Courtesy of the New York Times, we just got another reminder of how invasive location tracking through apps can be—which might have caused you to turn off this particular permission for a bunch of apps on your smartphone. But location tracking goes a lot deeper than that.
Here are five ways that apps, companies, and marketers can know where you’ve been, even after you’ve disabled location permissions inside your favorite apps. We can’t tell you exactly how this data is used, but we can give you some ideas about how it’s collected from you.
1) Logging into websites
Every time you log into Gmail, Amazon, Facebook, or anywhere else, these websites know where you’re browsing from, roughly speaking. In some situations, this is useful—to spot unusual and unauthorized logins, for instance—but it all adds to the data points that these firms have on you and which they might choose to sell on to other interested parties.
When you’re online, you’ll be revealing a public IP address tied to your Internet Service Provider (ISP), which is linked to your rough geographic area. On its own, it’s not enough to reveal exactly where you live, but it can be tied to other bits of information to learn more about you. It’s why you’ll sometimes see online ads for your local area even when you’re not logged in anywhere.
In other words, even if you haven’t told Facebook your home city, it probably knows (see here for the locations of your current Facebook logins). The only real way around this is to use a Virtual Private Network (VPN) service, which can connect to the web through a node that’s not at all related to your current location—it could even be on the other side of the world. Sites will still be able to log an IP when you sign into them, but it won’t be a geographically accurate one.
2) Tagging your photos
As you might already know, if you tag a place in an Instagram, Snapchat, Facebook, or Twitter photo, that location gets linked to your account and your identity. You should think very carefully about geotagging your pictures, especially if they are being published publicly, and especially if they’re around your home or place of work.
Even if you don’t post these images for the world at large to see though, the location data can still be logged and shared with whatever data partners your apps are working with. As we saw in the NYT report, this data is often described as anonymized in most privacy policies, but it’s not too difficult for someone to join the dots.
It gets worse though: Even if you don’t geotag your photos publicly, and disable an app’s location permissions, it can still work out where you’ve been if you grant it access to your photos. As developer Felix Krause revealed last year, if an app can access your photo library (kind of essential for Instagram and Snapchat), it can also read the location metadata linked to your existing photos, and see the spots you take pictures in.
3) Logging into wifi
We’re often so desperate for some good, strong wifi that we’ll click through no end of consent boxes and warning dialogs, just to get online at a hotel or a coffee shop. Public wifi is insecure at the best of times, but you’re also giving away your location whenever you log into a network that’s not your own.
We can’t speak for every public wifi operator out there in the world, but we do know that allowing your email address or phone number to be linked to the network might well be one of the conditions of access. Companies don’t often offer wifi out of the goodness of their hearts—they do it to make money from advertisers who want to advertise to you, and to do that they need to know more about where you are.
Sure, no one will be able to stalk you based on two coffee shop check-ins a month. But data brokers are experts are building up profiles of people based on disparate sources of information, and public wifi access can feed into that. If you can, only log into other wifi networks if you trust the people running them.
4) Posting your fitness data
This one is related to apps, and particularly fitness apps, but perhaps not in the way you think—you might remember the anonymized data dump released by Strava that revealed some of the locations of secret military bases, or the Polar Flow API hack that could be used to get at users’ location data, even if that data wasn’t published publicly.
Now if you want to track your runs around the park, then you’re going to have to give your fitness app of choice access to your location—it’s a trade-off. But beyond that, it’s also worth considering where you’re posting the maps of these runs, whether that’s to other users inside the app on or social networks like Facebook.
We’ve already spoken about companies and individuals being able to connect the dots between platforms, so if you’re linking Strava (for example) to Facebook (for example), you’re adding to the location data that both of those apps know. The fewer connections you have been apps the better, from a privacy standpoint.
5) Turning on your phone
Even if you switch off location tracking on all your phone apps, your phone itself is still going to grab as much location data as it can from you—it’s just part of the deal of owning a device made by Google or Apple, or indeed any mobile device at all. It’s essential for services like finding your phone when it’s lost, or making sure you’re always connected to the nearest cell tower, or automatically setting the right time zone.
Unless you want to go back to a dumb phone life, this location data is sort of necessary. To stop your iPhone logging locations full stop, go to Settings then tap Privacy and Location Services, and turn Location Services off. On Android, go to Settings then Security & location, Location, and turn Use location off.