New York Times analyzes a leaked set of location data from a private broker, sounds the alarm

In 2017, a string of reports revealed that data-brokers were acquiring and linking titanic sets of location data from apps and mobile carriers and mining that data (and sometimes selling it outright). The carriers promised they'd end the practice, but they were lying. A year later, fresh reports surfaced of both app- and carrier-derived location data being sold, often by companies whose lack of elementary security meant that the data was effectively available to anyone. Then we learned that carriers were supplying fine-grained, realtime location data that was ending up in the hands of bounty hunters, skip tracers, and crooks and stalkers (naturally Ajit Pai's FCC had helped them get away with it0.

Now, the New York Times has obtained a file of app-derived location data of the sort amassed by brokers, composed of 50b location "pings" from 50m Americans' devices.

In an extraordinary piece of journalism, the Times shows just how easy it is to positively identify people in the data-set and then follow them: whether that's senior political officials, celebrities, protesters, cops, or the families and friends of all of the above. The writers describe how they were able to identify overnight visitors to the Playboy mansion, follow journalists as they talked with sources, and watch who came and went from massage parlors, methadone clinics, the White House, and more. They followed a tech exec as he left his employer's campus and interviewed for a job at its major rival, and tracked the children of police officers as they went to school and to friends' houses.

The companies say they don't share the data, but as the Times points out, data leaks like crazy. The companies say they anonymize the data, but as the Times points out, location data is the easiest data to re-identify.

All of this comes from a single leak from a single company. It's a sliver of a slice of a grain of the location data generated by our devices and warehoused by brokers we've never heard of, who use it in ways we're not privy to.

The brokerages self-regulate, with a self-serving code of conduct.

The Times doesn't think we'd be happy with the way that data is being used: "If you could see the full trove, you might never use your phone the same way again."

Location data is transmitted from your phone via software development kits, or S.D.Ks. as they’re known in the trade. The kits are small programs that can be used to build features within an app. They make it easy for app developers to simply include location-tracking features, a useful component of services like weather apps. Because they’re so useful and easy to use, S.D.K.s are embedded in thousands of apps. Facebook, Google and Amazon, for example, have extremely popular S.D.K.s that allow smaller apps to connect to bigger companies’ ad platforms or help provide web traffic analytics or payment infrastructure.

But they could also sit on an app and collect location data while providing no real service back to the app. Location companies may pay the apps to be included — collecting valuable data that can be monetized.

“If you have an S.D.K. that’s frequently collecting location data, it is more than likely being resold across the industry,” said Nick Hall, chief executive of the data marketplace company VenPath.

Twelve Million Phones, One Dataset, Zero Privacy [Stuart A. Thompson and Charlie Warzel/New York Times]