Data Protection

Location Tracking

Background

Many different entities may be tracking and selling your movements to others—including the government.

Your location data can reveal a lot about you: where you live, where you work, where you shop. It should be no surprise, then, that there is big demand for your location data. 

The location data market is a vast and multi-layered network of actors and technology. At one end is your phone, the source of much of the location data collected about you. Various entities collect the location data generated by your phone, including your telephone service provider, stores, adverting platforms, and phone apps. The collecting companies then sell your location data to aggregators, who then either package and resell the data to further brokers or sell data products directly to end users. Much of the location data market is centered around marketing analytics, but the government has also been a major purchaser of location data.

Apps Are Tracking Your Every Move

Many an app has likely prompted you to request access to your location. Sometimes, the app has a legitimate reason to access the information, like displaying your local weather. Sometimes, it doesn’t. In either case, the app may be selling your location data to a third party. 

Apps often capture your location information through third-party Software Development Kits, or “SDKs”, which are pieces of code that data aggregators write and make available to app developers to easily add functionality to their apps—and to create a data pipeline back to the data aggregator. SDK developers pay app developers that use their SDKs based on their app’s number of active users—the more people who use the app, the more location data the developer contributes to the aggregator’s dataset, and the more valuable the dataset. A single SDK can be found in hundreds of different apps, providing the data aggregator with location data on thousands or even millions of individuals.

Other ways companies collect your location 

Apps are not the only way data aggregators can get your location data. The four major telephone service providers have sold location data to aggregators, resulting in a $200 million fine from the FCC. Mobile ad companies also sell location data collected through a “bidstream,” which is data sent from a mobile device to an ad company that is used to determine what ad to serve the device. Stores and other service providers with physical locations also collect location data through bluetooth beacons, which are devices that collect information from your phone through bluetooth. Stores often use beacons to track your movement through a store and to serve ads related to the products you spend time near. They also sell this data to aggregators, who, along with all of their customers, now know you are in the market for a car or household furnishings.

Buying Location Data: The Government’s Run Around Carpenter

In 2018, the U.S. Supreme Court said in Carpenter v. United States that the government must get a warrant to obtain cell phone-generated location data that reveals a person’s past movements. But instead of getting a warrant, many government agencies have, instead, purchased location data from data brokers. The U.S. military has purchased access to X-Mode, which runs an SDK that is embedded in apps targeting Muslims. ICE, Customs and Border Protection (“CBP”), the IRS, the FBI, and the DEA have all purchased access to Venntel, which aggregates location data from 80,000 apps, including X-Mode apps. Many of the same agencies, along with the Secret Service, have purchased access to Locate X, which produces a product similar to Venntel. Lawmakers have introduced legislation to end this practice.

EPIC’s Work

EPIC has been working to stop apps from collecting and selling users’ location data without consent. One success story is EPIC’s case against AccuWeather, which resulted in AccuWeather changing its app to separate location access permissions for app function and for other purposes (i.e., sale to a third-party marketing company).

Recent Documents on Location Tracking

  • FOIA Cases

    EPIC v. DOJ (CSLI Section 2703(d) Orders)

    US District Court for the District of Columbia

    EPIC is seeking the public release of information detailing the Department of Justice's collection of cell site location information through S 2703(d) court orders.

  • Amicus Briefs

    Sanchez v. Los Angeles Department of Transportation

    US Court of Appeals for the Ninth Circuit

    Whether compelled disclosure of detailed location information on individual e-scooter trips violates the Fourth Amendment.

  • Amicus Briefs

    Commonwealth v. Zachery

    Massachusetts Supreme Judicial Court

    Whether a person has a reasonable expectation of privacy in information relating to their use of a public transportation card, or in any data that card may contain or generate.

  • Privacy Cases

    EPIC v. AccuWeather

    DC Superior Court

    Challenging the unlawful collection, use, and disclosure of personal location data by AccuWeather through its mobile iOS App

  • Amicus Briefs

    Carpenter v. United States

    US Supreme Court

    Whether the Fourth Amendment Permits the Government to Obtain Six Months of Cell Phone Location Records Without a Warrant

  • Consumer Cases

    In re: Uber Privacy Policy

    EPIC's complaint charges that Uber's plan to track users and gather contact details is an unlawful and deceptive trade practice.

  • FOIA Cases

    EPIC v. FBI – Stingray / Cell Site Simulator

    US District Court for the District of Columbia

    Seeking records related the use of a new tracking technology that records the location of cell phones even when the devices are not in use.

  • Amicus Briefs

    State of New Jersey v Earls

    New Jersey Supreme Court

    Whether the government can constitutionally obtain and use locational information from a defendant's cell phone provider to track a suspect's location without a warrant under the Fourth Amendment

Support Our Work

EPIC's work is funded by the support of individuals like you, who help us to continue to protect privacy, open government, and democratic values in the information age.

Donate