The Federal Trade Commission filed suit against Kochava Inc. on August 29, 2022, accusing the data broker of selling geolocation data from hundreds of millions of mobile devices. According to the commission, consumers are often unaware that their location data is being sold and that their past movements can be tracked.
The FTC suit specified that Kochava’s data could be used to track consumers to sensitive locations, including “to determine which consumer mobile devices have visited reproductive health clinics.”
When the US Supreme Court overturned Roe v. Wade on June 24, 2022, many people seeking abortion care ran into legal trouble. Numerous state laws criminalizing abortion highlight the perilous state of personal privacy. As a cybersecurity and privacy researcher, I’ve seen how easily people’s movements and activities can be tracked.
If people want to travel incognito to an abortion clinic, well-intentioned advice says, they have to plan their trip like a CIA agent would – and a… burner phone. Unfortunately, that still wouldn’t be good enough to guarantee privacy.
Using a maps app to plan a route, sending terms to a search engine, and chatting online are ways people actively share their personal information. But mobile devices share much more data than just what their users say or type. They share information with the network about who people contacted, when they did so, how long the communication took and what type of device was used. The devices must do this in order to make calls or send an email.
Who talks to whom?
When NSA whistleblower Edward Snowden revealed that the National Security Agency was collecting metadata from American phone calls – the call detail records – en masse to track down terrorists, there was a lot of public consternation. The public was rightly concerned about the loss of privacy.
Stanford researchers later showed that conversation details plus publicly available information can reveal sensitive information, such as whether someone had a heart problem and their arrhythmia monitoring device was malfunctioning or whether they were considering opening a marijuana dispensary. Often you don’t have to listen in to know what someone is thinking or planning. Conversation data – who called whom and when – can give it all away.
The transmission information in Internet-based communications – IP packet headers – can reveal even more than call detail records. When you make an encrypted voice call over the Internet (a Voice over IP call), the content may be encrypted, but the information in the packet header can sometimes reveal some of the words you speak.
A bag full of sensors
That is not the only information given away by your communication device. Smartphones are computers, and they have many sensors. To ensure that your phone displays information correctly, it has a gyroscope and an accelerometer; to extend battery life, it has a power sensor; to give directions, a magnetometer.
Just as communication metadata can be used to keep track of what you do, these sensors can be used for other purposes. You can turn off GPS to prevent apps from tracking your location, but data from a phone’s gyroscope, accelerometer, and magnetometer can also track where you are going.
This sensor data can be attractive to companies. For example, Facebook has a patent that relies on the various wireless networks in a user’s vicinity to determine when two people have often been close together – at a conference, on a shuttle bus – as a basis for giving an introduction. Scary? Sure. As someone who rode the New York City subway as a young girl, the last thing I want is for my phone to introduce me to someone who has repeatedly stood too close to me on a subway.
And it’s not just apps that access this database. Data brokers extract this information from the apps, compile it with other data and give it to companies and governments to use for their own purposes. Doing so may circumvent legal protections that require law enforcement to go to court before obtaining this information.
There isn’t much that users can do to protect themselves. Communication metadata and device telemetry – information from the phone sensors – are used to send, deliver, and display content. Not including it is usually not possible. And unlike the search terms or map locations you consciously enter, metadata and telemetry are sent without you even seeing them.
It is not possible to give permission. There is too much of this data, and it is too complicated to decide each case. Every application you use – video, chat, web surfing, email – uses metadata and telemetry differently. Giving truly informed consent so that you know what information you are providing and for what use is actually impossible.
If you use your cell phone for anything other than a paperweight, your visit to the cannabis dispensary and your personality – how extroverted you are or that you’ve probably been out and about with family since the 2016 election – can be learned from metadata and telemetry and shared.
That goes even for a burner phone bought with cash, at least if you plan on turning the phone on. Do this while you have your regular phone with you and you have revealed that the two phones are connected – and maybe even that they are yours. As few as four location points can identify a user, another way your burner phone can reveal your identity. If you’re driving with someone else, they need to be just as careful or their phone would identify them – and you. Metadata and telemetry information reveals a remarkable amount about you. But you don’t control who gets that data or what they do with it.
The reality of technological life
There are some constitutional guarantees of anonymity. For example, the Supreme Court ruled that the right of association, guaranteed by the First Amendment, is the right to associate privately, without providing membership lists to the state. But with smartphones, that’s a right that’s basically impractical to exercise. It is almost impossible to function without a cell phone. Paper cards and public phone booths have virtually disappeared. If you want to do something – travel from here to there, make an appointment, order takeaway or check the weather – all you need is a smartphone.
It’s not just people who want to have abortions whose privacy is at risk from this data that phones are shedding. It could be your child applying for a job: for example, the company may check location data to see if they are participating in political protests. Or maybe it’s you, when the data from the gyroscope, accelerometer, and magnetometer reveals that you and your colleague went to the same hotel room overnight.
There is one way to solve this horrifying scenario, and that is for law or regulation to require that the data you provide to send and receive communications – TikTok, Snapchat, YouTube – be used only for that purpose, and nothing else. That helps the people who go for abortions – and the rest of us too.
Susan Landau is a professor of cybersecurity and policy at Tufts University.