In 2023, a family visit to an amusement park illustrated the evolving landscape of technology and privacy. As one parent stayed behind with a stroller, the others enjoyed a ride. Upon their return, the park’s app, utilizing geolocation through Bluetooth and Wi-Fi, recognized the waiting parent and sent a notification, granting them access via a fast-track entry, effectively bypassing the lines. This incident serves as a microcosm of the intricate ways in which our smartphones leverage geolocation data.
However, the potential for misuse of such technology raises significant concerns. Recent investigations led by Spanish researchers delve into how various applications exploit Bluetooth and Wi-Fi permissions to track users’ locations indoors, even when GPS is disabled. The findings, set to be presented at the esteemed Pets privacy conference in Washington D.C., shed light on a hidden ecosystem of data extraction embedded within countless apps, aimed at targeting users with advertisements and profiling their behaviors.
Unveiling the Intricacies of Data Collection
Juan Tapiador, a co-author of the research and a professor at Carlos III University in Madrid, emphasizes the enigmatic nature of these data practices. He cites examples where individuals encountered unsettling advertisements after visiting sensitive locations, such as abortion clinics or liquor stores. “There are a lot of mysterious uses,” he notes, highlighting the discomfort many feel when their devices seem to know intimate details about their lives without explicit consent.
Public databases containing GPS coordinates of Bluetooth beacons and Wi-Fi antennas enable apps to detect when a user has been in a specific location. This capability, while seemingly innocuous, raises ethical questions about the extent to which this information is shared and utilized. According to the research, a staggering 86% of the 9,976 Android apps analyzed collect at least one type of sensitive data, including user identifiers and location coordinates.
The implications of this data collection extend beyond mere advertising. Narseo Vallina, another co-author and researcher at the Imdea Networks Institute, warns that such information can be employed to track individuals’ movements and associations. This could lead to the identification of sensitive activities, such as entering a place of worship or even the speed of a vehicle, raising alarms about privacy violations.
The Role of SDKs in Data Harvesting
Most applications are not built from the ground up; they rely on software development kits (SDKs) that streamline programming tasks. Vallina points out that many of these SDKs perform functions that are not immediately visible to users, often including location tracking capabilities. “This is an SDK ecosystem that no one has studied,” he remarks, noting the lack of empirical research on how these tools operate.
The potential for misuse is vast. For instance, a dating app with access to Wi-Fi could simultaneously scan for nearby Bluetooth devices, revealing the identity of a user’s date and their location. The real concern lies not with the dating app itself but with third-party applications that may also have access to this data through integrated SDKs.
The study identifies 52 SDKs with Bluetooth and Wi-Fi scanning features embedded in nearly 10,000 apps, collectively installed on around 55 billion devices. These applications span various sectors, from banking to hospitality, raising questions about the pervasive nature of data collection.
In a public transit setting, a Bluetooth beacon might be used to count passengers, yet nothing prevents an SDK from tracking a user’s precise location on the subway. This capability allows for the re-identification of individuals based on their movements, complicating the challenge of understanding where this data ultimately resides and how it is utilized.
As the research indicates, the Android Advertising ID serves as a marker for tracking users, allowing companies to create detailed profiles based on location data. This method circumvents the need for explicit consent, raising ethical dilemmas about privacy and the commodification of personal information. “If you were to ask a company that thrives on tracking what interests them most about a person, they would probably say location,” Tapiador explains, underscoring the significance of location data in the broader context of digital surveillance.
