Location data poses risks to individuals, organizations

The market for you and your device’s location is enormous and growing. That data is collected by your network provider, by apps on your smart devices, and by the websites with which you engage. It is the holy grail of marketing, and infosec’s nightmare. 

Companies that produce location-tracking algorithms and technological magic are riding the hyper-personalized marketing rocket, which continues to expand at breathtaking speed. In the fall of 2021, Grandview Research estimated the U.S. market alone to be approximately $14 billion USD and expected it to expand at a compound annual growth rate (CAGR) of 15.6% from 2022 to 2030.

With growth projections of this size, the segment is no doubt considered a sweet sector in which to be engaged. It’s another example of the robust, cutting-edge infrastructure that IT and security departments support presenting new challenges with regularity.

Dangers of sharing location data

The long trail of data left by your employees when aggregated may provide competitors an overt means to deduce your company’s research and development efforts, identify public instances of your trade secrets and the cataloging the location of your employees and corporate assets. They may be as innocuous as who is attending the corporate customer convention, to who is working on the latest widget that will slice bread differently, or the pattern of executive engagement and movement prior or during crisis.  All of the above is expected in the world of competitive intelligence.

Another challenge that engineers and those who support these apps and algorithms may not have had in the calculus is how the information can be used against individuals as opposed to for the benefit of the individual. Yet such is the case within the context of the Roe v Wade case before the Supreme Court of the United States and the various anti-abortion laws that have been passed in some of the states within the U.S.

Indeed, Vice magazine’s article “Data Broker Is Selling Location Data of People Who Visit Abortion Clinics” noted how, “It costs just over $160 to get a week’s worth of data on where people who visited Planned Parenthood came from, and where they went afterwards.” The piece continues with the identification of the entity selling the data, SafeGraph: “SafeGraph ultimately obtains location data from ordinary apps installed on peoples’ phones. Often app developers install code, called software development kits (SDKs), into their apps that sends users’ location data to companies in exchange for the developer receiving payment.” While Safeguard declined to comment directly to Vice, the CEO did publish a denial via a Tweet.

Surveillance Technology Oversight Project Research Director Eleni Manis commented how the organization’s report on the use of technology to track women “lays out the steps that states, abortion providers, and tech companies must take to improve privacy protections for pregnant people, while also describing the steps pregnant people can take to protect themselves from digital surveillance.”

The Markup did a deep dive into the industry and located 47 different companies involved in the data location sector in September 2021. Its story highlighted how data from a Muslim prayer app was sold to military contractors. A Catholic news outlet used data to track a gay priest who frequented gay bars. Another data company sold data to the U.S. government for use in support of immigration monitoring. Separately, social media was alight with warnings that apps that women use to track their menstrual periods were being harvested to identify those who may be pregnant by anti-abortion entities and law enforcement in some states.

SDKs to add location tracking to other apps

The most interesting data point drawn from the Markup piece is the clarity in its explanation on how the various data aggregators create SDKs that are available for licensing, oftentimes at no cost, for integration into an entity’s application. Thus, the application’s developers have the functionality provided by the SDK and the company who developed the SDK is harvesting the data for their use.

Growing pressure to regulate use of location data

The collection and use of data to identify pregnant women who may be exercising their healthcare choices was the proverbial straw that broke the camel’s back with respect to congressional interest. A letter addressed to U.S. FTC Chairman Lina Khan, signed by 16 senators, requested the FTC to investigate this lightly regulated sector. What measures is the FTC taking to ensure individuals have the right to review and remove their information online and assist them should their data be sold or if they become victim to a breach? Their questions:

• How does the FTC plan to mitigate harms posed by mobile phone apps that are developed to collect and sell location data? How is the FTC educating individuals about how to identify apps that collect and sell their location data?
• What is the FTC doing to coordinate with Department of Justice, states and localities, health care providers and private stakeholders to prevent data brokers and others from gaining access to the personal information of women and their healthcare decisions?
• Does the FTC need additional resources to better protect women from having their personal location data bought and disseminated by data brokers?

While the letter requested the FTC provide answers, the questions should also serve to guide every company that engages in evolving commercial offerings or creating SDKs for embedding by others as to the focus of those who create the laws of the land.