Every minute of every day, everywhere on the planet, dozens of companies — largely unregulated, little scrutinized — are logging the movements of tens of millions of people with mobile phones and storing the information in gigantic data files. The Times Privacy Project obtained one such file, by far the largest and most sensitive ever to be reviewed by journalists. It holds more than 50 billion location pings from the phones of more than 12 million Americans as they moved through several major cities, including Washington, New York, San Francisco and Los Angeles.
Each piece of information in this file represents the precise location of a single smartphone over a period of several months in 2016 and 2017. The data was provided to Times Opinion by sources who asked to remain anonymous because they were not authorized to share it and could face severe penalties for doing so. The sources of the information said they had grown alarmed about how it might be abused and urgently wanted to inform the public and lawmakers.
We all know this is happening, yet there’s very little we can do about it – save for living far away in the woods, disconnected from everything. There’s cameras everywhere, anything with any sort of wireless connection – from smartphone to dumbphone – is tracked at the carrier level, and even our lightbulbs are ‘smart’ these days.
Yet, despite knowing this is happening, it’s still eye-opening to see it in such detail as discovered by The New York Times.
It depends. Sure, cameras are a problem, but I can’t be the only Canadian who considers a smartphone plan to be too expensive to be tracked that way.
As far as IoT goes…
1. I’ve always thought smart lightbulbs (i.e. smart disposables) were a stupid idea compared to smart sockets or smart light switches, and I chose X10 for those because it was the cheapest option… X10 is a 1975 wire protocol implemented in ASICs with no IoT capability. (Bridging into a PC is done using open-source software and either a USB 1.1 or RS-232 transceiver, neither of which supports DMA.)
2. I avoid those sorts of “Internet connectivity required” IoT things like the plague, because I want my devices to be obsolete when *I* say so.
TV box? Give me something like a Raspberry Pi with no kernel-mode driver blobs and people willing to make a build of something like OpenELEC.
Wireless smart sensors? Give me an ESP8266 or ESP32 dev board and I’ll build something which spews UDP at an open-source daemon on my PC (which can be Firejail’d to only a UDP listening port on the local subnet) and either requires a reflash to configure or only cares about things beyond bridging raw sensor output to UDP (with minimal processing that could be gotten wrong) and listening for DHCP lease grants while a pairing button is being held down.
Gah! There really needs to be an option to edit these, so overlooked typos can be fixed.
I heard several complaints about this lately, but I just posted a reply and got the 5 minute edit option (Chrome)
[rough math following because of imprecise data provided]
50 billion location pings for 12 million Americans means about 4000 pings per person. This was done in a period of several months in 2016 and 2017, so let’s assume 6 months. That comes out to about… 1 data-point per hour
Incredibly well made piece and webpage!
Am I the only one who doesn’t go around with the GPS and mobile data enabled 24×7? I use my cell phone mainly as a phone for, you know, calling people. I only enable WiFi temporarily as needed when I’m at home. Mobile data is expensive, so I only enable it for a few seconds if needed when I’m away from home. And I enable the GPS only when I’m lost, which is usually in rural areas that don’t have any cell service. I guess this is an old habit from the bad old days of mobile devices that drained their battery much faster when additional connectivity was enabled, but it also just seems like common sense. I bet that a large number of people that moan and groan about their data privacy are the same ones that voluntarily and indiscriminately post their full name, location, and even photos of their personal life together with detailed descriptions of what they’re doing for billions to see. So I’m not defending the tech giants, but you can’t protect people from their own ignorance and naiveté.
rahim123,
There’s a couple things to unpack. Most people keep their cell phones on to receive texts and calls, and many use wifi to minimize being billed for cellular data. Obviously you are an outlier, but I don’t think your accusations of others are particularly fair: many people who are cellular subscribers are not indiscriminately posting data for billions to see.
The article doesn’t say exactly where this data dump came from, they only said this…
Which rules out the likes of google in this case, although google’s location tracking must be one of the more comprehensive location tracking databases. It’s important to note that android has an alternative geolocation mechanism by analyzing strength of nearby cell/APs. Google was itself guilty of tracking even those android users who explicitly opted out. They got me and I did my damnedest not to be tracked by google, and for all you know they might have gotten you too. They literally ignored the dialog boxes where users explicitly withheld consent to be tracked.
https://dpoblog.eu/google-is-tracking-location-of-users-without-consent
This article is not about google anyways, but it is concerning. Another obvious party is the telcos themselves, who triangulate users via their tower connectivity. They track virtually everyone with a cell phone that’s turned on, and that’s unavoidable, but the article says their data set came from installed apps, which theoretically should be avoidable if you knew which ones they were, which we can’t know. I wish they’d say who it was, but I’d say the odds are very high that the data came from one of the mobile app advertising networks. The app developers themselves often outsource advertising to a more capable company, but they might not even be totally aware of what their own advertising partners are doing with user tracking.
Heck, even innocuous websites can have anti-features when it comes to unwanted tracking. I don’t like that wordpress right here on osnews automatically opens youtube videos that track us without even clicking, allowing google to install cookies and track us. Also, gravatar’s API (used here on osnews and millions of wordpress and other sites throughout the web) explicitly shares a hash of email addresses, which are not otherwise encrypted. As a user you cannot disable this. This harms privacy in two different ways: 1) it’s absolutely trivial for absolutely anyone to correlate accounts across separate websites if you use the same email to sign up; the same email means the same hash 2) it’s computationally intensive, but nevertheless feasible to brute force the md5sum to extract the email addresses themselves. When osnews did the wordpress transition a while back I raised the issue and reversed a couple addresses just to show that it was in fact possible. There was talk about letting us opt-out of publishing gravatar email hashes, but it never came to fruition and it remains insecure here on osnews and millions of other websites. People who use a well known service like gmail are especially vulnerable because it significantly cuts down on search space. Anybody could be taking advantage of these vulnerabilities, probably the NSA, maybe google & other advertisers? Who knows.
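Added example, not part of the original comment thread or of any site's code: a sketch of the two Gravatar-hash problems described in the comment above (cross-site linkability and guessability of an unkeyed MD5 of the address), next to a site-keyed HMAC identifier as one possible mitigation. The keys, addresses and function names are constructed for illustration.

```python
import hashlib
import hmac

def gravatar_style_hash(email: str) -> str:
    """Unkeyed scheme from the comment: MD5 of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()

def site_scoped_id(email: str, site_key: bytes) -> str:
    """Assumed mitigation: HMAC-SHA256 under a secret that only one site holds."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(site_key, normalized, hashlib.sha256).hexdigest()

def linkable(id_on_site_a: str, id_on_site_b: str) -> bool:
    """Two published identifiers that match let anyone correlate the accounts."""
    return hmac.compare_digest(id_on_site_a, id_on_site_b)

def guessable(published_id: str, candidates, hash_fn) -> bool:
    """True if someone holding only a candidate list can confirm the address."""
    return any(hmac.compare_digest(hash_fn(c), published_id) for c in candidates)

# Constructed sample data (example.com addresses, made-up keys).
USER = "Alice.Example@example.com "
SITE_A_KEY = b"constructed-secret-for-site-a"
SITE_B_KEY = b"constructed-secret-for-site-b"
CANDIDATES = ["bob@example.com", "alice.example@example.com", "carol@example.com"]

def demo() -> dict:
    # Same address entered on two sites; case and whitespace normalize away.
    unkeyed_a = gravatar_style_hash(USER)
    unkeyed_b = gravatar_style_hash("alice.example@example.com")
    keyed_a = site_scoped_id(USER, SITE_A_KEY)
    keyed_b = site_scoped_id(USER, SITE_B_KEY)
    # An outsider does not know the site key, so any key they try is a guess.
    outsider_hash = lambda c: site_scoped_id(c, b"outsider-guess")
    return {
        "unkeyed_linkable": linkable(unkeyed_a, unkeyed_b),
        "unkeyed_guessable": guessable(unkeyed_a, CANDIDATES, gravatar_style_hash),
        "keyed_linkable": linkable(keyed_a, keyed_b),
        "keyed_guessable": guessable(keyed_a, CANDIDATES, outsider_hash),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A site using the keyed identifier has to fetch and serve the avatar itself, since a third-party avatar service cannot resolve an identifier it does not hold the key for.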
You don’t need GPS or mobile data to achieve this. Mobile phone location can be done by triangulating the location of the cell towers you’re connected to. Even if you don’t have a SIM card, the mobile phone still connects to them for emergency call purposes.
Ironically, a Wi-Fi only device is probably the most anonymous option, especially considering that calls and SMS can be tampered with.