App-based location data has been used against individuals, and that presents real risks for those people and organizations.

The market for you and your device’s location is enormous and growing. That data is collected by your network provider, by apps on your smart devices, and by the websites with which you engage. It is the holy grail of marketing, and infosec’s nightmare. Companies that produce location-tracking algorithms and technological magic are riding the hyper-personalized marketing rocket, which continues to expand at breathtaking speed. In the fall of 2021, Grandview Research estimated the U.S. market alone to be approximately $14 billion USD and expected it to expand at a compound annual growth rate (CAGR) of 15.6% from 2022 to 2030.

With growth projections of this size, the segment is no doubt considered a sweet sector in which to be engaged. It’s another example of the robust, cutting-edge infrastructure that IT and security departments support presenting new challenges with regularity.

Dangers of sharing location data

The long trail of data left by your employees, when aggregated, may provide competitors an overt means to deduce your company’s research and development efforts, identify public instances of your trade secrets, and catalog the location of your employees and corporate assets. The insights may range from something as innocuous as who is attending the corporate customer convention to who is working on the latest widget that will slice bread differently, or the pattern of executive engagement and movement prior to or during a crisis. All of the above is expected in the world of competitive intelligence.

Another challenge that engineers and those who support these apps and algorithms may not have had in the calculus is how the information can be used against individuals as opposed to for the benefit of the individual.
Yet such is the case within the context of the Roe v Wade case before the Supreme Court of the United States and the various anti-abortion laws that have been passed in some of the states within the U.S.

Indeed, Vice magazine’s article “Data Broker Is Selling Location Data of People Who Visit Abortion Clinics” noted how, “It costs just over $160 to get a week’s worth of data on where people who visited Planned Parenthood came from, and where they went afterwards.” The piece continues with the identification of the entity selling the data, SafeGraph: “SafeGraph ultimately obtains location data from ordinary apps installed on peoples’ phones. Often app developers install code, called software development kits (SDKs), into their apps that sends users’ location data to companies in exchange for the developer receiving payment.” While SafeGraph declined to comment directly to Vice, the CEO did publish a denial via a Tweet.

Surveillance Technology Oversight Project Research Director Eleni Manis commented how the organization’s report on the use of technology to track women “lays out the steps that states, abortion providers, and tech companies must take to improve privacy protections for pregnant people, while also describing the steps pregnant people can take to protect themselves from digital surveillance.”

The Markup did a deep dive into the industry and located 47 different companies involved in the data location sector in September 2021. Its story highlighted how data from a Muslim prayer app was sold to military contractors. A Catholic news outlet used data to track a gay priest who frequented gay bars. Another data company sold data to the U.S. government for use in support of immigration monitoring.
Separately, social media was alight with warnings that apps that women use to track their menstrual periods were being harvested to identify those who may be pregnant by anti-abortion entities and law enforcement in some states.

SDKs to add location tracking to other apps

The most interesting data point drawn from the Markup piece is the clarity of its explanation of how the various data aggregators create SDKs that are available for licensing, oftentimes at no cost, for integration into an entity’s application. Thus, the application’s developers have the functionality provided by the SDK, and the company that developed the SDK harvests the data for its own use.

Growing pressure to regulate use of location data

The collection and use of data to identify pregnant women who may be exercising their healthcare choices was the proverbial straw that broke the camel’s back with respect to congressional interest. A letter addressed to U.S. FTC Chairman Lina Khan, signed by 16 senators, asked the FTC to investigate this lightly regulated sector. Their questions:

What measures is the FTC taking to ensure individuals have the right to review and remove their information online and assist them should their data be sold or if they become victim to a breach?
How does the FTC plan to mitigate harms posed by mobile phone apps that are developed to collect and sell location data?
How is the FTC educating individuals about how to identify apps that collect and sell their location data?
What is the FTC doing to coordinate with the Department of Justice, states and localities, health care providers and private stakeholders to prevent data brokers and others from gaining access to the personal information of women and their healthcare decisions?
Does the FTC need additional resources to better protect women from having their personal location data bought and disseminated by data brokers?

While the letter requested the FTC provide answers, the questions should also serve to guide every company that engages in evolving commercial offerings or creates SDKs for embedding by others as to the focus of those who create the laws of the land.