When visiting a medical doctor's office, a women's health clinic, a therapist's office, an addiction treatment center or a place of worship, many think that their location will be off limits to tech companies vying to sell the next thing to you.
But in reality, the unique personal data being collected is sold on the marketplace allowing companies to acquire a consumers' precise geolocation for precision advertising.
For example, a Midwest anti-abortion group last year used cellphone location data to target online content to visitors of Planned Parenthood clinics, according to the Wall Street Journal.
When users clicked the targeted ads, they were directed to a site giving them options of "I want to undo the abortion pill" or "I am thinking about the abortion pill," and then continued to track the users on the web.
This type of invasion of privacy is nothing new. It remains unregulated and unenforced, according to Christo Wilson, an associate professor and director of the BS in Cybersecurity program at the Khoury College of Computer Sciences at Northeastern University.
Wilson spoke with Northeastern Global News about the current landscape on how companies track your every move and how very few rules or regulations stop this practice from happening. His comments have been edited for brevity and clarity.
How do companies track your location?
There are two primary mechanisms for where the data comes from. One is apps. You download an app, and it can request access to location sensors. Historically, there was very little control over this, and if you said yes, it could get your location at any time, even when you're not using the app and send this to a third party.
Android and iOS have gotten a little better where you can say, "Let it get the location when I'm using the app." But even then, you probably have 20 or 30 different apps on your phone that have permission to use location.
Even apps with a stated purpose for having your location (for takeout delivery, for example), you have no idea what else is in that app; any coding part of it can read the location and then send that to anyone for any reason.
Apps have this coding in there because they get paid for providing it to third parties.
The second way this happens is through online advertising. So online advertising is crazy. When you open a website, there's a banner ad that appears. How does that banner ad reach you? So this is through a process called real-time bidding.
For example, if you open up CNN, a big banner ad goes to the top of the page. What will happen is you download the page from CNN, and then there's some code in that page provided by what's called an ad exchange. Your browser will contact the ad exchange and send bid solicitations anywhere from a couple to a couple of thousand different companies.
The ad exchange sends out a unique ID for you—the same person who's moving around the web, seeing ads in all these places. The ad exchange will also send other information, like your current location.
So anytime you're encountering a banner ad like this, anywhere on the web, even in apps, behind the scenes, there are probably 1,000 different companies that are getting this information and asking (the companies) what they are willing to pay to show an ad.
You have these companies that are in the background, you can't see them, but they're giving these little breadcrumbs of your location all the time as you're using apps and using the web.
What rules and regulations are in place for sharing one's location?
My understanding is there are basically no rules. That's the sad truth.
At the federal level in this country, there are some data privacy rules for children under 13 and HIPPA for health-care providers. But there is no federal-level data privacy law.
The Federal Trade Commission polices things like unfair and deceptive trade practices. But that always hinges on someone failing to disclose the collection. As long as you disclose, you can collect and do whatever you want.
Companies have policies that say specific locations are off-limits, but are they followed or enforced?
My impression is that enforcement is lax. To me, it looks like butt-covering. They said don't do things, and then if it's pointed out to them someone is doing something, maybe they will take action. But there's no proactive enforcement of these policies.
Why is sensitive data allowed to be used, and how do companies profit from it?
I'm not even sure they all have policies prohibiting (using locations from sensitive locations). And even the ones that do, it's pretty vague. Often, the people collecting and selling this data don't even know and don't have a way to sift through every hospital, health-care provider, or where a church or abortion clinic is.
There are a lot of claims this data is anonymous, and often that is strictly untrue. What they mean by anonymous is that it doesn't have your name. But it has a unique identifier, so they know it's the same person over time.
Having this knowledge is a good way to do competitive intelligence. It's a great way to do ad targeting. You can measure your own foot traffic. It's incredibly valuable data.
Should people be concerned?
Super concerned. Who knows what's going on behind the scenes? Or the ways that it is used for discriminatory purposes, like targeting ads for real estate but only in affluent white areas.
Is there a way to prevent your location from being shared?
Yeah, it's really challenging. You can uninstall apps with location permission that you don't use or change their settings so they only get location when they're active. In general, you should have a bunch of ad blockers in your browser. Every time your ad contacts third parties for tracking, your location gets leaked.
Provided by Northeastern University