Back in September, Facebook updated its location privacy settings for users. "Facebook is better with location," the company stressed, but users were free to turn off location tracking, and the company would be happy to tell them how. That setting, however, comes with an enormous loophole, and two US senators want the company to explain itself.

Senators Chris Coons (D-Del.) and Josh Hawley (R-Mo.) today sent a letter (PDF) to Facebook asking the company how, exactly, it tracks users' locations—even when location access and location history are disabled.

"We appreciate Facebook's attempt to proactively inform users about their privacy options," the senators wrote. "However, we are concerned that Facebook may not in fact be offering users the level of control that the company suggests these settings provide."

That choice of language is diplomatic indeed, given how often in the past Facebook has been accused of misleading users when it comes to users' privacy, drawing attention from both US and EU regulators.

"If a user has decided to limit Facebook's access to his or her location, Facebook should respect these privacy choices," Sens. Coons and Hawley stress, expressing concerns that Facebook does not respect those choices at all.

What Facebook does

Facebook in September published a blog post clarifying the way it gathers user location data from its mobile apps. Fall updates in both Android (to Android 10) and iOS (to iOS 13) spurred the changes, Facebook said at the time, with both operating systems allowing for more granular location sharing control.

For Android users, Facebook said it will "continue to respect your most restrictive settings choice." The social media giant also explained, "if your device location setting is set to 'all of the time' but your Facebook background location setting is off, we won't collect your precise location information when you're not using the Facebook app."

Facebook also explained the changes for iOS users. In addition to the three existing location settings—always, never, or only when in use—iOS users gained an "allow once" option for location data. That's in addition to additional notifications about when an app is using your precise location, as well as how many times the app accesses that information.

What Facebook left out

In one line near the end of the blog post, Facebook writes, "We may still understand your location using things like check-ins, events, and information about your Internet connection." That's the element Sens. Coons and Hawley zero in on.

GPS is great for super-precise pinpointing, but it's not wholly necessary for tracking your movements in a more general sense. You can get a less specific but still pretty accurate read on a device's location by examining information about the Wi-Fi network or cellular data network it's connected to. Facebook is far from the only app to take advantage of this kind of data, but its sheer size and history of repeated bad behavior have landed it in Congress's crosshairs.

Disabling Facebook's granular location settings has very little effect on what ads are targeted to you based on your location, as researcher Aleksandra Korolova explained in 2018. Data relating to IP address, Wi-Fi, and Bluetooth connections are enough for the platform to target you for location-based ads.

"Given that most mobile devices are connected to the Internet nearly all the time, whether through a cellular network or a Wi-Fi connection, this practice would allow Facebook to collect user location data almost constantly, irrespective of the user's privacy preferences," the senators note. They add that users who turn location services off "could reasonably be under the misimpression that their selection limits all of Facebook's efforts to extract location information."

"How frequently does Facebook collect location data based on information about a user's Internet connection when a user has turned off or limited location services?" the senators ask. They also seek information about how "precise" location information differs from all that other location information. And, importantly, they include: "Is it possible for a user to configure his or her privacy settings such that Facebook never monetizes any location information about that user?"

Sens. Coons and Hawley give Facebook until December 12 to respond to the request for information.