Anyone who has ever granted a third-party app access to Location Services could be in a location-tracking database of 12 million phones, says a new report today. And while this database is the largest one yet examined, it represents just a small fraction of the location data bought and sold every day.

The report says that the privacy policies of many apps allow their developers to share your location with ‘trusted partners,’ which could be code for ‘companies who want to buy location data’…

The New York Times carried out a deep dive into the database, which included the locations of people in the Pentagon and White House, among other sensitive locations.

Every minute of every day, everywhere on the planet, dozens of companies — largely unregulated, little scrutinized — are logging the movements of tens of millions of people with mobile phones and storing the information in gigantic data files. The Times Privacy Project obtained one such file, by far the largest and most sensitive ever to be reviewed by journalists. It holds more than 50 billion location pings from the phones of more than 12 million Americans as they moved through several major cities, including Washington, New York, San Francisco and Los Angeles. Each piece of information in this file represents the precise location of a single smartphone over a period of several months in 2016 and 2017 […] It originated from a location data company, one of dozens quietly collecting precise movements using software slipped onto mobile phone apps. You’ve probably never heard of most of the companies — and yet to anyone who has access to this data, your life is an open book. They can see the places you go every moment of the day, whom you meet with or spend the night with, where you pray, whether you visit a methadone clinic, a psychiatrist’s office or a massage parlor […] If you lived in one of the cities the dataset covers and use apps that share your location — anything from weather apps to local news apps to coupon savers — you could be in there, too. If you could see the full trove, you might never use your phone the same way again.

The paper says that the location-tracking database was sent to it by sources concerned by the practice of selling the data and alarmed by the potential for abuse. It notes that selling such data is perfectly legal.

The data is supposed to be anonymous, but a previous NY Times piece debunked this claim.

The paper was able to identify specific individuals from some location patterns, and found that one iOS app was passing exact location data to a total of 40 different companies […] [One phone] leaves a house in upstate New York at 7 a.m. and travels to a middle school 14 miles away, staying until late afternoon each school day. Only one person makes that trip: Lisa Magrin, a 46-year-old math teacher. Her smartphone goes with her. An app on the device gathered her location information, which was then sold without her knowledge.

Today’s piece underlines just how easy it is to identify specific individuals.

In most cases, ascertaining a home location and an office location was enough to identify a person. Consider your daily commute: Would any other smartphone travel directly between your house and your office every day? Describing location data as anonymous is “a completely false claim” that has been debunked in multiple studies, Paul Ohm, a law professor and privacy researcher at the Georgetown University Law Center, told us. “Really precise, longitudinal geolocation information is absolutely impossible to anonymize.”

The paper proved this by identifying and tracking sensitive individuals.

With the help of publicly available information, like home addresses, we easily identified and then tracked scores of notables. We followed military officials with security clearances as they drove home at night. We tracked law enforcement officers as they took their kids to school […] We spotted a senior official at the Department of Defense walking through the Women’s March [and] to a high school, homes of friends, a visit to Joint Base Andrews, workdays spent in the Pentagon and a ceremony at Joint Base Myer-Henderson Hall with President Barack Obama in 2017.

The paper was able to identify everything in the location-tracking database from people attending job interviews to those meeting up for a few hours at a time in motels.

Facebook recently admitted that it tracked user locations even when tracking was toggled off.

The full, lengthy NYT piece is well worth reading.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news: