I KNOW WHAT YOU DID LAST SUMMER

Location tracking of phones is out of control. Here’s how to fight back.

Unique IDs assigned to Android and iOS devices threaten your privacy. Who knew?

Dan Goodin
Credit: Getty Images

You likely have never heard of Babel Street or Location X, but chances are good that they know a lot about you and anyone else you know who keeps a phone nearby around the clock.

Reston, Virginia-based Babel Street is the little-known firm behind Location X, a service with the capability to track the locations of hundreds of millions of phone users over sustained periods of time. Ostensibly, Babel Street limits the use of the service to personnel and contractors of US government law enforcement agencies, including state entities. Despite the restriction, an individual working on behalf of a company that helps people remove their personal information from consumer data broker databases recently was able to obtain a two-week free trial by (truthfully) telling Babel Street he was considering performing contracting work for a government agency in the future.

Tracking locations at scale

KrebsOnSecurity, one of five news outlets that obtained access to the data produced during the trial, said that one capability of Location X is the ability to draw a line between two states or other locations—or a shape around a building, street block, or entire city—and see a historical record of Internet-connected devices that traversed those boundaries.

Reporter Brian Krebs said that the data included nearly 100,000 hits for the phone of a New Jersey police officer who recently became the victim of an intense doxxing campaign that subjected her and her family to dozens of death threats from people who knew her home address and the phone numbers of both her and her husband. The campaign included masked people in cars driving outside the family’s home.

The data seen by the person using the two-week trial provided a detailed and intimate picture of the officer over several months. There’s no indication that the people stalking and harassing the family used Location X, but there’s little doubt the service could have allowed them to determine the officer’s phone number and residence location.

404 Media, another outlet given access to the data, reported that the trove allowed a reporter to zoom in on the parking lot of an abortion clinic in Florida and observe more than 700 red dots, each representing a phone that had recently visited the clinic. Location X then allowed the reporter to trace the movements of one specific device.

That device—and by extension, the person carrying it—began the journey in mid-June from a residence in Alabama. The person passed by a Lowe’s Home Improvement store, drove on a highway, visited a church, crossed into Florida, and finally stopped at the clinic where the phone indicates the person stayed for two hours before leaving and returning to Alabama. The data tracked the phone as having visited the clinic only once.

The technology making this vast data collection possible is, of course, tracking mechanisms built into Android and iOS and the apps that run on those operating systems. By default, Android assigns a unique ad ID to each device and makes it available to any app that has location permissions. iOS, by contrast, keeps its “Identifier for Advertisers” tracker private, but gives each installed app the opportunity to request access to it.

Some apps are given permission to access a phone's location and then sell the device's location to consumer data brokers. The data can also be made available through the web ad ecosystem. While an ad-supported page loads, the advertising network holds an auction in real time to sell a personalized ad to the highest bidder. A key piece of information bidders use to set a price is—you guessed it—the location of the device running the browser. Advertisers generate additional revenue by selling that history to the likes of Location X provider Babel Street.

Fighting back

There are multiple settings that phone users must choose to close off the constant leaking of their locations. For users of either Android or iOS, the first step is to audit which apps currently have permission to access the device location. This can be done on Android by accessing Settings > Location > App location permissions and, on iOS, Settings > Privacy & Security > Location Services.

Both operating systems will display a list of apps and whether they are permitted access always, never, only while the app is in use, or to prompt for permission each time. Both also allow users to choose whether the app sees precise locations down to a few feet or only a coarse-grained location.

For most users, there’s usefulness in allowing an app for photos, transit, or maps to access a user’s precise location. For other classes of apps—say those for Internet jukeboxes at bars and restaurants—it can be helpful for them to have an approximate location, but giving them precise, fine-grained access is likely overkill. And for other apps, there’s no reason for them ever to know the device's location. With a few exceptions, there’s little reason for apps to always have location access.
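On Android, the same audit can be scripted for a phone with USB debugging enabled. The sketch below is an added example, not part of the original article: it assumes the text layout printed by `adb shell dumpsys package`, runs on a constructed sample with made-up package names, and sorts each app into the precise/approximate and always/foreground tiers described above (`audit_location` is a hypothetical helper name).

```python
import re

# Constructed sample in the layout printed by `adb shell dumpsys package`
# (package names are made up; real output carries many more fields).
SAMPLE_DUMP = """\
Packages:
  Package [com.example.maps] (1a2b3c):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.jukebox] (4d5e6f):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.storeapp] (7a8b9c):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (0d1e2f):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(
    r"android\.permission\.ACCESS_(FINE|COARSE|BACKGROUND)_LOCATION: granted=(true|false)"
)

def audit_location(dump):
    """Map package -> (precision, timing) for every app holding a location grant."""
    granted, current = {}, None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)  # start of a new package section
            continue
        m = PERM_RE.search(line)
        if m and current and m.group(2) == "true":
            granted.setdefault(current, set()).add(m.group(1))
    report = {}
    for pkg, perms in granted.items():
        if not perms & {"FINE", "COARSE"}:
            continue  # a background grant alone gives no location access
        precision = "precise" if "FINE" in perms else "approximate"
        timing = "always" if "BACKGROUND" in perms else "foreground only"
        report[pkg] = (precision, timing)
    return report

if __name__ == "__main__":
    for pkg, (precision, timing) in sorted(audit_location(SAMPLE_DUMP).items()):
        print(f"{pkg:24} {precision:12} {timing}")
```

To run it against a real device, save the output of `adb shell dumpsys package` to a file and pass its contents to `audit_location`; apps reported as "precise" and "always" are the first candidates for downgrading in Settings.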

Not surprisingly, Android users who want to block intrusive location gathering have more settings to change than iOS users. The first thing to do is access Settings > Security & Privacy > Ads and choose “Delete advertising ID.” Then, promptly ignore the long, scary warning Google provides and hit the button confirming the decision at the bottom. If you don’t see that setting, good for you. It means you already deleted it. Google provides documentation here.

iOS, by default, doesn’t give apps access to “Identifier for Advertisers,” Apple’s version of the unique tracking number assigned to iPhones, iPads, and Apple TVs. Apps, however, can display a window asking that the setting be turned on, so it’s useful to check. iPhone users can do this by accessing Settings > Privacy & Security > Tracking. Any apps with permission to access the unique ID will appear. While there, users should also turn off the “Allow Apps to Request to Track” button. While in iOS Privacy & Security, users should navigate to Apple Advertising and ensure Personalized Ads is turned off.

Additional coverage of Location X from Haaretz and NOTUS is here and here. The New York Times, the other publication given access to the data, hadn't posted an article at the time this Ars post went live.

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
203 Comments
Staff Picks
The Krebs on Security story mentioned in the article has a lot more detail. For example, the reporters found that Babel had 100,000 hits for one officer's iPhone allowing precise tracking of her movements. The only app with location tracking she had installed was the Macy's store app. Of course Macy's denies any involvement beyond "sharing geo-location data with a limited number of partners who help us deliver this enhanced app experience".
This is why the trend of stores and various agencies to push their apps or sometimes require them is so infuriating. I've been to places where the only way to get a transit pass for a week as a tourist was to install their app, just so I could ride the local subways and buses.
Don't forget they are also virtually all just tracker-laden Electron wrappers for web pages with features they don't bother making accessible any other way.

Most likely whoever sells the tech Macy uses in their app is selling the data.
No need to guess.