Should it be illegal for your phone to track your movements? | The Tylt
Most cell phone users are unaware of the way their movements are being tracked and shared. The New York Times talked to one woman, Lisa Magrin, a 46-year-old math teacher from upstate New York, whose location was recorded and shared over 8,600 times during four months.
An app on the device gathered her location information, which was then sold without her knowledge. It recorded her whereabouts as often as every two seconds, according to a database of more than a million phones in the New York area that was reviewed by The New York Times. While Ms. Magrin’s identity was not disclosed in those records, The Times was able to easily connect her to that dot.
The app tracked her as she went to a Weight Watchers meeting and to her dermatologist’s office for a minor procedure. It followed her hiking with her dog and staying at her ex-boyfriend’s home, information she found disturbing.
“It’s the thought of people finding out those intimate details that you don’t want people to know,” said Ms. Magrin, who allowed The Times to review her location data.
At least 75 companies receive anonymous, precise location data from apps whose users enable location services to get local news and weather or other information, The Times found. Several of those businesses claim to track up to 200 million mobile devices in the United States — about half those in use last year. The database reviewed by The Times — a sample of information gathered in 2017 and held by one company — reveals people’s travels in startling detail, accurate to within a few yards and in some cases updated more than 14,000 times a day.
Companies aren't the only ones who can easily track your movements via your phone. According to Guevara Noubir, a professor of computer and information science at Northeastern University, hackers can also use the combination of tools included on your phone to create a detailed portrait of each of your movements. Writing for Fast Company, Noubir says:
Mobile devices are perfect targets for this sort of attack from an unexpected direction. They are stuffed with sensors, usually including at least one accelerometer, a gyroscope, a magnetometer, a barometer, up to four microphones, one or two cameras, a thermometer, a pedometer, a light sensor and a humidity sensor.
Apps can access most of these sensors without asking for permission from the user. And by combining readings from two or more devices, it’s often possible to do things that users, phone designers, and app creators alike may not expect.
In one recent project, we developed an app that could determine what letters a user was typing on a mobile phone’s on-screen keyboard–without reading inputs from the keyboard. Rather, we combined information from the phone’s gyroscope and its microphones.
When a user taps on the screen in different locations, the phone itself rotates slightly in ways that can be measured by the three-axis micromechanical gyroscopes found in most current phones. Further, tapping on a phone screen produces a sound that can be recorded on each of a phone’s multiple microphones. A tap close to the center of the screen will not move the phone much, will reach both microphones at the same time, and will sound roughly the same to all the microphones. However, a tap at the bottom left edge of the screen will rotate the phone left and down; it will reach the left microphone faster; and it will sound louder to microphones near the bottom of the screen and quieter to microphones elsewhere on the device.
Processing the movement and sound data together let us determine what key a user pressed, and we were right over 90% of the time. This sort of function could be added secretly to any app and could run unnoticed by a user.
Yet The New York Times notes that individuals can turn this tracking off on certain apps. In an addendum to their piece, they have provided a detailed description of how to turn app tracking off. They do note that most companies do not let users delete information once it has been collected.
The location data industry benefits from lack of regulation and little transparency, making it extremely difficult to get access to or delete this data. Your information can also be spread among many companies. And most of them store location data attached not to a person’s name or phone number, but to an ID number, so it may be cumbersome for them to identify your data if you want to delete it — and they are under no obligation to do so.
Google, a prominent collector of location data, lets users delete a segment of that information called their Location History. To do that, go to this page, then hit the Delete Location History button. Click it again when prompted. You can delete another segment of location data associated with your Google account by logging in and going to My Activity. Then click on Activity Controls and turn off Web & App Activity.
Wired notes that while it is difficult for users to turn off their location tracking on Google, it is possible.
To actually turn off location tracking, Google says you have to navigate to a setting buried deep in your Google Account called Web & App Activity, which is set by default to share your information, including not just location but IP address and more. Finding that setting isn't easy. At all.
Sign in to your Google account on a browser on iOS or your desktop, or through the Android settings menu. In the browser, access your account settings by finding Google Account in the dropdown in the upper right-hand corner, then head to Personal Info & Privacy, choose Go to My Activity, then in the left-hand nav click Activity Controls. Once there you'll see the setting called Web & App Activity, which you can toggle off.
On your Android phone, go from Google settings to Google Account, then tap on Data & personalization. You'll find Web & App Activity there.
Google further buries the notion that Web & App Activity has anything to do with location. In fact, the setting sits right above the Location History option, suggesting at a glance that the two things are quite distinct. And Google's vanilla description of Web & App Activity is that it "Saves your activity on Google sites and apps to give you faster searches, better recommendations, and more personalized experiences in Maps, Search, and other Google services." From there, you have to tap Learn more, then scroll to What's saved as Web & App Activity, and tap again on Info about your searches & more before Google says anything about location whatsoever.
To stop that tracking, toggle the blue Web & App Activity slider to off. Google will then give you a popup warning: "Pausing Web & App Activity may limit or disable more personalized experiences across Google services. For example, you may stop seeing more relevant search results or recommendations about places you care about. Even when this setting is paused, Google may temporarily use information from recent searches in order to improve the quality of the active search session."
Beyond simply telling consumers to turn off location tracking on their own, U.S. lawmakers could look to the European Union for a framework for protecting citizens' privacy. NPR reports that in May, the E.U. passed laws known as the General Data Protection Regulation, or GDPR, to curtail the power of data companies.
At the most basic level, GDPR expands what counts as personal data and your rights over that data. Your data is, for example, what you post on social media, your electronic medical records and your mailing address. It's also your IP address (a string of numbers that's unique to your smartphone or laptop), as well as GPS location.
The directive says people have to give permission for a company to collect their data. A company can't just sign you up without explicitly asking. And the more personal the data — say, biometrics, which is considered a special category under the law — the ask must be even more clear.
Europeans have a right to have their data deleted if they don't want a company to keep it. Companies have to delete the data without undue delay, or face a penalty.