Facebook targets users with location-based adverts even if they block the company from accessing GPS on their phones, turn off location history in the app, hide their work location on their profile and never use the company’s “check in” feature, according to an investigation published this week.

There is no combination of settings that users can enable to prevent their location data from being used by advertisers to target them, according to the privacy researcher Aleksandra Korolova. “Taken together,” Korolova says, “Facebook creates an illusion of control rather than giving actual control over location-related ad targeting, which can lead to real harm.”

Facebook users can control to an extent how much information they give the company about their location. At the most revealing end, users may be happy to enable “location services” for Facebook, allowing their iPhone to provide ultra-precise location data to the company, or they may “check in” to shops, restaurants and theatres, telling the social network where they are on a sporadic basis.

But while users can decide to give more information to Facebook, Korolova revealed they cannot decide to stop the social network knowing where they are altogether nor can they stop it selling the ability to advertise based on that knowledge.

Despite going to as much trouble as possible to minimise the location data received by the social network, the researcher wrote, “Facebook showed me ads targeted at ‘people who live near Santa Monica’ (which is where I live) or ‘people who live or were recently near Los Angeles’ (which is where I work). Moreover, I have noticed that whenever I travel for work or pleasure, Facebook continues to keep track of my location and use it for advertising: a trip to Glacier national park resulted in an ad for activities in Whitefish, Montana; a trip to Cambridge, MA, in an ad for a business there; and a visit to Herzliya, Israel, in an ad for a business there.

“Some of the explanations by Facebook for why I am seeing a particular ad even mention specifically that I am seeing the ad because I was ‘recently near their business’.”

The experience was mirrored by the Guardian reporter Julia Carrie Wong, who discovered in April that the site “knows that I took reporting trips to Montana and Seattle and San Diego, despite the fact that I have never allowed it to track me by GPS”.

Facebook tells advertisers that it learns user locations from the IP address, wifi and Bluetooth data, Korolova says.

In its pitch to advertisers, Facebook says: “Local awareness ads were built with privacy in mind […] People have control over the recent location information they share with Facebook and will only see ads based on their recent location if location services are enabled on their phone.” Korolova says her findings show that “this claim is false”.

The academic argues that Facebook needs to offer the ability to opt out of location use entirely, “or, at the very least, an ability to meaningfully specify the granularity of its use and exclude particular areas from being used”.

In 2015, according to leaked emails published by the UK parliament, the team behind a particular version of location-based advertising, which used Bluetooth “beacons” to track users’ shopping habits without resorting to uploading GPS data, was particularly concerned about appearing “scary”.

“We’re still in a precarious position of scaling without freaking people out,” wrote a Facebook product manager in charge of the location-tracking technology. “If a negative meme were to develop around Facebook Bluetooth beacons, businesses could become reticent to accept them from us.”

Facebook said in a statement: “Facebook does not use wifi data to determine your location for ads if you have location services turned off. We do use IP and other information such as check-ins and current city from your profile. We explain this to people, including in our Privacy Basics site and on the About Facebook Ads site.”