Primer: Who’s tracking your location? Just about everybody

That pricey device in your pocket knows exactly where you are. And it’s sharing your location with more people than you realize.

Your smartphone is equipped with antennas that send signals to cell towers, GPS satellites, Wi-Fi access points, and Bluetooth and NFC transceivers. A variety of devices scoop up these signals to pinpoint your phone’s location, then automatically report it to a wide range of interested parties.

“This is some of the most sensitive data that exists,” says Nate Cardozo, staff attorney for the Electronic Frontier Foundation. “Location data can tell you where I live, where I work, where my kids go to school, where I spent last night, and where I ate lunch today—all without looking into the content of a single email, text message, or phone call.”



READ MORE ON LOCATION AND SECURITY

How to wipe location data from mapping apps
Harassed or stalked online? Follow these 5 steps
Beware hacked business listings on maps
When taking Uber or Lyft, is your ride-sharing data buckled up?
Will this app track my child? Here’s how to tell


In various ways, for a variety of reasons, carriers and cops, banks and data brokers, apps and ad networks—even your local coffee shop—might be tracking your location. How? Why? What might they be doing with it? Here’s a rundown.

Wireless carriers and service providers

If you want to receive a call or text message on your phone, your wireless carrier needs to be able to find it. Every few minutes, your phone sends signals to the nearest cell tower, saying, “I’m here!” Location data from one tower isn’t very precise. But if you’re standing somewhere between three towers, carriers can use a method called triangulation to locate you within a few hundred yards.

Carriers’ location information, typically stored for between several months and several years, has become catnip for U.S. law enforcement agencies. Last year alone, AT&T received more than 150,000 police requests for it, more than a third of which sought specific customers’ real-time locations. Verizon processed more than 40,000.

“Once you add up multiple data points—like, say, the route you take to work, coupled with your browsing habits—it’s relatively trivial to narrow it down to a single individual.”—Nate Cardozo, staff attorney, Electronic Frontier Foundation

With the right tools, intelligence agencies and others can access carriers’ location databases to locate virtually anyone carrying a connected device, anywhere in the world. Carriers also sell access to their location databases in bulk, part of a business worth an estimated $24 billion a year.

Wireless service providers such as Skyhook Wireless and LocationSmart, sell real-time customer locations to a wide range of businesses for a wide range of reasons, says Ashkan Soltani, an independent researcher and former chief technologist of the Federal Trade Commission. A bank might buy them, he says, to help its fraud department determine whether someone is using a customer’s credit card on the East Coast while she is on the West Coast.

Apps and mobile sites

Many operators of mobile apps and websites, including Google and Facebook, routinely log users’ locations. A December 2014 study by researchers at Carnegie Mellon University found that popular Android apps, when allowed, track user locations an average of once every 3 minutes.

In some cases, location awareness is necessary: If you want to find the best Korean restaurant within walking distance, for example, Yelp needs to know where you’re standing.

Most app operators, however, want to be able to share your location with third-party ad networks, just as ad-supported Web sites do, Soltani says. App developers sign up for mobile ad networks like AdMob or Flurry, which then deliver ads to apps based on users’ geographical coordinates. Flurry might show someone playing Angry Birds, for example, an ad for a hardware store down the street.

Retailers

Over the past two years, dozens of U.S. retailers, including Macy’s and Target, have installed devices that can recognize your handset’s Bluetooth, Wi-Fi, or NFC signals, or passive beacons that communicate with an app on your phone. The idea is to analyze foot traffic the same way websites analyze Internet traffic, then optimize for it: Add more couches where people linger, or add more to-go lines for customers who are clearly rushing to work.

Most of this data is not immediately personally identifiable; retailers today are using technology from companies such as Euclid Analytics and Nomi, which typically track phone serial numbers, not owners’ names. However, apps such as Shopkick or Checkpoints, which can maintain a running record of your purchases across multiple stores, require users to register their personal information to amass loyalty points and receive discounts.

Whether customers will warm to this level of tracking remains to be seen. Privacy backlashes have prompted retail chains such as Nordstrom and Philz Coffee to discontinue retail tracking.

Nordstrom discontinued its tracking experiment in May 2013, after customers complained, on Facebook and elsewhere, invoking Big Brother and Minority Report. Philz pulled its tracking a year later, following media reports and some tense Twitter exchanges between customers and Philz CEO Jacob Jaber.

Anonymous?

While wireless giants and location-based services claim to sell only anonymized data, de-anonymizing this information would be a fairly simple process, Cardozo says. “Once you add up multiple data points—like, say, the route you take to work, coupled with your browsing habits—it’s relatively trivial to narrow it down to a single individual.”

Few rules today safeguard consumers’ locations. Even the procedures law enforcement agencies must follow to access carriers’ location data vary wildly from state to state. In California, for example, cops need to secure a warrant from a judge; in other states, they have no legal barriers.

Private companies can do virtually anything they want with your data, so long as their terms of service or privacy policies allow it, Cardozo adds. In its voluntary guidelines for location privacy, wireless industry trade group CTIA simply recommends that location-based service providers notify consumers about their data-sharing policies and obtain their consent.

“In the past, you could walk into a store, buy something, go to the bank, come home, change your shirt, then go out for coffee later, and there was very little to tie how you spent your morning to how you spent the rest of your day,” Soltani says.

Now, he says, four or five entities you’ve never heard of could theoretically produce a neatly curated timeline of your day. And they could use that information in ways you’d never imagine.