The mobile phone seems to be an important weapon in the fight against COVID-19. Phone apps that track location – basically, latitude and longitude at a specific time – and send this information live to health authorities are being deployed to ensure that phone owners remain within quarantine zones.
A different use simply records the location trail over a few weeks, at, say, 30-minute intervals, which can be shared with health authorities in case a person gets infected. Authorities can collate trails that intersect and alert people individually that they may have been in the proximity of someone who was infected. Or they could release this information into the public sphere so that other people can compare their own trails with those who acquired the infection to check if “paths ever crossed”.
At first sight, all of this looks good. Yet, questions must be asked: Who is acquiring this data? How will it be secured? Who all will have access to it? Can it be used for some other purpose? What can happen if this data were hacked or leaked? Most importantly, how will my identity and privacy be protected? The answers to some of these questions, as we will see, have given rise to widespread apprehension that location tracking may be too intrusive, and can put individuals at risk of social and physical threats.
Such uneasiness with location tracking has led many developers to prefer the more accurate, Bluetooth-based contact tracing approaches where the focus is not on locating; rather, it is to compile a list of who all a person was in proximity with (“contact”), at various times, over a few weeks or months.
The Indian government-sponsored Aarogya Setu app does Bluetooth-based contact tracing, and also logs location at 15-minute intervals. Installation of this app has been made mandatory for large sets of people, like employees going to work in public and private organisations, and those living in COVID-19 containment zones. Not using this app can lead to imprisonment. This has seen immediate pushback, and a case has also been filed against the app’s installation being made mandatory.
At the same time, Apple and Google – who have just launched their collaborative framework for Bluetooth-based “exposure notification” system – have forbidden location tracking, and added mandatory opt-in consent for sharing a positive diagnosis, in the apps that will use their framework.
So, what is it with absolute location tracking that is so avoidable?
Location data from mobile telephony service providers
To understand this, it is crucial to review the many ways in which location data about individuals can be captured, its accuracy and most importantly who is interested in it.
We “leak” location data just by using our mobile phone. The mobile (cell) phone works by connecting to a cell tower situated nearest to it. Therefore, the mobile service provider always has a record of user movements as logged by the sequence of cell towers that the mobile connected to. This data collection cannot be turned off. It is required for cell phones to work, even the most basic ones.
Typically, mobile telephony service providers (carriers, in short) store this data for periods ranging from a few months to a couple of years. This kind of location data is accurate to the order of a few hundred meters. This data, normally, cannot be shared with anyone except law enforcement, under specific laws or court orders. Ironically, it is not accessible to the users themselves!
In the context of the COVID-19 pandemic, some governments have sought access to this location data directly from the service providers, or their intelligence agencies! This cuts out all possibilities of user intervention in the data acquisition process, whether it is about having a phone with the required features or installing an appropriate app. Of course, people still need to carry their phones with them and also keep them on all the time.
Better location data from phone software
Next in line, among those who know where you are, are the companies that make the phone operating system, i.e. Apple which makes iOS phones and Google that makes Android phones.
Location can be tracked best by using satellite-based systems. Here, a special radio in the smartphone communicates directly with a network of satellites, and the technique is generically called the “Global Positioning System” (GPS). More commonly, location is determined using triangulation which uses the distance of a mobile phone from multiple cell phone towers or public WiFi hotspots. Overall, the accuracy of location here ranges from a few to tens of meters.
The methods used for determining location can be toggled on and off in the phone settings. When location tracking is completely switched off, Apple or Google will not be able to know your location. When on, the companies will keep a fairly detailed log of your location history across time. Turning off location tracking is more complicated than it seems, especially for Android phones. It goes without saying that apps that genuinely require location data (e.g. maps) will not work if tracking is switched off at the phone system level.
Who else knows where you are: apps!
Some apps really need location, such as maps, weather, ride-hailing, fitness trackers and find-my-phone. These will obviously track location while they are in use but may continue to operate in the background and keep extracting location records at regular intervals. Apple and Google have now started alerting users when background apps ask for location.
Then, other apps have nothing to do with location but they will still want location data. Most will ask for the relevant permission once upon the first run and most users will uncritically agree; sometimes the app will not work till you give permission. There are also rogue apps which will steal this information without even letting you know.
The web browser as an app is in a class by itself because it does a lot of things: browsing a website, playing videos, displaying images, and most importantly searching the web. Sites will often want to know the location. Twitter has an opt-in feature that can geo-locate a tweet. Facebook does aggressive location tracking.
To sum up, there are a very large number of apps which capture location data.
Other than apps, location data can also be obtained from ad servers (they know where they showed an ad), hardware beacons that detect the proximity of a mobile (typically installed in shops and malls), license plate readers, and points of sale (e.g. credit card use at a store).
Location data markets: buyers and sellers
Location data can be bought from data brokers i.e. companies that collect and collate data and then sell it to local (smaller) data traders, advertisers, and even state agencies. Trading in location data is big business. Location data in the market is usually available tagged with an anonymous id.
The largest amount of location data comes from apps. App makers sell location data to various data aggregators who trade in this commodity. It could be a weather app. It can be any type of device. Some of the more well-known location data aggregators have thousands of partners.
A significant amount of data also makes it to the secondary market for location data. Mobile carriers are not allowed to sell subscribers’ personal data to anyone. Now, when an app requests location data (and the app cannot take it directly from the mobile itself), the mobile carriers do not provide location data directly; they pass on this data to location data aggregators who in turn give it to the app. This arrangement is considered a kind of subcontracting, and not the sale of data.
The aggregators are middlemen, and are not properly regulated. So they monetize this data by selling it to whoever wants it. Neither the carriers nor the aggregators care about how this data is used or have any effective way to monitor it. The US Federal Communications Commission (FCC) recently imposed hefty fines on four major US mobile carriers for selling users’ location data. This market is not restricted to the US alone, and location data sales for regions like Canada, India and the Philippines have also been advertised. India too seems to have a fast-growing general data brokerage sector, with a significant presence of international players, fed substantially by data from mobile carriers.
New laws such as the General Data Protection Regulation (GDPR) in Europe have stymied a lot of this business.
Google and Apple do not sell location data to anyone. Google, though, uses this information for its own ad placement services.
Data breaches and hacks that release personal data into the public sphere are not uncommon in the telecom industry. The same is true of data associated with social media and other apps. A lot of this data finds its way into the data market.
There is also a more restricted type of access just for law enforcement agencies. Google maintains a database called “Sensorvault” which contains detailed location histories of millions of cell phones. Police departments in the US ask Google to provide data about all devices present in a certain region across a certain duration under a “geofence” warrant. Of course, the police can also obtain location data from the carriers under a warrant.
In India, any police officer above the rank of a Superintendent can ask for a Call Detail Record (CDR) from the carrier. These records will also contain location-related information. Other government agencies, like tax departments and intelligence cells, can also obtain these records subject to certain permissions.
Use & abuse of location data
Surprisingly, even US government agencies buy data from this market. A company very popular with US law enforcement agencies is Babel Street because it enables the agencies to do the job of locating people without a warrant! Homeland security has also bought location data to monitor movements of people near the US-Mexico border.
Unsurprisingly, the data is also available with shady companies. In one investigation a reporter paid $300 to get a company to track him down so that he could demonstrate how a bounty hunter could track anyone. There have also been other instances.
For the location data obtained from Google’s “Sensorvault”, investigating agencies try to narrow down potential suspects from this list which contains names of all who were present within the given geofenced zone during a given period. The problem with this approach is that it runs the risk of ensnaring the innocent and amounts to a fishing expedition. This has led to innocent people being arrested for something they had no connection with. It is something that has a fair chance of happening every now and then.
Location data is also purchased by local data aggregators who give it to ad placement agencies or other sundry local service providers. Primarily, it is used for serving locally targeted ads. When you drive into a town your apps and browser will show ads for eateries in that town. Google ad placement services also use location data, along with other personal data, to customize ads shown to you. This is its greatest commercial use.
But deeper than that, location data is used for building “customer profiles” that contain eerie amounts of information relating to lifestyle, priorities, professional and personal habits – basically, everything that can be inferred from continuous location tracking.
The most horrific use of location data is to identify a person, their place of work and residence. A New York Times investigation shows that by examining anonymised location data trails, and combining the emergent movement patterns with public information, like addresses associated with a given location, it was not very difficult to identify people. The Times obtained location data from the secondary data market. Not only could the investigators identify famous people from their mobile location trails but they could also do this for political activists present at protest marches. The report says, “… pings at the protest connected to clear trails through the data, documenting the lives of protesters in the months before and after the protest, including where they lived and worked.”
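What the Times investigation relied on can be stated as a small check, and it is the check a data protection review should run before any such dataset is kept, shared or released. The example below is added here; it is not code from the article or from the investigation. It takes trails tagged only with a random id, finds the grid cell each device spends its nights in and the cell it spends working hours in, and then measures how many ids are unique on that (night, day) pair alone: a unique pair is an address lookup away from a name. The device ids, coordinates, trails and the 110 m grid size are constructed assumptions; the trails are generated synthetically so the block runs offline.

```python
from collections import Counter
from datetime import datetime, timedelta


def cell(lat, lon, decimals=3):
    """Snap a point to a grid cell; 3 decimals is roughly a 110 m cell (assumption)."""
    return (round(lat, decimals), round(lon, decimals))


def dominant_cell(trail, hour_from, hour_to, decimals=3):
    """Most visited cell among samples whose hour falls in [hour_from, hour_to).
    A window that wraps past midnight (22 -> 6) is handled."""
    counts = Counter()
    for ts, lat, lon in trail:
        h = ts.hour
        if hour_from < hour_to:
            in_window = hour_from <= h < hour_to
        else:
            in_window = h >= hour_from or h < hour_to
        if in_window:
            counts[cell(lat, lon, decimals)] += 1
    return counts.most_common(1)[0][0] if counts else None


def home_work_guess(trail, decimals=3):
    """Where the device spends its nights and its working hours. No name and
    no account are needed: the regularity of an ordinary life is enough, and
    an address lookup then turns the two cells into an identity."""
    return {"night": dominant_cell(trail, 22, 6, decimals),
            "day": dominant_cell(trail, 10, 17, decimals)}


def reidentification_risk(trails_by_id, decimals=3):
    """Share of 'anonymous' ids whose (night cell, day cell) pair is unique in
    the dataset. A unique pair means the random id protects nothing."""
    pairs = {dev: tuple(home_work_guess(t, decimals).values())
             for dev, t in trails_by_id.items()}
    freq = Counter(pairs.values())
    unique = sorted(dev for dev, p in pairs.items() if freq[p] == 1)
    return {"unique_ids": unique, "fraction_unique": len(unique) / len(pairs)}


def make_trail(home, work, days=3, start=datetime(2020, 5, 18)):
    """Constructed 30-minute trail: nights at home, office hours at work, and
    a different point on the way between them during commuting hours."""
    trail = []
    for step in range(days * 48):
        ts = start + timedelta(minutes=30 * step)
        h = ts.hour
        if h >= 21 or h < 8:
            lat, lon = home
        elif 10 <= h < 18:
            lat, lon = work
        else:
            f = (step % 4 + 1) / 5
            lat = home[0] + f * (work[0] - home[0])
            lon = home[1] + f * (work[1] - home[1])
        trail.append((ts, lat, lon))
    return trail


# Constructed devices with random-looking ids (not real people). Two share a
# home cell, two share a work cell; none shares both.
DEVICES = {
    "a1f3": make_trail((19.1334, 72.9133), (19.0760, 72.8777)),
    "b7c2": make_trail((19.1334, 72.9133), (19.0176, 72.8562)),
    "c9d0": make_trail((19.0544, 72.8406), (19.0760, 72.8777)),
}

if __name__ == "__main__":
    for dev, trail in DEVICES.items():
        print(dev, home_work_guess(trail))
    print(reidentification_risk(DEVICES))
    print("whole-degree cells:", reidentification_risk(DEVICES, decimals=0))
```

On the constructed data every id is unique on its (night, day) pair even though two devices share a home and two share a workplace, which is the general result the investigation illustrates: a few regular dwell points single out a trail. Coarsening the grid to whole degrees (roughly 100 km) does make the three indistinguishable, but at that resolution the data is also useless for the contact tracing it was collected for. The protection cannot be bolted on afterwards by rounding; it has to come from not recording location at all, which is what the Bluetooth-only designs mentioned earlier do.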
In the hands of stalkers, extortionists, blackmailers, contract killers and lynch mobs, location data can be used for “going after people”.
In the hands of state agencies, except for a few legitimate scenarios, such data can be the true enabler of surveillance, often harassment and political vendetta, because it can be used to ascertain whom you are meeting where and for how long.
The COVID context
We have seen milder forms of socially inappropriate targeting when South Korea released anonymised but detailed location trails about COVID-19 patients into the public sphere. People could easily figure out the identity of the patients and harassed them on social media. Closer to home, a Karnataka government app for contact tracing – using location data – revealed the names and addresses of all patients on a map showing location trails, leading to harassment by neighbours.
An ethical hacker pointed out how the Madhya Pradesh government-run dashboard displayed detailed information about quarantined persons. The information revealed contained, “names of quarantined people, their device ID and name, OS version, app version code, GPS coordinates of their current location and GPS coordinates of their office …” A Wired analysis shows that anyone can locate COVID-19 patients in their vicinity through the Aarogya Setu app. If you spoof your own location you can not only explore any region but also use triangulation to focus so narrowly on an area that you could possibly identify and find the address (and name) of a patient.
It has been reported that the Aarogya Setu system has “predictively” located infection hotspots – because it records location – which would have “otherwise” (?) been missed. This is puzzling. If the COVID positive status of a person came to be known to the Aarogya Setu system from the Indian Council of Medical Research (ICMR) database then patient information is already there (including personal and location particulars); it can be analysed right away to see if many others are testing positive, from the same area.
If the “forecast” is being made based on self-assessment reported by individuals, then how does one know how many of these were really COVID-19 cases? In any case, such self-assessment is better and more cheaply done through tele-reporting to local helplines, followed instantly by medical advice on how to proceed. This is better than getting medical administrative personnel to screen centralised lists generated by the app and then make phone calls to suspected patients – a process that involves time delays and anxiety. Such helpline reporting also obviates the need for an app that does location tracking and a smartphone, and will still generate hotspot formation alerts if too many people are calling in from a given area.
Location data collected by COVID-19-related apps can reach the data markets because it may not be secured sufficiently well, or the app design permits leakage, or the servers are hacked – we saw enough examples above. From the data market, it can reach anyone – advertisers, stalkers, criminals, political opponents, and so on.
Location tracking can be fatal for democracy in terms of the chilling effect that it has on political freedoms in general and the freedom of expression in particular. In its landmark ruling to enforce location data protections, the US Supreme Court noted, in 2018, that such data provides, “an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations.’”
The lesson that this holds is that apps and frameworks built for tracking people during the pandemic should not use location tracking. If at all such apps are made, they must come with iron-clad guarantees that the collected data will never be used for anything else, that it will never be made accessible to any other agency (other than a well-defined health authority), that such authority will be liable for harms that come to individuals through hacks, breaches or malfunctioning of the app; and that the app will stand automatically withdrawn through a sunset clause, and all data deleted.
A lesson unlikely to be honoured by authoritarian governments or corporations for whom such data is money.
Anurag Mehra teaches engineering and policy at IIT Bombay. His policy focus is the interface between technology, culture and politics.