and to serve ads related to the products you spend time near. They also sell this data to aggregators, who, along with all of their customers, now know you are in the market for a car or household furnishings.

Buying Location Data: The Government’s Run Around Carpenter

In 2018, the U.S. Supreme Court said in Carpenter v. United States that the government must get a warrant to obtain cell phone-generated location data that reveals a person’s past movements. But instead of getting a warrant, many government agencies have, instead, purchased location data from data brokers. The U.S. military has purchased access to X-Mode, which runs an SDK that is embedded in apps targeting Muslims. ICE, Customs and Border Protection (“CBP”), the IRS, the FBI, and the DEA have all purchased access to Venntel, which aggregates location data from 80,000 apps, including X-Mode apps. Many of the same agencies, along with the Secret Service, have purchased access to Locate X, which produces a product similar to Venntel. Lawmakers have introduced legislation to end this practice.

EPIC’s Work

EPIC has been working to stop apps from collecting and selling users’ location data without consent. One success story is EPIC’s case against AccuWeather, which resulted in AccuWeather changing its app to separate location access permissions for app function and for other purposes (i.e., sale to a third-party marketing company).