
Your smartphone is creating a map of your life and strangers are selling it

50B: The number of location pings from 12 million phones collected in a leaked dataset (The New York Times)


We’ve known for years that our smartphones hemorrhage data about us, but The New York Times has a detailed and incendiary report showing things are even worse than we feared.

Journalists analyzed a leaked dataset from a location data-collecting firm. It covers 50 billion location pings from 12 million phones across multiple U.S. cities, collected between 2016 and 2017, and shows how easy it is to link allegedly anonymized data to specific people.

NYT was able to discern the movements of politicians, national security staff, celebrities and civilians alike. Some of it was innocuous, but some included more compromising movements, like visits to the Playboy Mansion, roadside motels, abortion clinics, or in one instance, a job interview at a rival firm.

The three location lies — Location data brokers exist and can trade data because there are no laws preventing them from doing so, and only limited ones governing the specifics of how they need to behave. They also exist because, according to them, we consent to being tracked, tracking data are anonymized, and data are securely stored. All three claims are easily disproven.

First, consent is a stretch. Apps are vague about how they use location data, and terms of use are impenetrable reams of legalese. Second, with enough location data, personal identification is trivial – add a second data point, like a credit card statement, and it’s rudimentary. And third, leaks and breaches are reported almost daily, never mind those that go unreported.

At the same time, Facebook in particular repeatedly reminds us that trusting it or other self-regulating parties to be frank about how they’re tracking us, or to act ethically and in our interests, is beyond misplaced; it’s idiotic.

Only as private as the weakest link — “Our privacy is only as secure as the least secure app on our device,” NYT notes. Similarly, with data endlessly resold, it’s only as secure as the least secure company with access to it.

The implications are deeply disturbing. We’re not providing consent in any explicit or substantive way. We’re inadvertently trusting companies we don’t even know the names of. And there’s no telling who has access to potentially compromising information about us, or what they’ll do with it.

If Snowden’s taught us anything, it’s that even government-grade security can be overcome with ingenuity and a Rubik’s cube – and private companies are unlikely to have anything approaching the same checks and measures for containment. Moreover, there’s no such thing as “having nothing to hide”, and once our privacy is compromised, it can’t be uncompromised.

Regulation might be our last line of defense — Despite what they might say, or which other products and services they offer, Google and Facebook are still primarily in the ad-peddling business, and their goal is to maximize returns for shareholders. This means two of the world’s largest, most pervasive companies are incentivized to build as thorough a profile of each of their users as they can.

We’ve literally built a system where tracking isn’t a byproduct, it’s a feature, but without any guardrails. Respect for the sanctity of privacy and defense of it either has to be turned profitable, or it needs to be regulated. It’s hard to see how to create the right incentives, so we need the right rules instead.