Data Dealer Sells 3.6 Billion Location Data from 11 Million Phones
Numerous apps not only use location sharing to work as intended, but also transmit such data for advertising purposes. An investigation by the Bavarian Broadcasting Corporation and netzpolitik.org revealed just how deep the rabbit hole goes.
Smartphones are considered indispensable by just about everyone these days, but one particular downside is that the smartphone is the perfect tracking device: it collects user data around the clock. If apps are given access to the relevant data, they can also pass such sensitive information on to third parties.
The Bavarian Broadcasting Corporation (BR) and netzpolitik.org researched to what extent this happens. Via Datarade, the research team received 3.6 billion location data points from eleven million device identifiers hailing from German smartphones, according to US data dealer Datastream Group.
However, the transmitted device identifiers may overlap, because several apps can be used on a single smartphone. A more precise breakdown of the delivered data is therefore not possible, but the number remains surprisingly high.
The GPS data was gleaned from installed apps on smartphones. Numerous applications, such as dating, navigation, or weather apps, require permission for location access. These data points are simultaneously sold to data dealers for advertising purposes.
Movement profiles pose a security risk
Data buyers can then receive precise information about users, which can be used to create relatively accurate movement profiles. This in turn allows reasonable conclusions to be drawn about the user's lifestyle. Such profiles can be of interest not only to advertisers, but also to other parties with a vested interest.
Using publicly available information and the movement pattern, the identity of an employee of a German intelligence agency could be determined – who may himself be a customer of the data dealers. Therefore, such data is relevant to security. The dataset used was supplied by the provider as a free trial. For a monthly payment of $14,000, it can be kept up to date in real-time.
Is such data trading legal?
The trading of data appears to be taking place in violation of legal requirements. While a whole range of apps require location access for their functionality, users also have to consent to the transfer of data for advertising purposes under the applicable General Data Protection Regulation (GDPR). According to privacy advocates, this does not happen in most cases.
However, authorities have limited power to intervene at this point. From a legal perspective, the operator of the intermediary platform is not at fault. They simply ensure that buyers and sellers find each other. Considering the latter is based outside of Europe, it evades the provisions of the GDPR.
For app users, this means they are on their own. Ultimately, they have only two options: either abstain from using the respective apps, or carefully consider when to grant apps location-sharing permission on their smartphones.
Do you leave location sharing permanently enabled on your smartphone, or only when you use a particular app? What other safety measures do you take? Please let us know in the comments.