In This Chapter
- The Promise Delivered: One Tuesday in Jordan's Life
- 18.1 The Smartphone as a Surveillance Device You Carry Voluntarily
- 18.2 Location Data: The Architecture of Tracking
- 18.3 Location Data in Law Enforcement
- 18.4 App Permissions: What They Actually Mean
- 18.5 Metadata: The Map of a Life
- 18.6 Digital Exhaust: Byproduct Data
- 18.7 Jordan Downloads Their Data
- 18.8 What Data Brokers Do With Location Data
- 18.9 The Chilling Effect on Movement
- 18.10 Practical Steps: Managing Smartphone Surveillance
- Chapter Summary
- Key Terms
- Discussion Questions
Chapter 18: Smartphone Surveillance: Location Data and Digital Exhaust
The Promise Delivered: One Tuesday in Jordan's Life
This chapter begins where the textbook began — with the promise made in Chapter 1 that we would follow Jordan Ellis through a single day and map, in detail, the surveillance data generated by that day. We have spent seventeen chapters building the conceptual tools to understand what that mapping reveals. Now we use them.
It is a Tuesday in October. Jordan has an 8 AM shift at the warehouse, afternoon classes at Hartwell University, and an evening dinner at a friend's apartment. It is an ordinary day — not a day with anything to hide, not a day with any political significance or unusual activity. Just Tuesday.
What follows is not Jordan's experience of that Tuesday. It is what Tuesday looked like to the data systems that recorded it.
5:47 AM — Jordan's iPhone sends a background signal to Apple's servers, confirming the device is active and reporting its location (GPS, to within 8 meters) to apps with background location access: Google Maps (2 pings), a weather app (1 ping), and a food delivery app (1 ping). The phone's location is registered: Jordan's apartment building, Hartwell neighborhood.
6:12 AM — Jordan opens Instagram. The app records the time, the device identifier, the account, and the location. A behavioral profile note: Jordan opens Instagram in bed, before getting up, on 89% of mornings in the past three months.
6:18 AM — Jordan's apartment WiFi logs a connection handshake, timestamp, device identifier. The apartment building's ISP logs an outbound data request: Instagram servers, volume 2.3 MB, timestamp.
6:41 AM — Jordan leaves the apartment. The building's electronic key fob system logs an exit event: Unit 4B, timestamp 6:41:33 AM. Jordan's phone's GPS engine begins triangulating from satellite signals plus two nearby cell towers (Tower ID 7441 and 7442, carrier AT&T) and a WiFi positioning system that maps Jordan's location from the signal strengths of nearby WiFi networks. The phone's accelerometer detects motion patterns consistent with walking.
7:03 AM — Jordan stops at a coffee shop. The phone detects the coffee shop's WiFi network (the phone does not connect, but its WiFi probe requests — broadcast automatically as the phone searches for known networks — are logged by the coffee shop's WiFi infrastructure). Jordan pays with a debit card: the transaction records the merchant, time, amount, and account. A third-party payment processor records additional identifiers. The coffee shop's point-of-sale system records the purchase item (one medium coffee, one bagel).
7:14 AM — Jordan boards a city bus. The transit authority's card reader logs the fare payment (SmartTrip card, account number, timestamp, route). The city's traffic management system cameras capture the bus's location every 30 seconds. A transit authority analyst could place Jordan on Bus Route 44, stop 12, at 7:14 AM.
7:31 AM — Jordan arrives at the warehouse. The employer's biometric timeclock scans Jordan's fingerprint (or handprint) and logs the clock-in: Employee ID, timestamp, location. The warehouse's WiFi network logs Jordan's device connection. Jordan's phone continues sending location pings to background apps.
7:31 AM to 2:47 PM — Jordan works. The warehouse's security cameras capture Jordan's movements through the facility approximately every 8 seconds. The warehouse management system logs every scan of every product Jordan handles: item barcode, timestamp, employee ID, location in the facility. Jordan sends two text messages during a break; the texts are transmitted through the carrier's network, which logs metadata: sender, recipient, timestamp, cell tower used. The content is encrypted; the metadata is not.
2:54 PM — Jordan leaves the warehouse, clocking out via the biometric system. Jordan's phone reconnects to the cell network and sends a burst of pings to the apps that hold foreground or background location permission and have been waiting to report.
3:15 PM — Jordan rides the bus to campus. A mounted camera in the bus reads license plates of vehicles passing through the intersection where Jordan's stop is located. Jordan's transit card is logged again. Jordan receives a text message that carries metadata: the sender's number, Jordan's number, the carriers of both parties, the timestamp, the cell towers routing the message.
4:00 PM to 5:45 PM — Jordan attends Dr. Osei's seminar on social theory. Jordan's phone is in their bag. It continues to ping background apps, log WiFi networks in the building, and record accelerometer data indicating Jordan is seated and stationary.
5:52 PM — Jordan searches Google Maps for the address of a friend's apartment. Google records the search query, the device identifier, the account, the location at the time of the search, and the destination query. The search is associated with Jordan's complete Google profile, which includes: six years of location history, every Google search ever conducted on this device, every YouTube video watched, every email received in Gmail, and the behavioral model derived from all of this data.
6:23 PM — Jordan arrives at the friend's apartment building. A Ring doorbell camera on the building entrance captures Jordan's face. The image is uploaded to Amazon's cloud. Jordan rings the intercom; the intercom system logs the ring event.
6:23 PM to 9:17 PM — Dinner. Jordan's phone is in a pocket or on a table. The friend's Alexa device is in the kitchen. The accelerometer data shows Jordan is stationary. The phone's microphone access has been granted to six apps; whether any of them are sampling audio during this period is not visible to Jordan.
9:31 PM — Jordan's Uber ride home is requested. Uber logs: the request time, the pickup location (to the meter), the destination, the driver's ID, the route taken, the duration, the payment. The ride-sharing company's algorithm records this data to a profile that now includes hundreds of previous rides.
10:04 PM — Jordan is home. The apartment key fob logs an entry event. Jordan's phone connects to the home WiFi and uploads a queue of data to multiple apps. Total location pings for the day: approximately 340. Data points generated: thousands.
This is what Tuesday looked like. Jordan experienced it as just a day. The data architecture experienced it as a high-resolution behavioral map of one person's life.
Now we need to understand the systems that produced this map — what they are, who holds the data, what they can do with it, and what it means for Jordan and for everyone else who carries a smartphone.
18.1 The Smartphone as a Surveillance Device You Carry Voluntarily
The Paradox of the Pocket Panopticon
The smartphone is the most consequential surveillance device in human history, and it is also the device people choose to carry with them everywhere, voluntarily, because it is genuinely useful. This paradox — that the most effective surveillance device is also the most valued personal technology — is at the heart of contemporary privacy analysis.
Previous surveillance technologies required the watcher to invest resources in watching. CCTV cameras had to be installed, maintained, powered. Cell tower records had to be subpoenaed. Mail had to be physically intercepted. Each of these required effort and expense that created some practical limit on surveillance volume.
The smartphone inverts this economics. The person being surveilled carries the surveillance device, powers it, maintains it, and pays for the data plan that transmits surveillance data to remote servers. The watcher pays almost nothing. The watched pays for the apparatus of their own watching.
This inversion is the central structural fact of smartphone surveillance. It explains why smartphone surveillance is so comprehensive and so persistent — because the economic incentive structure that normally limits surveillance (you have to pay for surveillance) has been reversed (the surveilled pay for their own surveillance through their use of ostensibly free services).
💡 Intuition Check: In the Tuesday mapping above, Jordan uses six apps that have location data: Google Maps, a weather app, a food delivery app, Instagram, Uber, and the transit authority's card system. Only one of those (the transit card) is a service Jordan is paying for directly. The others are "free." Why do free apps collect location data? The answer — that the data is the payment — will be familiar from Chapter 11. But the full implications of that exchange deserve scrutiny in this chapter.
What "Voluntary" Means
The framing of smartphone surveillance as "voluntary" — you chose to buy the phone, download the apps, agree to the terms of service — requires careful examination. In what sense is Jordan's use of Uber "voluntary" in a city where Uber has replaced much of the taxi infrastructure? In what sense is Jordan's use of Google Maps "voluntary" when it is the default navigation app on their phone and the alternative requires purchasing a paper map?
Voluntary, here, means "not physically coerced." It does not mean "freely chosen from among genuinely equivalent alternatives." It does not mean "chosen with full information about what the choice entails." It does not mean "chosen without economic pressure." The concept of voluntary in this context is impoverished. Surveillance scholars argue that the "voluntary use" justification for smartphone data collection is one of the most significant instances of consent-as-fiction in contemporary life.
18.2 Location Data: The Architecture of Tracking
Three Technologies of Location
Modern smartphones determine and record location through three distinct technical systems that are frequently used in combination:
GPS (Global Positioning System): Twenty-four satellites maintained by the U.S. Department of Defense broadcast signals that GPS receivers in smartphones use to triangulate position. GPS provides the most accurate positioning — typically within 4–8 meters horizontally — but requires an unobstructed view of the sky and draws significant battery power. GPS does not inherently transmit location to any external party; it only determines location. The transmission happens through apps with location access.
Cell tower triangulation: Smartphones continuously communicate with nearby cell towers to maintain network connectivity. By measuring the signal strength and timing from multiple towers, carriers and sophisticated apps can estimate the phone's location without using GPS. Cell tower triangulation is less accurate than GPS — typically within 100–500 meters in dense urban areas, much less precise in rural areas — but works indoors and requires no special location permission. Crucially, cell tower data is collected by the carrier regardless of what location permissions the user has granted to apps. The carrier always knows (approximately) where your phone is.
WiFi positioning: WiFi-enabled phones broadcast "probe requests" — messages searching for known WiFi networks — that can be logged by nearby WiFi access points. By comparing the known locations of WiFi access points against the signals received by a phone, WiFi positioning systems can estimate location with accuracy comparable to cell tower triangulation. The Android and iOS operating systems maintain databases of WiFi access point locations. A phone that is merely searching for WiFi — not connected to any network — is broadcasting location-enabling information to every nearby access point.
📊 Real-World Application: The combination of GPS, cell tower, and WiFi positioning creates what researchers call "persistent location tracking" — a location history that is available to carriers, to app developers, and to data brokers regardless of what the user does with their phone's location settings. Turning off GPS reduces app-based location tracking but does not eliminate cell tower data available to the carrier. Turning off WiFi eliminates WiFi positioning but reduces phone utility significantly. Airplane mode, which disables all radios, eliminates most tracking — but also eliminates the phone's functionality as a communication device.
The Location Data Broker Ecosystem
The location data that apps collect from smartphones does not stay with those apps. A significant portion is sold to location data brokers — companies whose primary business is acquiring, aggregating, and reselling precise location histories of large numbers of smartphones.
Major location data brokers that have been documented by journalists and researchers include:
SafeGraph: A company that aggregated location data from hundreds of millions of smartphones by partnering with app developers. SafeGraph sold access to its location database to researchers, retailers, governments, and other commercial clients. A 2021 investigation by Motherboard revealed that SafeGraph had sold location data to federal agencies including the Department of Homeland Security, raising concerns about warrantless government surveillance through commercial data purchases.
X-Mode (now Outlogic): A company that embedded its data collection SDK (software development kit) into hundreds of popular apps, collecting location data that it then sold. A 2020 investigation by Motherboard found that X-Mode had sold location data to military contractors and to companies working with U.S. military intelligence agencies.
Veraset: A spinoff from SafeGraph that continued location data brokerage operations following investigations into SafeGraph's practices.
NinthDecimal, PlaceIQ, Foursquare (Pilgrim SDK): Additional major players in the location data brokerage market, each aggregating location data from millions of devices through app partnerships.
The location data broker ecosystem operates almost entirely without users' awareness. The weather app that requests location access to "provide accurate forecasts" may also have embedded an SDK that sells that location data to a broker. The food delivery app, the game, the flashlight utility — any app that has been granted location access may be a data collection vector for the broker ecosystem.
🎓 Advanced Concept: The SDK Economy
Apps generate revenue in multiple ways: direct payment, in-app purchases, advertising, and data monetization. For many small and mid-sized apps, data monetization through SDK (Software Development Kit) embedding is significant. An SDK is a pre-built code package that developers embed in their apps; many SDKs collect behavioral or location data and send it to the SDK provider, who monetizes it. The app developer receives a fee or revenue share. The user sees an app that has been granted location permission; they do not see that their location data is flowing to a data broker through an SDK they have never heard of.
App stores' review processes do not systematically detect or block SDK-based data collection. Privacy researchers who have reverse-engineered popular apps have found dozens of different tracking SDKs embedded in a single application. The average popular app embeds six to ten third-party SDKs with data collection components.
18.3 Location Data in Law Enforcement
Geofence Warrants: The Digital Dragnet
We have discussed geofence warrants in Chapter 16 in the context of Ring cameras. The more significant current application is to smartphone location data, particularly the data held by Google, Apple, and location data brokers.
A geofence warrant instructs a technology company to identify every device that was within a specified geographic area during a specified time window. In the context of a criminal investigation, police might request every Android device that was in a two-block radius around a crime scene between 2 PM and 4 PM on a specific date. Google, which maintains detailed location histories for Android users who have not disabled the feature, can potentially fulfill such requests.
The constitutional problem with geofence warrants is their inherent overbreadth. A traditional warrant specifies the person or property to be searched. A geofence warrant specifies a place and time and requests data about everyone present — the vast majority of whom have no connection to the crime being investigated. Every Android user who happened to walk through that neighborhood in that two-hour window has their location data captured by the warrant.
The New York Times' investigation of geofence warrant use found that Google received thousands of geofence warrants annually, with requests increasing by over 1,500% between 2017 and 2019. The ACLU and EFF have argued that geofence warrants are presumptively unconstitutional under the Fourth Amendment. Lower courts have reached divergent conclusions; the Supreme Court had not definitively addressed the issue as of this writing.
📊 Real-World Application: In 2019, Zachary McCoy received a notice from Google informing him that the company had received a geofence warrant from police who were investigating a burglary. McCoy had been in the area on his regular bicycle route. He had not committed any crime. He was asked by police to identify himself. McCoy's experience was not unique: several geofence warrant cases have involved people who were in the relevant area for innocent reasons and were nonetheless swept into the investigative process. The warrant's overbreadth is precisely its danger.
Tower Dumps: Mass Carrier Surveillance
A cell tower dump (or tower dump) is a law enforcement request to a carrier for records of all devices that connected to a specific cell tower during a specific time window. Unlike a geofence warrant, a tower dump does not require a company like Google to process location data — it goes directly to the carrier's records of cell connections. Tower dumps can capture thousands or tens of thousands of device records for a single request covering a few hours.
Tower dumps have been used extensively in law enforcement. A 2020 investigation by the New York Times found that police departments across the United States had used tower dumps to investigate crimes ranging from murder to relatively minor offenses, capturing data about thousands of innocent people in the process.
Neither geofence warrants nor tower dumps require police to already have a suspect. They are investigative fishing expeditions — ways of generating lists of people who were present in an area, from which investigators hope to identify suspects. This reversal of the traditional investigative logic, from suspicion leading to evidence to mass data leading to suspicion, represents a fundamental shift in how surveillance functions in law enforcement.
🔗 Connection to Chapter 2: The panopticon's function was to produce behavior change through the possibility of observation. Mass location surveillance in law enforcement produces a similar effect at the population level: when people know (or suspect) that their location data may be swept into criminal investigations based purely on presence in an area, they may avoid locations associated with investigation — protests, clinics, certain neighborhoods — not because they are doing anything wrong but because they do not want to appear in a dataset. This chilling effect on location behavior is a new form of panoptic social control.
18.4 App Permissions: What They Actually Mean
Reading the Permission Screen
When an app requests a permission — "allow [app] to access your location," "allow [app] to access your microphone," "allow [app] to access your contacts" — the permission screen presents this as a clear choice: allow or deny. The clarity is illusory.
What the permission screen does not tell you:
- Whether the app will use the permission only for the purpose stated (or at all related to the stated purpose)
- Whether the app has embedded SDKs that will also collect data through the granted permission
- Whether location data collected will be shared with third parties
- Whether "background location" access (if granted) means the app will collect location data 24 hours a day, not only when you are using the app
- Whether the app will continue to access the data stream if you stop using the app regularly
The permission system assumes that users will read app privacy policies before granting permissions. Research consistently finds that they do not. The average privacy policy takes approximately 10 minutes to read; a user who read the privacy policy of every app on their phone before granting permissions would spend weeks per year on policy review.
⚠️ Common Pitfall: Many students believe that restricting an app to "only while using the app" location access provides meaningful protection. It does not, for two reasons. First, if you use the app while commuting, while at work, and while at home, "only while using" still provides a detailed location profile. Second, the restriction to "only while using" does not restrict data collection by embedded SDKs, which may operate on their own schedule regardless of app foreground status.
The Microphone and Camera
Apps that are granted microphone or camera access have the technical capability to record audio or video at any time when they are running. Whether they do so — and what they do with the recordings — is disclosed in privacy policies that most users do not read.
Several documented cases have involved apps that used microphone access in ways users did not anticipate:
Shazam (music recognition app): Researchers found that Shazam continuously sampled microphone audio in the background even when the user was not using the app. The company described this as necessary for the app's core function.
Various retail apps: Research by the Privacy Lab at Yale Law School found that several shopping apps appeared to activate microphone access during television commercials, apparently to identify what the user was watching for targeting purposes.
Music and social apps: Security researchers at Wandera and other firms have documented dozens of apps that accessed device microphones or cameras in circumstances unexplained by their disclosed function.
The difficulty for users is that microphone activation events are not easily visible without specialized monitoring tools. A phone's camera indicator light (where present) signals camera activation; no equivalent indicator exists for microphone access in most operating systems.
The Accelerometer: Surveillance Through Motion
The accelerometer — the sensor that detects the phone's orientation and movement — does not require a user permission to access. Any app can read accelerometer data without asking. This creates a surveillance vector that users cannot restrict.
What can be inferred from accelerometer data?
Gait analysis: The pattern of movement detected by an accelerometer when a person is walking is sufficiently distinctive that it can serve as a biometric identifier — "gait fingerprinting." Research has demonstrated that a person's gait pattern, captured through a smartphone accelerometer, can identify them with 90%+ accuracy across different phones and different days.
Activity inference: Accelerometer patterns distinguish walking, running, cycling, driving, riding in an elevator, and sitting. Combined with location data, activity inference provides a detailed picture of daily routine.
Context inference: Characteristic vibration patterns allow inferences about environment: train travel (distinctive rail vibration), elevator use, typing on a keyboard, and other contextually informative physical states.
Sleep monitoring: Smartphones placed on a bed surface (as many people keep them overnight) produce accelerometer data that sleep tracking apps use to analyze sleep quality. The same data is accessible to any app running in the background.
The accelerometer's combination of high informational yield, no permission requirement, and continuous availability makes it one of the most important and least understood surveillance sensors in the smartphone ecosystem.
18.5 Metadata: The Map of a Life
What Metadata Is
Metadata is data about data. In the context of communications, metadata describes the circumstances of a communication — who communicated with whom, when, for how long, from where — without containing the communication's content. The content of a text message is "what you said." The metadata of that text message is "you texted this person, at this time, for this duration, from this location, using this carrier."
Government officials and technology executives have sometimes characterized metadata as less sensitive than content — "we only collect metadata, not the content of communications" — as if this diminished the privacy implications. The surveillance scholar community has consistently and effectively challenged this characterization.
Stewart Baker, former general counsel of the NSA, has been quoted as saying: "Metadata absolutely tells you everything about somebody's life." The technical case for this claim is straightforward:
- Your call records reveal your physician, your therapist, your attorney, your religious institutions, your political organizations, your intimate partners, and everyone else you communicate with.
- The timing and duration of calls reveal the intensity of relationships.
- Location metadata reveals where you live, work, worship, receive medical care, and spend your private time.
- Communication metadata, combined with location metadata, creates a map of your social network, your daily schedule, your political activity, and your intimate life — with no need to ever read a single message.
The Supreme Court recognized this in Carpenter v. United States (2018), ruling that the government generally needs a warrant to obtain historical cell phone location data from carriers, precisely because such data provides such a comprehensive window into the private lives of individuals.
📊 Real-World Application: In 2013, researchers at Stanford's Security Lab (the "MetaPhone" project) demonstrated that they could infer sensitive information from phone metadata alone. Using volunteers' call and message metadata, the researchers were able to correctly identify participants who had a particular medical condition (from calls to specialist physicians and medical supply companies), participants who were exploring a specific religious affiliation (from calls to relevant organizations), and participants' romantic relationships. The research confirmed what intelligence professionals had long known: metadata is a comprehensive map of a life.
18.6 Digital Exhaust: Byproduct Data
Defining Digital Exhaust
"Digital exhaust" — also called "data exhaust" or "data trails" — refers to the data generated as a byproduct of digital activity, rather than data intentionally produced by the user. When Jordan used Google Maps to navigate to a friend's apartment, the intended action was navigation. The digital exhaust included: the timestamp of the search, the specific query terms, the device identifier, the location at the time of the search, the destination, the route taken, the speed of travel (which Google inferred from movement data), and the behavioral inference that Jordan was visiting a social contact at a residential location in the evening.
Jordan produced this exhaust without knowing it. The exhaust was not a requested product; it was a byproduct of a useful service. But for Google, the digital exhaust is more commercially valuable than the navigation service itself.
The concept of digital exhaust captures something important about the surveillance economy: the most commercially significant data is often not the data that users knowingly produce (their posts, their uploads, their explicit profile information) but the data generated invisibly as they use digital services. Users optimize the intentional data they share — they present curated versions of themselves on social media. They cannot optimize their digital exhaust because they do not know it is being generated.
Categories of Digital Exhaust
Digital exhaust encompasses:
Behavioral timing data: When you check an app, how long you spend on each item, when you put the phone down. This data is generated by almost every app and is used extensively in engagement optimization.
Search query patterns: Not just what you searched but when, from where, in what sequence. The pattern of queries over time is more revealing than any individual query.
WiFi probe requests: The list of WiFi networks your phone searches for, broadcast in its probe requests, reveals every place you have ever connected to WiFi, including home networks (which are often named to identify the household), workplace networks, and networks at locations you have visited.
Bluetooth signal history: Smartphones continuously scan for Bluetooth devices. In retail stores, event venues, and urban environments, Bluetooth tracking beacons log the presence of phones passing through their range. This data is collected without any interaction from the user.
App launch and close events: The record of when apps are opened and closed builds a behavioral log of the user's digital routine.
Purchase metadata: When you pay for something electronically, the metadata of the transaction — merchant category, time, amount — is available to your bank, to payment networks, and (through data broker relationships) to a range of third parties.
The totality of digital exhaust, aggregated across the many systems that collect it, constitutes a comprehensive behavioral record that neither the user nor any single collector is aware of as a whole. The surveillance is distributed; the subject of the surveillance is integrated.
18.7 Jordan Downloads Their Data
Dr. Osei's seminar assignment this week is to download your Google Takeout data — the archive of all information Google has collected about you — and analyze what it reveals.
Jordan has been using their Google account since they were fifteen years old. The Takeout archive, when it arrives in Jordan's email 24 hours after being requested, is 18 gigabytes.
Jordan opens it with a knot in their stomach that they can't entirely explain.
The contents:
Location history: A file called "Location History.json" that, when Jordan opens it in a viewer, becomes an animated map of the past seven years. There is Jordan's parents' house in Cincinnati, visited every Thanksgiving and Christmas and most summer weekends of high school. There is the exact route Jordan walked to school every morning — the shortcut through the park visible because the track deviates from the road. There is a 10-day gap in the spring of junior year, which Jordan remembers as the weeks after they came out to their parents, weeks Jordan spent mostly in their bedroom.
The present: There is Jordan's apartment. There is the warehouse, with seven months of precise arrival and departure times. There is Hartwell University's campus, with locations precise enough to identify which building Jordan has been in. There are the three times Jordan went to the campus health clinic over the past year. There is the Pride rally in the park last June.
Jordan sits with that last one for a moment. The Pride rally. Jordan's presence there, on a specific afternoon, logged to Google's servers. Google knows Jordan went to a Pride event. Google knows the address of Jordan's apartment. Google knows Jordan's employer. If Google's data were shared — with an employer, a family member, a government agency — the combination of facts would reveal Jordan's sexual orientation in a jurisdiction where that revelation could have consequences.
Jordan thinks: I knew Google was tracking me. I knew it abstractly. But I didn't know it was this.
This is the gap that data literacy is designed to close — the gap between abstract knowledge ("Google collects data") and concrete comprehension ("Google has a seven-year animation of my life"). Jordan is closing it.
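To make concrete what a "Location History.json" file gives away, here is an added example (not from the book, not Google's tooling, and not Jordan's data) that turns Takeout-style records into dwell-based visits and then pulls out the arrival and departure log for one address, the kind of seven-month warehouse record Jordan found. The records are constructed; the field names (timestampMs, latitudeE7, longitudeE7, accuracy) follow the older Takeout export layout, while newer exports ship a Records.json with an ISO "timestamp" field instead. The 75 m clustering radius and 10-minute minimum dwell are assumptions, chosen to match the 8 m GPS accuracy of a typical ping.

```python
"""Turn Google Takeout location records into a list of visits.

Added example, not Jordan's data and not Google's tooling. The records in
SAMPLE_TAKEOUT are constructed; their field names (timestampMs, latitudeE7,
longitudeE7, accuracy) follow the older "Location History.json" layout.
Newer exports ship a Records.json with an ISO "timestamp" instead, so adapt
parse_record() for those.
"""
import json
import math
from datetime import datetime, timezone

# Constructed morning of pings on 2023-10-17 (a Tuesday), all UTC.
# Coordinates are fictitious: "home" at 40.0000,-83.0000, a "warehouse"
# about 1.1 km north of it, and single in-transit pings between them.
_BASE_MS = 1_697_520_000_000  # 2023-10-17 05:20:00 UTC
_HOME = (400_000_000, -830_000_000)
_WAREHOUSE = (400_100_000, -830_000_000)
_TRANSIT = (400_050_000, -830_000_000)
_PINGS = [  # (minutes after base, (latitudeE7, longitudeE7), accuracy in metres)
    (0, _HOME, 8), (5, _HOME, 12), (10, _HOME, 8),
    (20, _TRANSIT, 30),
    (40, _WAREHOUSE, 10), (70, _WAREHOUSE, 9), (100, _WAREHOUSE, 11), (130, _WAREHOUSE, 10),
    (140, _TRANSIT, 35),
    (150, _HOME, 8), (160, _HOME, 8), (170, _HOME, 9),
]
SAMPLE_TAKEOUT = json.dumps({"locations": [
    {"timestampMs": str(_BASE_MS + m * 60_000), "latitudeE7": lat, "longitudeE7": lon, "accuracy": acc}
    for m, (lat, lon), acc in _PINGS
]})


def parse_record(rec):
    """One Takeout record -> (UTC datetime, latitude, longitude)."""
    ts = datetime.fromtimestamp(int(rec["timestampMs"]) / 1000, tz=timezone.utc)
    return ts, rec["latitudeE7"] / 1e7, rec["longitudeE7"] / 1e7


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6_371_000 * math.asin(math.sqrt(a))


def extract_visits(takeout_json, radius_m=75.0, min_dwell_min=10.0):
    """Group consecutive pings that stay within radius_m of the group's first
    ping; keep groups lasting at least min_dwell_min. Each visit reports its
    centroid, start/end time, dwell in minutes and ping count."""
    points = sorted((parse_record(r) for r in json.loads(takeout_json)["locations"]),
                    key=lambda p: p[0])
    clusters, current = [], []
    for p in points:
        if current and haversine_m(current[0][1], current[0][2], p[1], p[2]) > radius_m:
            clusters.append(current)
            current = []
        current.append(p)
    if current:
        clusters.append(current)
    visits = []
    for c in clusters:
        dwell = (c[-1][0] - c[0][0]).total_seconds() / 60
        if dwell < min_dwell_min:  # a lone transit ping or a brief pass-through
            continue
        visits.append({
            "lat": round(sum(p[1] for p in c) / len(c), 6),
            "lon": round(sum(p[2] for p in c) / len(c), 6),
            "start": c[0][0], "end": c[-1][0],
            "minutes": round(dwell, 1), "pings": len(c),
        })
    return visits


def daily_log(visits, lat, lon, radius_m=150.0):
    """Arrival/departure log for one address: [(date, arrive, depart, minutes), ...].
    Run against an employer's coordinates this is the 'precise arrival and
    departure times' record; against a clinic's it is the visit count."""
    return [
        (v["start"].strftime("%Y-%m-%d"), v["start"].strftime("%H:%M"),
         v["end"].strftime("%H:%M"), v["minutes"])
        for v in visits
        if haversine_m(v["lat"], v["lon"], lat, lon) <= radius_m
    ]


if __name__ == "__main__":
    found = extract_visits(SAMPLE_TAKEOUT)
    print(f"{len(found)} visits found")
    for row in daily_log(found, 40.01, -83.0):
        print("warehouse:", row)
```

The same two functions, pointed at a clinic's or a rally site's coordinates instead of the warehouse, produce the clinic visit count and the afternoon at the Pride rally that Jordan found; the only input needed is the address.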
Search history: 847,291 searches since the account was created. Jordan scrolls through some of them: questions googled at 2 AM in high school that Jordan hoped no one would see. Medical questions. Financial questions. Questions about immigration (Jordan's mother is a permanent resident; Jordan has googled her visa status multiple times). Relationship questions.
YouTube history: Every video watched. Every pause. Every replay. The algorithm can infer from this list what Jordan finds comforting, what Jordan is curious about, what Jordan watches when anxious, and what Jordan has watched while grieving (three weeks of history, two years ago, in which the videos shift from Jordan's usual mix to an entirely different set — music videos from the 1990s that Jordan's late grandmother used to play).
Jordan closes the archive and sits quietly for a minute.
"Yara," Jordan texts. "You were right. About all of it. I looked at my Google data."
Yara replies: "I know. It's different when you see it, isn't it."
18.8 What Data Brokers Do With Location Data
The Market for Precision Location
Location data has significant commercial value across multiple markets:
Retail analytics: Retailers use location data to understand customer traffic patterns, measure the effectiveness of advertising, and target offers to people near their stores.
Real estate: Location data is used to analyze neighborhood demographics, predict property values, and identify development opportunities.
Financial services: Insurance companies and financial institutions use location data to inform underwriting decisions — whether you regularly visit high-risk locations, how regularly you commute (suggesting stable employment), and where you travel.
Advertising: Location data enables highly targeted advertising — reaching people who have visited specific locations, live in specific neighborhoods, or follow specific routines.
Government and law enforcement: Federal, state, and local government agencies have purchased location data from brokers as an alternative to seeking warrants, as documented by Motherboard investigations into SafeGraph and X-Mode.
The market for location data is estimated in the billions of dollars annually. The value derives from its precision and comprehensiveness: not a survey of where some people say they go, but a continuous, automated record of where identifiable devices (and therefore their human carriers) actually go.
The Re-Identification Problem
Location data is typically sold in "anonymized" form: identifying information such as name and phone number is stripped from the records and replaced by a persistent device identifier, usually the mobile advertising ID. That identifier is stable across every app on the device that reports it, so the records of one device can be stitched together even though the name is gone. This anonymization is routinely described as adequate privacy protection. It is not.
Research by Yves-Alexandre de Montjoye and colleagues at MIT demonstrated in 2013 that four location data points, four places and times, are sufficient to uniquely identify 95% of individuals in a dataset of 1.5 million people. That result held for data recorded only hourly and only to the resolution of a carrier's cell antennas; app-derived data with GPS precision and minute-level timing is more distinctive still. Four data points. If you know that a device was at a specific coffee shop on Monday morning, at a specific workplace on Monday afternoon, at a specific gym on Monday evening, and at a specific home on Monday night, you can identify who the device belongs to simply by cross-referencing against other available data (residential records, employer directories, fitness app data).
Location data that is "anonymized" by removing a name remains personally identifiable in practice. The re-identification vulnerability is known to everyone who works with the data professionally. "Anonymization" in the location data context is, as privacy researchers have characterized it, "security theater" — a privacy claim that provides legal cover without meaningful privacy protection.
📊 Real-World Application: In 2018, the New York Times acquired a dataset of smartphone location data from a location data broker and demonstrated that it could identify individuals within minutes of reviewing their location histories. The newspaper identified several specific people from the data, including individuals who had visited domestic violence shelters, psychiatrists' offices, and addiction treatment facilities — locations whose disclosure the individuals would clearly have wanted to keep private. The Times published the analysis without naming any of the individuals, but the demonstration proved that the data held in commercial databases was not functionally anonymous.
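The four-point result is easy to reproduce on a toy dataset. The following is an added example (not the de Montjoye paper's code and not the book's own material) with a constructed, pseudonymised set of four device traces, each a set of (time slot, place) points. match() is the query a broker's customer runs when they hold a few observed points of an unknown device; uniqueness() counts how often a k-point subset of a trace pins down exactly one device; generalize() coarsens places into neighbourhoods to show the paper's other finding, that coarser data is less unique. Device, place and area names are invented.

```python
"""Unique-in-the-crowd test on a pseudonymised location dataset.

Added example, not the de Montjoye et al. code and not the book's material.
TRACES is constructed: four devices, each a set of (time slot, place) points
with the device's real identity replaced by a pseudonym, which is the form
in which brokers sell "anonymized" data. All names are invented.
"""
from fractions import Fraction
from itertools import combinations

TRACES = {
    "device-1": {("mon_08", "coffee"), ("mon_09", "officeX"), ("mon_18", "gym"), ("mon_22", "homeA")},
    "device-2": {("mon_08", "coffee"), ("mon_09", "officeX"), ("mon_18", "gym"), ("mon_22", "homeB")},
    "device-3": {("mon_08", "coffee"), ("mon_09", "officeY"), ("mon_18", "gym"), ("mon_22", "homeC")},
    "device-4": {("mon_08", "coffee"), ("mon_09", "officeY"), ("mon_18", "pool"), ("mon_22", "homeD")},
}

# Coarser spatial resolution: neighbourhoods instead of addresses (invented).
AREA_OF = {
    "coffee": "downtown", "officeX": "downtown", "officeY": "downtown",
    "gym": "riverside", "pool": "riverside",
    "homeA": "eastside", "homeB": "eastside", "homeC": "westside", "homeD": "westside",
}


def match(traces, points):
    """Devices whose trace contains every observed (slot, place) point.
    This is the buyer's query: which pseudonym was at these places at these times?"""
    wanted = set(points)
    return {dev for dev, trace in traces.items() if wanted <= trace}


def uniqueness(traces, k):
    """Fraction of (device, k-point subset) pairs whose subset matches exactly
    one device, i.e. the expected chance that k randomly observed points single
    out their owner. Devices with fewer than k points contribute no subsets."""
    unique = total = 0
    for dev, trace in traces.items():
        for subset in combinations(sorted(trace), k):
            total += 1
            if match(traces, subset) == {dev}:
                unique += 1
    return Fraction(unique, total) if total else Fraction(0)


def generalize(traces, area_of):
    """Replace each place by its area, keeping the time slots; models a broker
    releasing data at neighbourhood rather than address resolution."""
    return {dev: {(slot, area_of.get(place, place)) for slot, place in trace}
            for dev, trace in traces.items()}


if __name__ == "__main__":
    coarse = generalize(TRACES, AREA_OF)
    for k in range(1, 5):
        print(f"k={k}: {float(uniqueness(TRACES, k)):.3f} unique at address level, "
              f"{float(uniqueness(coarse, k)):.3f} at neighbourhood level")
    # Two points already isolate device-1; an employer directory or a lease
    # record then turns the pseudonym into a name.
    print(match(TRACES, [("mon_09", "officeX"), ("mon_22", "homeA")]))
```

At address resolution the uniqueness climbs from 5/16 with one point to 1 with four, and the home address alone is enough for most devices; at neighbourhood resolution the same four points identify nobody, which is why the resolution of what is sold, not the absence of a name, is what decides whether the data is anonymous.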
18.9 The Chilling Effect on Movement
Where You Go Is Who You Are
The comprehensive location record that Jordan discovered in their Google Takeout archive is not merely a historical curiosity. It is a present threat to autonomy. Location data reveals religious practice (regular attendance at a mosque, temple, or church), medical activity (visits to specific clinics and hospitals), political activity (attendance at rallies, union meetings, political campaigns), and intimate relationships (overnight visits to specific residences, repeated co-location with specific people).
When people know that their location is being tracked, their behavior changes. The effect is the same as the chilling effect on speech that surveillance of communications produces — a modification of behavior not because anything is actually prohibited but because the possibility of surveillance creates anxiety about how behavior will be interpreted.
A 2016 study by Jon Penney documented chilling effects on Wikipedia use after the Snowden revelations about NSA surveillance, finding that views of articles on terrorism-related topics dropped significantly and stayed down. The same mechanism applies to location behavior: if people believe their location is being tracked, whether by employers, by government agencies, or by family members, they may avoid locations associated with stigmatized activities (clinics, recovery meetings, political gatherings) even when those activities are entirely legal.
This is the social cost of ubiquitous location surveillance that is most difficult to quantify. It is not that Jordan was arrested for going to a Pride rally. It is that knowing the record of their attendance is held in a commercial database, potentially accessible to employers and government agencies, makes Jordan — and many others — think twice before going to the next one.
18.10 Practical Steps: Managing Smartphone Surveillance
What You Can Do
No practical measure makes a smartphone fully private. But meaningful risk reduction is possible through deliberate configuration choices.
✅ Best Practice: Smartphone Privacy Audit
Location permissions:
- Review every app with location access (Settings > Privacy & Security > Location Services on iOS; Settings > Location and then the app permissions list on Android).
- Revoke location access for apps whose core function does not need it (games generally do not; a weather app needs a city, not a GPS fix).
- Change "Always" location access to "While Using" or "Never" wherever possible. "Always" is the setting that permits background pings while the phone sits in your pocket.
- Turn off "Precise Location" for apps that need a rough position but not an exact one.
- Turn off Google Location History (Timeline) and iOS Significant Locations unless you use the past-trips features they power.
App permissions generally:
- Audit all app permissions periodically from the privacy settings menus.
- Revoke microphone and camera access for apps where these are not core to the app's function.
- Review which apps have access to contacts, calendar, and health data.
- Limit the advertising identifier that brokers key their records on: on iOS turn off "Allow Apps to Request to Track" (Settings > Privacy & Security > Tracking); on Android 12 and later use "Delete advertising ID" under Settings > Privacy > Ads.
Reducing data exhaust:
- Use a privacy-focused browser (Firefox with uBlock Origin, Brave, or DuckDuckGo) for web browsing.
- Use a search engine that does not build user profiles (DuckDuckGo, Startpage).
- For sensitive searches (medical, legal, financial), use a separate browser profile or a device not tied to your identity. Private/incognito mode only keeps the history off the device; the search engine, your network provider, and any account you are signed into still see the query.
- Review Google Takeout annually to understand what data Google has collected.
Understanding your carrier's practices:
- Major carriers have sold location data to third parties and were fined by the FCC in 2024 for doing so. Review your carrier's opt-out options for data sharing.
- Opt out of carrier location data sales where these options are available.
Understanding your rights:
- In California and states with CCPA-equivalent laws, you have the right to request, delete, and opt out of the sale of your data from apps and data brokers. Exercise these rights annually.
- Submit opt-out requests to major data brokers (SafeGraph, LiveRamp, Acxiom, and others have opt-out processes, though they are deliberately difficult to use).
📝 Note: None of these steps provides complete protection. Cell tower data is collected by carriers regardless of app permissions. WiFi probe requests occur unless WiFi is turned off; current phones randomize the hardware address in those probes, which blunts but does not eliminate tracking, because the probe contents and timing can still be fingerprinted. The accelerometer requires no permission. But the steps above meaningfully reduce the commercial data collection that feeds the location broker ecosystem and reduce the data available to law enforcement through third-party requests.
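For the Android side of the audit, the following added example (not from the book) parses the output of `adb shell dumpsys package` and reports each app's effective location exposure, so every app that still holds "Always" access can be found in one pass rather than by tapping through the settings app. The sample output is constructed, and the `Package [...]` and `<permission>: granted=...` line shapes are assumptions drawn from current Android releases; confirm them against your own device. iOS has no equivalent command-line dump, so there the Location Services screen is the audit.

```python
"""Flag Android apps holding location permissions, from `dumpsys package` output.

Added example, not from the book. Feed it the text of
`adb shell dumpsys package` (every package) or the concatenated output of
`adb shell dumpsys package <pkg>` for each package listed by
`adb shell pm list packages -3`. SAMPLE_DUMPSYS is constructed and shaped
after the "Package [...]" and "<perm>: granted=..." lines recent Android
releases print; confirm the shape against your device before relying on it.
"""
import re

LOCATION_PERMS = {
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background",
    "android.permission.ACCESS_FINE_LOCATION": "fine",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse",
}
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.weather] (1a2b3c):
    userId=10101
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.ACCESS_BACKGROUND_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.delivery] (4d5e6f):
    userId=10102
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.game] (7a8b9c):
    userId=10103
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (0d1e2f):
    userId=10104
    install permissions:
      android.permission.INTERNET: granted=true
"""


def parse_grants(dumpsys_text):
    """package name -> set of permissions currently granted (granted=true).
    Lines under 'requested permissions:' carry no granted= field and are ignored."""
    grants, pkg = {}, None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)
            grants.setdefault(pkg, set())
            continue
        m = PERM_RE.match(line)
        if m and pkg and m.group(2) == "true":
            grants[pkg].add(m.group(1))
    return grants


def location_exposure(dumpsys_text):
    """package -> 'always' | 'while-using' | 'approximate' | 'none'.
    Background location only counts when a foreground grant exists, because
    Android does not deliver fixes to an app with no foreground permission."""
    out = {}
    for pkg, perms in parse_grants(dumpsys_text).items():
        kinds = {LOCATION_PERMS[p] for p in perms if p in LOCATION_PERMS}
        if "background" in kinds and kinds & {"fine", "coarse"}:
            out[pkg] = "always"
        elif "fine" in kinds:
            out[pkg] = "while-using"
        elif "coarse" in kinds:
            out[pkg] = "approximate"
        else:
            out[pkg] = "none"
    return out


def needs_review(dumpsys_text, allowlist=()):
    """Packages with 'Always' location that you have not explicitly accepted."""
    return sorted(p for p, s in location_exposure(dumpsys_text).items()
                  if s == "always" and p not in allowlist)


if __name__ == "__main__":
    for pkg, status in location_exposure(SAMPLE_DUMPSYS).items():
        print(f"{pkg:28s} {status}")
    print("review:", needs_review(SAMPLE_DUMPSYS))
```

The RECORD_AUDIO line in the sample shows the same parser covers the microphone and camera items on the checklist; swap the permission table to audit those.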
Chapter Summary
The smartphone is the most intimate surveillance device ever deployed at population scale. It knows where you go, who you communicate with, what you search for, what you buy, how you move, and — through digital exhaust — countless inferences about your beliefs, relationships, health, and psychology that you have never consciously disclosed.
The architecture of smartphone surveillance is built on reversed economics: the surveilled pay for and maintain the apparatus of their own surveillance. Location data brokers build commercial infrastructures on data that users generate without awareness or compensation. Law enforcement reaches the same records through geofence warrants served on platforms, tower dumps served on carriers, and outright purchases from brokers that bypass the warrant process, each of which captures the innocent along with the guilty. Metadata — the map of a life — travels without the constitutional protection the government has conceded to communication content.
For Jordan, downloading their Google Takeout archive closed the gap between abstract knowledge of surveillance and concrete comprehension of it. Seven years of location history. Nearly a million searches. The precise record of three visits to the campus health clinic. The afternoon at the Pride rally.
The data exists. It is held by companies with complex incentives about how to use it. It is accessible to employers, insurers, government agencies, and data brokers through a variety of mechanisms that are opaque to the people the data describes. Understanding that this is the world we inhabit — and choosing how to move through it deliberately — is what data literacy, in the full sense, requires.
Key Terms
Digital exhaust: Data generated as a byproduct of digital activity, rather than intentionally produced by users — including timing data, search patterns, WiFi probe requests, and Bluetooth signal history.
Location data broker: A company that aggregates smartphone location data (obtained through app partnerships and SDKs) and resells it to commercial and government clients.
Geofence warrant: A court order requiring a technology company to provide data about all devices present within a specified geographic area during a specified time window.
Cell tower triangulation: The method by which a phone's location is estimated from the timing and signal strength of connections to multiple cell towers. Collected by carriers regardless of app location permissions.
WiFi positioning: Location estimation based on the signal strengths of nearby WiFi networks, using database maps of known access point locations. Probe requests are broadcast by phones regardless of whether they are connected to any network.
Metadata: Data about communications — who communicated with whom, when, from where, for how long — without the content of the communication. Researchers have shown, and courts have increasingly recognized (notably in Carpenter v. United States, on historical cell-site records), that metadata reveals as much or more about individuals as content does.
Gait analysis: The inference of a person's identity from the distinctive pattern of their movement, detectable through smartphone accelerometer data.
Re-identification: The process of linking "anonymous" data to specific individuals using other available data points. In the de Montjoye study, four spatio-temporal points were enough to uniquely identify 95% of individuals in a location dataset; the persistent device identifier that replaces the name makes the linkage easier still.
Discussion Questions
- Jordan's Google location history includes their attendance at a Pride rally. Identify at least three scenarios in which the existence of this record in a commercial database could cause concrete harm to Jordan. For each, specify who would access the data and through what mechanism.
- Location data brokers describe their data as "anonymized." Based on the re-identification research described in this chapter, evaluate this claim. What legal or regulatory consequences should follow from the finding that location data anonymization is routinely inadequate?
- The chapter argues that smartphone surveillance is "voluntary" only in an impoverished sense. Do you find this argument persuasive? At what point does the practical necessity of smartphone use make "voluntary" a meaningless descriptor?
- Geofence warrants capture data about everyone in an area, not only suspects. Design a legal standard that would allow legitimate geofence warrant use while protecting innocent people swept into the data collection.
- After Jordan downloads their Google data and shares their reaction with Yara, they seem to move toward Yara's more critical perspective on surveillance. What might this moment mean for Jordan's relationship with Marcus, whose "nothing to hide" position has been challenged by Jordan's concrete encounter with what Google knows?