I encourage everyone to try routing your own device's traffic through mitmproxy and observing this in real time. It's eye opening.
Apps like Deliveroo, which have legtimate reasons for high accuracy location access, send your data to marketing companies on every launch with very high precision.
I've written a guide[0] about how to use mitmproxy to look at the data escaping your device.
While it may not catch everything, another way I've picked up on various tracking services is simply running pihole and customizing the lists based on permitted dns lookups. It's interesting and troubling just how much of my internet browsing is blocked at the DNS level on a day to day basis with no perceivable impact on what's being viewed. I do wonder how many services might start trying to hardcode IP addresses to get around such things in the future. I'll have to try mitmproxy and see what I might be missing.
Yup I do this too and I agree with your observations, about one third of my home network's DNS request are rejected with nearly no impact on my internet browsing. I've also observed the same thing when browsing the web with uBlock Origin set to block third party scripts by default. On most sites whitelisting ~20% of scripts is enough to make the site functional, the other ~80% apparently being redundant for the purpose of the site's core functionality.
Am I understanding it correctly that the app on your mobile is directly sending the data to marketing companies? They don't even collect it and hand it to marketing companies through a separate channel?
No they dont't usually collect the data and forward it to third parties. With most stuff like this apps will embed a binary SDK which is initialized when the app starts. Because the SDK runs in the app's process it has all the same permission and data access that the app itself has. The SDK communicates with the relevant APIs directly. On the web similar models are often used with third party scripts loaded in the main page context.
One of the things I appreciate about the iPhone is the fine grained settings for location tracking. I have had to turn off access to numerous apps and have limited other apps to only using my location when I use the app.
To limit the tracking I had to personally do an audit. I noticed the location indicator was on most of the time and it annoyed me. I found too many apps using location tracking that just did not need it.
Most people will not do this. We need better laws.
I agree and even further: you cant trust security features by the company you got phone from. It is conflict of interests. On android at least you can remove google completely and use 3rd part application firewall like netguard, that is open source. Or xprivacy lua to fake the data. Google "security" is a joke. Trusting privacy settings to the company that makea billions by destroying the privacy. Nope. It wont work.
I had our annual chat with a friend ( long story, it is just hard for us to find time we can both be in the same place ). She works in a hospital and said the same thing about medical bills. One person can't keep track of all this. I had the same point about privacy. We do need something better. The current version does not work for me.
The concept of freedom is so interesting. In the US, it is an inherent right. Many things are protected as inalienable rights from government intrusion. But a darker picture emerges when freedom is weaponized by private people (e.g. corporations). Your freedom actually starts turning into a capitalist feeding frenzy. Take it one step further and it is a nightmare (stalkers). Freedom is a careful balance of the two. This trade off is a strange yet inevitable world Americans live in.
With Location Services disabled, FB can use secondary data, like Bluetooth information and IP address to reasonably approximate location. It doesn't change the situation much.
Apple could also help by making the global Location Services toggle more readily available (icon available in Control Center?) instead of multiple clicks deep and a confirmation.
There was a pretty interesting talk presented at DefCon this year on tracking and other personal data being exfiltrated from mobile devices over Tor (in plaintext!!!). After noticing this activity on some end user devices, the presenters set up some exit nodes and started looking for similar traffic, and uncovered a shocking amount of data being moved about in this manner from a variety of mobile applications. Unfortunately, the presenters didn't name and shame (though they did imply some well-known brands were guilty), and it was presented at the SkyTalks venue, so no recording was allowed and the slides won't be published. But given the data that they were collecting and where the impacted users seemed to be located, it appeared like a majority of the tracking traffic they were intercepting was coming from users in China, Russia, and other states with civil liberties issues.
Yes, but you will need to first correlate connection data from a ton of anonymous IPs, and then send tough guys to the site to check everybody's passports at a gunpoint.
If you didn't know, Google even added a special API in Android for Apps to use to get device IDs, IMEI included. The very point of it is to allow tracking by Apps.
In Android 6 they even made a special callback result to indicate that the user has refused to give his permission rather than indicating that modem/phone ID wasn't found.
Clearly they are aware of this and do that deliberately.
1) There is no Facebook, Apple and Google on the list of "location data" companies. These guys have records on you for years of tracking and it didn't cause nytimes to create a fancy article on them?
2) Funny how the only big company mentioned in the article is Apple, while iOS is far more difficult to convince to share location data with 3rd parties compared to Android.
The story discusses the provenance of the data after the opening paragraph:
> THE DATA REVIEWED BY TIMES OPINION didn’t come from a telecom or giant tech company, nor did it come from a governmental surveillance operation. It originated from a location data company, one of dozens quietly collecting precise movements using software slipped onto mobile phone apps. You’ve probably never heard of most of the companies — and yet to anyone who has access to this data, your life is an open book.
Is your suggestion that the NYT wait until every large tech company leaks their databases to their reporters?
Those companies sell advertisements, but keep the raw data to themselves. After all, that's in their business interest. This article talks about vendors directly selling the data itself.
This data seems highly valuable to hedge funds: if a fund could pin the devices of well-known bankers and executives of potential acquisition targets, it could see deals coming before announcements. Is this legal?
Hell, track their social relations, and the same for all of their employees, estimate their personal relations with social models, quantify and predict their mood on an organizational level. Then go long or short on the company. Rinse and repeat for everything on this planet.
I wish I had this data, myself. I mean, my own personal data - it would be so incredibly useful for me to be able to go back through the last years and see my location and tracking data. I could finally get those timesheets updated with correct details ..
But, alas, no. Its not available to me. Only third parties can access it.
Readit News
Apps like Deliveroo, which have legtimate reasons for high accuracy location access, send your data to marketing companies on every launch with very high precision.
I've written a guide[0] about how to use mitmproxy to look at the data escaping your device.
0: https://hugotunius.se/2019/01/23/going-spelunking-with-mitmp...
For example here's Braze's developer integration guide https://www.braze.com/docs/developer_guide/platform_integrat...
To limit the tracking I had to personally do an audit. I noticed the location indicator was on most of the time and it annoyed me. I found too many apps using location tracking that just did not need it.
Most people will not do this. We need better laws.
Instead of expecting that nothing tracks you until you permit it.
FWIW: This 'ability' is not specific for Iphone
Deleted Comment
Dead Comment
No way to underestimate how important this is.
Second to it, you guys need to push for removing tracking infrastructure that Google shoves into Android.
Not a single application should be allowed access to anything amounting to a "Device ID" or fingerprinting method, implicit or explicit
Even if person had an anonymous SIM it would be trivial to identify them by the locations where they spent most of their time.
Not something automateable.
In Android 6 they even made a special callback result to indicate that the user has refused to give his permission rather than indicating that modem/phone ID wasn't found.
Clearly they are aware of this and do that deliberately.
2) Funny how the only big company mentioned in the article is Apple, while iOS is far more difficult to convince to share location data with 3rd parties compared to Android.
> THE DATA REVIEWED BY TIMES OPINION didn’t come from a telecom or giant tech company, nor did it come from a governmental surveillance operation. It originated from a location data company, one of dozens quietly collecting precise movements using software slipped onto mobile phone apps. You’ve probably never heard of most of the companies — and yet to anyone who has access to this data, your life is an open book.
Is your suggestion that the NYT wait until every large tech company leaks their databases to their reporters?
If you haven't looked at it yet, Google's dashboard is pretty eye opening. You can see where you were every minute of the day years ago.
Deleted Comment
Because my gut tells me, it will be in a decade or two.
But, alas, no. Its not available to me. Only third parties can access it.
This is a terrible situation.
Not sure if this is only for EU citizens.