Online tracking is firmly fixed in the public consciousness as a trade-off for utilizing modern technology – tolerated, if not always accepted. When it comes to privacy in the physical world, however – as we leave our homes, hop onto public transport, traverse the streets, and enter our workplaces, malls, cafés, and bars – people expect not to be stalked by an all-seeing eye. But are we being tracked anyway?
GPS trackers are selling our locations in real-time. Bluetooth beacons are fencing us in at supermarkets. Facial recognition cameras are in streets, airports, and pubs. There are automated license plate readers, drones, and smart
doorbells. The data they collect provides an ever-richer profile of our
lives, including sensitive information related to our health and bodies, as well as our religious and political beliefs and our immigration status.
A range of high-tech methods and tools, employed by public and commercial actors for a variety of purposes, is eroding our ability to move through the world unrecorded. In varying degrees according to country and city, our location privacy is being dismantled. Any expectation for location privacy might be wishful thinking unless we take meaningful steps to protect it. Below, The Privacy Issue shares strategies for regaining a degree of autonomy over our movements.
If your phone’s location data settings are turned on, chances are that your current location is being sold to the highest bidder in real time, in an advertising market worth over $26.5 billion and growing fast. While the data is sometimes obfuscated (usually called "anonymization" by marketers) before it is sold, a New York Times study revealed how easy it is to identify an individual by combining raw data points. As Ron Wyden, Senator for Oregon, told the authors, “location information can reveal some of the most intimate details of a person’s life – whether you’ve visited a psychiatrist, whether you went to an A.A. meeting, who you might date...” Since then, we've learned how powerful these datasets have become as they are analyzed and stored in massive repositories.
Cell phone carriers also sell their customers' location data. In 2018, LocationSmart, a California data aggregation company, "claimed to have 'direct connections' to cell carrier networks to obtain real-time cell phone location data from nearby cell towers,” according to a report by ZDNet. Those carriers include Sprint, AT&T, T-Mobile, Verizon, Virgin, Boost, U.S. Cellular, and MetroPCS – which amounts to 95% coverage of the United States. Thanks to this access, LocationSmart can locate any U.S. cell phone user within 15 seconds and sell this to advertisers. In some cases, the data can be sold to bounty hunters, as Motherboard discovered – despite promises by carriers to cease the practice. These stories, and many others, reveal a market hungry for sensitive data that can be sold by apps and your cell carrier in real time without express consent. Perhaps it’s worth taking another look at your phone settings, which are the first line of defense (but not necessarily telling you the whole story).
What You Can Do
- Turn off your location data via software. Do your apps really need to know where you are in real time? Switch off location services on your devices and only turn them on when absolutely necessary. iPhone users also need to switch off Apple's Ultra Wideband (UWB) tracking. You may want to consider using airplane mode as often as possible and scrapping GPS altogether (taking screenshots of maps and directions is a reasonable, if less useful, alternative to turn-by-turn directions).
- Avoid data oversharing. Only download apps you trust, read their privacy policies, and limit the information you share via their privacy settings. Reconsider whether you really need every app you have installed, especially those that collect sensitive data such as financial or health information (e.g. menstrual/period trackers). You can also ask the apps you use – and your cell carrier – to clarify how they use your data in plain language via email, Twitter, or other social media channels.
- In the EU, make the most of your data protection rights. General Data Protection Regulation (GDPR) is a comprehensive, multinational authority that gives individuals a host of rights regarding the information companies request, retain, and process – including the right to be forgotten, enshrined in Article 17. Find out more about how to claim these rights.
- Turn off your location data via hardware. There are a few phones on the market promising to turn off your GPS and cell sensors via hardware kill switches. Your mileage may vary, but you might consider one of these phones as your future mobile device.
It’s not only cell tower signals, GPS, and WiFi that are giving away your location as you move through public spaces. As the New York Times reported in 2018, when we step inside retail spaces – notably supermarkets or big-box stores like Target and Walmart – small electronic devices called Bluetooth beacons can pick up on our location with high accuracy. These beacons communicate with our phones (in some cases, even when Bluetooth is switched off), track the products and displays we stop in front of, and may send us discount coupons or advertisements for similar products based on that information. The Bluetooth standard was updated in 2019 and again in early 2020, in part to better support these surveillance use cases. The rise of Bluetooth low-energy (BLE) devices as small as a coin is quickly making the technology ubiquitous, and Apple is actively pushing the technology via the de facto iBeacon standard as well as making Bluetooth difficult to disable.
Furthermore, third-party location marketing firms use beacon tracking codes to create a Software Development Kit (SDK), which developers can place in seemingly-unrelated apps that collect location data – such as weather or news apps. When combined with other information, the data collected about our location, movement, and shopping habits can be used to create a granular – and accordingly, lucrative – profile of us. These beacons have even been coupled with creepy ultrasonic spying, with SDKs in apps that open up device microphones and can be used to track proximity as well as the audio in the room.
What You Can Do
- Switch off. Turn off location services and Bluetooth settings when you don’t need them. Since Bluetooth beacons sometimes also emit ultrasonic tones that can be picked up by your device's microphone, check the apps that you give microphone access, as well.
- Check your apps. Use Exodus Privacy's excellent database of trackers to check if your app has known trackers that utilize Bluetooth beacons.
- Use a protective pouch. Purchase a phone pouch or Faraday bag that blocks electronic signals. Better yet, create your own. The artist Aram Bartholl provides step-by-step instructions.
- Scan for beacons. Android users can install an iBeacon Detector app to reveal nearby beacons. iPhone users can also try one of the iBeacon scanner apps. Unfortunately, the only way to block beacons is by turning off Bluetooth.
- Boycott retailers that deploy beacons. Where possible, avoid shopping at Target, Walmart, and many other stores that have been found to use beacons to track people moving through their spaces – a practice termed "proximity marketing".
The rise of facial recognition technology (FRT) – which utilizes biometric technology to identify individuals in real time – is very invasive of our privacy as we move through public spaces, airports, schools, and smart cities. A particularly-problematic element of FRT is that, although it is highly-accurate when it comes to identifying white men, it has been proven to be less accurate in identifying people of color, women, and transgender and non-binary people. This can lead to serious problems of discrimination in law enforcement.
Despite these issues, FRT’s use by law enforcement is widespread and growing. In the U.S., over 117 million Americans are included in FRT databases. Additionally, we now know about Clearview AI and its massive partnership with U.S. law enforcement. In the UK, police use of the technology is rapidly expanding. In September 2019, a Cardiff court ruled that the UK’s police use of automated FRT to find people in crowds was constitutional.
On both sides of the Atlantic, public concern is higher when it comes to the use of FRT by private companies such as advertisers or tech companies. FRT isn’t going anywhere – and lawmakers urgently need to catch up and implement regulation to govern its use while protecting civil liberties. There are growing calls for a moratorium preventing its blanket use in the meantime, such as the Automated Facial Recognition Technology Bill drafted by the UK’s House of Lords Select Committee on Artificial Intelligence in late 2019. For a more in-depth look, read The Privacy Issue’s feature on the facial recognition crisis, which includes our call to action on FRT.
What You Can Do
- Show your support. Sign Fight For the Future’s fast-growing petition to ban facial recognition, and join a local effort to get FRT banned where you live.
- Consider FRT when relocating. If you’re a resident of San Francisco, Oakland, Berkeley, Brookline, Cambridge, or Somerville in the U.S., you’re in luck – these cities have banned their local government departments, including police, from using FRT. At the time of publication, the city of Portland is also debating a ban on the private use of FRT. This interactive map tracks FRT usage across the United States.
- Avoid biometric boarding. Where possible, choose the airport queue with a human immigration officer instead of a FRT camera to let you into the country or to board your plane – though with more and more airlines adopting biometric boarding, sometimes this is not an option. The tool AirlinePrivacy.com calls out airlines that use the tech, and lists surveillance-free alternatives, like Air Canada or United.
- Shield your face. Several artist-led projects offer innovative ways to shield your face from being recognized by FRT. From infrared masks to clothing to hair and makeup and jewellery – or the more comprehensive prosthetic option from artist Leo Selvaggio – the techniques range from the straightforward to the extreme.
Automated License Plate Readers
Across the United States, car owners are being tracked via automated license plate readers (ALPRs) attached to road signs, bridges, toll booths and police cars. Using small cameras, ALPRs photograph thousands of plates every minute. These photographs and the information accompanying them – date, time, location – are uploaded to a server, which can be used by law enforcement to identify vehicles in real time. There are few limits on the time span for which this information – even that pertaining to motorists who have not broken the law or are under suspicion of doing so – can be stored. In general, there are currently very few rules governing or limiting the use of these databases, which leaves them free of oversight and open to abuse.
As the D.C. Circuit Court opinion in United States v. Jones stated, “A person who knows all of another’s travels can deduce whether he is a weekly churchgoer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups – and not just one such fact about a person, but all such facts.” These facts have been used to target certain communities – like in New York City, where police officers were reported to have driven unmarked police cars mounted with ALPRs in the vicinity of mosques to monitor their attendees. Civil liberties organizations such as ACLU and EFF are fighting back against the harms caused by ALPRs through official information requests and lawsuits. You can follow the latest news on this topic via the ACLU blog.
What You Can Do
- Educate yourself. Inform yourself about ALPRs. The ACLU provides a concise and informative interactive explainer on license plate readers. The EFF has consolidated a list of local government ALPR policies.
- Speak up. Talk to your local or state representative about what they’re doing to implement privacy protections for ALPR in your vicinity.
- Take public transportation. Leave the car at home and opt for an alternative form of transport (bonus points for the environment!).
Cameras in Public Spaces
As camera technology becomes ever-more-ubiquitous, it’s also becoming more surreptitious. Two forms of photography that are in the spotlight for the threats they pose to privacy are unmanned aircraft equipped with cameras, commonly known as drones, and home security systems with surveillance cameras, such as Amazon’s Ring. Neither of these technologies is currently governed by sufficient privacy regulations. In the case of drones – which are cheap, easy to obtain, and can capture sharp detail from afar – the Federal Aviation Administration (FAA) regulations that control their use are problematic. They do not specifically address flight over residential areas, making it possible for drone owners to film people in the privacy of their own backyards. Numerous studies have confirmed public concern about the potential for this behavior, though the FAA may soon require remote identification of drones, to mixed response from industry and amateurs alike.
The use of drones by police, as well as potential bad actors, for constant surveillance, is of equal concern, given the inconsistent patchwork of laws and regulations currently governing their use across the U.S. On a more encouraging note, police in the Netherlands have been training birds of prey to catch illegal drones as they fly through the sky.
When it comes to camera-equipped security systems, Amazon’s Ring offers a wide-angle view of residential entrances, streets, and sidewalks, as well as the option to have footage stored in a leaky, Amazon-controlled cloud. Recordings are kept for two months unless users delete them. Additionally, Ring has been working with police to offer discounted or free cameras to people via a subsidy program promoting the use of neighborhood cameras – and encouraging communities to share these videos. All of this increased, constant surveillance is occurring in and around one of the last remaining spheres of private life: the home.
What You Can Do
- Public outreach. The FAA has created a “No Drone Zone” digital toolkit with signage for print and web that you can print out and pin up to make your stance against drones clear.
- Petition your local rep. The Brookings Institute has published a list of recommendations for legislators to redress the privacy harms drones cause. They provide a good starting point for a discussion with your local government representative on the efforts they’re making to protect their constituents’ privacy.
- Be a good neighbor. Talk to your neighbors about alternative strategies for keeping your community safe without the need for privacy-invading surveillance systems.
- Tag and photograph surveillance cameras. Join Yale Privacy Lab's call to action and tag surveillance devices via OpenStreetMap. This map relies on the excellent work of Surveillance under Surveillance and can also be embedded in your website, for your town or city.