App-based location data has been used against individuals, and that presents real risks for those people and organizations.

The market for you and your device’s location is enormous and growing. That data is collected by your network provider, by apps on your smart devices, and by the websites with which you engage. It is the holy grail of marketing, and infosec’s nightmare. Companies that produce location-tracking algorithms and technological magic are riding the hyper-personalized marketing rocket, which continues to expand at breathtaking speed. In the fall of 2021, Grandview Research estimated the U.S. market alone to be approximately $14 billion USD and expected it to expand at a compound annual growth rate (CAGR) of 15.6% from 2022 to 2030. With growth projections of this size, the segment is no doubt considered a sweet sector in which to be engaged. It’s another example of the robust, cutting-edge infrastructure that IT and security departments support presenting new challenges with regularity.

Dangers of sharing location data

The long trail of data left by your employees, when aggregated, may give competitors an overt means to deduce your company’s research and development efforts, identify public instances of your trade secrets, and catalog the location of your employees and corporate assets. The findings may range from something as innocuous as who is attending the corporate customer convention, to who is working on the latest widget that will slice bread differently, or the pattern of executive engagement and movement before or during a crisis. All of the above is expected in the world of competitive intelligence. Another challenge that engineers and those who support these apps and algorithms may not have factored into the calculus is how the information can be used against individuals rather than for their benefit.
Yet such is the case within the context of the Roe v Wade case before the Supreme Court of the United States and the various anti-abortion laws that have been passed in some of the states within the U.S. Indeed, Vice magazine’s article “Data Broker Is Selling Location Data of People Who Visit Abortion Clinics” noted how, “It costs just over $160 to get a week’s worth of data on where people who visited Planned Parenthood came from, and where they went afterwards.” The piece continues with the identification of the entity selling the data, SafeGraph: “SafeGraph ultimately obtains location data from ordinary apps installed on peoples’ phones. Often app developers install code, called software development kits (SDKs), into their apps that sends users’ location data to companies in exchange for the developer receiving payment.” While SafeGraph declined to comment directly to Vice, the CEO did publish a denial via a Tweet.

Surveillance Technology Oversight Project Research Director Eleni Manis commented how the organization’s report on the use of technology to track women “lays out the steps that states, abortion providers, and tech companies must take to improve privacy protections for pregnant people, while also describing the steps pregnant people can take to protect themselves from digital surveillance.”

The Markup did a deep dive into the industry and located 47 different companies involved in the location-data sector in September 2021. Its story highlighted how data from a Muslim prayer app was sold to military contractors. A Catholic news outlet used data to track a gay priest who frequented gay bars. Another data company sold data to the U.S. government for use in support of immigration monitoring.
Separately, social media was alight with warnings that data from the apps women use to track their menstrual periods was being harvested to identify those who may be pregnant, by anti-abortion entities and by law enforcement in some states.

SDKs to add location tracking to other apps

The most interesting data point drawn from the Markup piece is the clarity of its explanation of how the various data aggregators create SDKs that are available for licensing, oftentimes at no cost, for integration into an entity’s application. Thus, the application’s developers get the functionality provided by the SDK, and the company that developed the SDK harvests the data for its own use.

Growing pressure to regulate use of location data

The collection and use of data to identify pregnant women who may be exercising their healthcare choices was the proverbial straw that broke the camel’s back with respect to congressional interest. A letter addressed to U.S. FTC Chairman Lina Khan, signed by 16 senators, requested that the FTC investigate this lightly regulated sector. Their questions:

What measures is the FTC taking to ensure individuals have the right to review and remove their information online, and to assist them should their data be sold or if they become the victim of a breach?
How does the FTC plan to mitigate harms posed by mobile phone apps that are developed to collect and sell location data?
How is the FTC educating individuals about how to identify apps that collect and sell their location data?
What is the FTC doing to coordinate with the Department of Justice, states and localities, health care providers and private stakeholders to prevent data brokers and others from gaining access to the personal information of women and their healthcare decisions?
Does the FTC need additional resources to better protect women from having their personal location data bought and disseminated by data brokers?

While the letter requested that the FTC provide answers, the questions should also serve to guide every company that engages in evolving commercial offerings or creating SDKs for embedding by others as to the focus of those who create the laws of the land.
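A defender-side check that follows from the SDK section above: if an embedded SDK ships location data to its vendor, that transfer is visible in the app's outbound traffic. The script below is an added example, not code from the article or from any company it names. It scans constructed egress records (the kind a debugging proxy captures from an app under review) and flags requests that carry coordinate-like values to hosts outside the app's own first-party domains. The domains, the coordinate key list and the sample records are all assumptions made for illustration.

```python
"""Flag outbound app traffic that carries location data to third parties.

Constructed example: given per-request egress records captured from an app
under review, report requests that send coordinate-like values to hosts
outside the app's first-party domains. Hosts, keys and records are invented.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical first-party domains for the app being reviewed.
FIRST_PARTY = {"api.example-app.test"}

# Query/JSON keys commonly used for coordinates (assumption: a starting list
# a reviewer extends after looking at real traffic).
COORD_KEYS = {"lat", "latitude", "lng", "lon", "long", "longitude", "geo", "location"}

# Decimal-degree pair such as "37.7749,-122.4194" inside any string value.
COORD_PAIR = re.compile(r"(?<![\d.])-?\d{1,2}\.\d{3,}\s*,\s*-?\d{1,3}\.\d{3,}(?![\d.])")


def _walk(value):
    """Yield (key, leaf) pairs from nested JSON-like data."""
    if isinstance(value, dict):
        for k, v in value.items():
            if isinstance(v, (dict, list)):
                yield from _walk(v)
            else:
                yield k, v
    elif isinstance(value, list):
        for v in value:
            yield from _walk(v)


def _coord_indicator(pairs):
    """Return the first key whose name or value looks like a coordinate, else None."""
    for key, leaf in pairs:
        if str(key).lower() in COORD_KEYS:
            return str(key)
        if isinstance(leaf, str) and COORD_PAIR.search(leaf):
            return str(key)
    return None


def inspect_request(record):
    """Return a finding for one egress record, or None if it carries no coordinates.

    record = {"url": str, "body": str or None}  (constructed record format)
    """
    parts = urlsplit(record["url"])
    host = parts.hostname or ""
    pairs = [(k, v) for k, vs in parse_qs(parts.query).items() for v in vs]
    body = record.get("body")
    if body:
        try:
            pairs.extend(_walk(json.loads(body)))
        except ValueError:
            pairs.append(("body", body))  # non-JSON body: scan it as one string
    indicator = _coord_indicator(pairs)
    if indicator is None:
        return None
    return {"host": host, "indicator": indicator, "third_party": host not in FIRST_PARTY}


def scan(records):
    """Return only the findings where location data leaves for a third-party host."""
    findings = (inspect_request(r) for r in records)
    return [f for f in findings if f and f["third_party"]]


# Constructed egress records, shaped like a proxy's request log.
SAMPLE_RECORDS = [
    {"url": "https://api.example-app.test/v1/weather?lat=40.7128&lon=-74.0060", "body": None},
    {"url": "https://collect.sdk-vendor.test/v2/events",
     "body": json.dumps({"event": "app_open",
                         "device": {"geo": {"latitude": 40.7128, "longitude": -74.0060}}})},
    {"url": "https://cdn.sdk-vendor.test/config.json", "body": None},
    {"url": "https://ingest.ads-partner.test/beacon?loc=40.71280%2C-74.00600", "body": None},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(f"location data sent to third party {finding['host']} via '{finding['indicator']}'")
```

The first-party weather call is reported as clean because the destination is the app's own API; the SDK event upload and the ad beacon are flagged, the latter by the coordinate pair in a value whose key ("loc") is not on the key list. In a real review the key list and first-party set are tuned per app, and a hit is the starting point for asking whether the SDK's data flow is documented in the privacy policy and whether the app needs to hand precise location to that SDK at all.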