Dangerous Permissions – Location Tracking

Data showing the specific movement of tens of thousands of smartphones in Ireland is available to purchase from companies working in the digital marketing and advertising industries, an undercover Prime Time investigation has found.

We have closely tracked the mobile industry and its often problematic relationship with the data economy. But even we were surprised by RTE’s revelations that data brokers are selling gps level location history data for European citizens. Anyone with even glancing familiarity with the nature of location data would realise that such data is not anonymous. A combination of a work and home address are enough to identify almost anyone. At Corrata we take privacy seriously – we never ask for location and we don’t collect browsing history. And we prevent location data leakage by identifying any apps unnecessarily tracking location.

One of the most insidious aspects of the mobile advertising ecosystem is how app vendors exploit end-user trust. Apps that provide useful services often request a wide range of permissions – many only loosely connected to the app’s core function – in order to harvest detailed data on user behavior. The most egregious example is the monetization of GPS-level location data. Below we outline how this happens and how Corrata helps prevent employees from unknowingly sharing their movements in the so-called “data economy.”

How Users Surrender Their Privacy

A wide variety of apps request access to device location, often under the guise of delivering a better experience. For example, a browser might claim to improve search results by using your current location. Yet in many cases, location data adds little real value to the user. Outside of location-centric apps like navigation, the benefit is negligible.

For app vendors, however, location data is highly lucrative. By collecting frequent “pings” and combining them with data from other apps and brokers, they can build a detailed picture of an individual’s movements. This becomes even easier when background location tracking is enabled – recording a user’s movements even when the app is not in use. While intended only for legitimate cases like navigation or exercise tracking, in practice this capability is often misused.

Protecting Against Invasive Tracking with Corrata

• You cannot rely on employees to always make the right choices when granting app permissions. Corrata provides technical safeguards to drastically reduce the risk of location data leakage.
• Our solution scans all apps on an employee’s device to identify those with background location tracking enabled – part of a category of app permissions we classify as potentially dangerous.
• Once detected, Corrata alerts the user, and if the issue is not addressed, can quarantine the device until action is taken. Apps with a legitimate need for background location (e.g., navigation tools with strong privacy protections) can be allow-listed to prevent false positives.
• By giving organizations visibility of background location tracking, Corrata can ensure both the privacy and safety of employees and ensure that their location history never falls into the wrong hands.