I’m Jennifer Valentino-DeVries, a tech reporter on the NY Times investigations team that uncovered how companies track and sell location data from smartphones. Ask me anything.

Any major apps I should immediately delete off my phone?

Hi. I know this is frustrating for people, but we don’t have a comprehensive list of apps for you to delete. This is because, in the course of our reporting, we learned that many apps gather the data, get it on their servers and then sell it to other companies. We can’t see that kind of sharing, can’t test it, and can’t learn about it unless the companies respond to us and acknowledge it.

It was important to us to not provide a list of apps that they could delete, because that could give them a false sense of security.

We provide instructions for checking your settings and limiting this information here.

And we do list the apps we tested, here, although these were what I would characterize as “spot tests” to see how the location tracking worked.
(Edited to fix links markdown problem.)

Hi Jennifer,

Thanks for doing this AMA. My question: What can be done to pressure tech companies into respecting digital privacy? Is this something that needs to be enshrined into law - that citizens have a basic right to digital privacy?

I'm sorry I don't have great answers for you. California recently enacted a privacy law, and the EU has a new one as well. So it will be interesting to see whether those have an effect on data-gathering practices, and whether those laws might be improved.

My earlier reporting suggests that it is difficult to pressure technology companies.

In economic terms, we are dealing with a question of asymmetric information. Under the system we have, involving long, difficult-to-understand privacy policies, many consumers do not appear to have the knowledge they need to make decisions about their data. (Some consumers do, of course, and are either happy to make the trade or happy to avoid the technology.)

Additionally, although people have the choice not to use certain services, some level of connectivity is necessary to take part in many aspects of society these days. And for many services, there aren't a lot of choices available to a consumer with average technical knowledge.

Those kinds of economic problems tend to point to a policy solution, rather than ones that are purely technological or market-based. That said, I'm a terrible prognosticator and would not advocate one solution over another at this point.

How would you convince someone who thinks that it isn't such a big deal that tech companies tracks / knows so much about us and don't care much about privacy?

Hi. In some ways, I don’t feel that I need to convince someone that this is a big deal or that they should care about such tracking. My role is largely to help ensure that people know what is going on. If people are truly aware of what is being done with their data, and they choose to share it, I think that’s a reasonable decision that people should feel empowered to make.

Right now, our reporting indicates that technology companies do not in fact give people adequate information to make such decisions. It’s buried in a difficult-to-understand privacy policy, and companies know that nobody reads or can decipher these.

I also think, though, that it’s difficult for people to conceive of ways in which their data can be used against them. This is natural. Nice people don’t generally think the way an authoritarian government or a hacker would.

But you can look to China and other countries to see how such data can be weaponized. And you can think back to our own history, for example the Red Scare, to conceive of how something that you might consider “nothing to hide” now could be used against you in the future.

Most unethical use of sold data you had came across ?

I'm not sure we could characterize any of these activities uses as "unethical." As far as we could tell, these activities are legal, although there are regulatory and ethical questions about whether apps and companies are misleading users about the collection and use of this data. As I mentioned in another response:

What we found when we tested apps was that they ask users for permission to obtain their location data, but in doing so they typically provide an incomplete explanation of how the information will be used. For example, they will say something like "This app would like to access your location. We will use this to provide you with more customized weather alerts," or with traffic updates, or what have you. They usually do not mention advertising, and almost none mention sale or retention of the data beyond advertising.

The other uses may be mentioned in a privacy policy, but it was difficult even for us to tell for certain. Companies we knew were funneling data for use by financial services firms, for instance, used vague phrases such as those saying the data could also be used for "business purposes."

So, to understand the scope of the sharing, as a user, you would have to recognize that the initial message was incomplete, navigate to the privacy policy, read the entire thing and figure what phrases such as "business purposes" or "analysis of traffic patterns" actually mean.

In terms of ultimate use of the data, there have been some uses that I think might strike some people as unethical but that might be viewed as ethical by others. For instance:

There was a case in Massachusetts that was previously reported, of a company using location data to target "abortion-minded" women with anti-abortion advertising. That company settled with the state attorney general and promised not to do that in Massachusetts.

We did not encounter examples of employees at any of these location firms or their clients (including hedge finds and financial firms) stalking anyone using this data. But after viewing the data, that would be one of my primary concerns. Particularly when considering the spread of the data among a number of start-ups, I have many questions about the security of the data itself, including protection from employee access.

Have you experienced any backlash from tech companies for uncovering their tactics?

The only backlash has been from people in the industry who say this isn't news, that people are sharing their data willingly, that only clueless people don't know this is happening and that advertisers aren't using the data to identify or stalk people. Those arguments are pretty standard.

It seems like my phone is listening to me when I am talking, not even using the phone. For instance, I went to the University of Missouri but I don't have anything to do with the school anymore- no googling, I don't watch games, I don't even talk about it. But I ran into an old classmate and we talked about Mizzou in person, the next day my phone was full of ads for Mizzou. We were playing cards one night and someone said something about spades, I said, oh, I haven't played spades in forever. Thats it. The next day, I got all these ads to play spades. Is my phone listening to me or am I paranoid?

I provided a related answer in a question that was Facebook-specific, but this question appears to be receiving significant attention. My colleague Sapna Maheshwari found a company that was using the microphone to determine which ads people had viewed on television. She also has written about patents by Amazon and Google that describe using audio signals for advertising and other things — but the companies say the patents are not currently being used. (That's extremely common for patents, by the way.)

I have not heard of anyone isolating other examples in a technologically rigorous way, nor have I seen internal documentation acknowledging such practices. If anyone has such documentation, The Times has a site for tip submissions: https://www.nytimes.com/tips.

​

I’m kind of bummed this isn’t answered by her, because everyone in the industry knows for a fact that this is impossibly impractical to do with today’s technologies.

Someone has to:

• do voice recognition (processor intensive if done locally and radio intensive if done remotely) without draining the battery

• do voice recognition on the equivalent audio of a butt dial.

• be able to surreptitiously record hiding from jailbreakers and companies like Apple who have every incentive to expose this behavior. Apple would throw them off the platform without prejudice.

• defeat os protections including showing a red banner when an app is recording in the background.

• fb has a crap ton of leaks. This is the kind of thing that can’t be kept secret in the company and also needs to be communicated and sold to advertisers to make money.

I responded to this late because I had answered a similar question about Facebook specifically, but then for whatever reason this was the question that was upvoted. Now my answer here does not have many votes, although the parent question does. *Sigh.*

In any event, your response is similar to what our reporting has demonstrated thus far, although I'm always hesitant to imply that the technology could not eventually reach a point where voice-based tracking is common.

How is the NYT and NYT app any different?

1. What Personal Information Do We Gather About You?

When you use the NYT Services by, among other actions, ordering a subscription or other product, providing registration details, setting newsletter preferences, browsing our sites, completing a survey, entering a contest or otherwise interacting with our NYT Services, we gather personal information. Personal information is information that identifies you as an individual or relates to an identifiable individual. Several different types of personal information can be gathered when you interact with the NYT Services, depending on the type of product or service being used. Collection of personal information is necessary to delivering you the NYT Services or to enhance your customer experience.

If you disclose any personal information relating to other people to us or to our service providers in connection with the NYT Services, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Policy.

Also, isn't NYT part of the problem since you use the data from these other shady dealers?

B) Analysis and Development of New Products and Services. We perform statistical, demographic and marketing analyses of users of the NYT Services, and their subscribing and purchasing patterns, so we can analyze or predict our users’ preferences for product and services development purposes, to determine our promotional campaign effectiveness so we can adapt our campaign to the needs and interests of our users, and to generally inform advertisers about the nature of our subscriber base. We use this information for analytical purposes, including analysis to improve customer relationships, to support strategic business decisions and our marketing tactics and to measure and track our brand health. We will engage in these activities to manage our contractual relationship with you, to comply with a legal obligation, or because we have a legitimate interest in doing so.

D) Location Information. Some of our mobile applications can deliver content based on your current location if you choose to enable that feature of the app, for example, by use of satellite, cell phone tower, or WiFi signals. If you enable the location-based feature, your current location will be stored locally on your device, which will then be used by the app. If you elect to have a location-based search saved to your history, we will store that information on our servers. If you do not enable the location-based service, or if an app does not have that feature, the app will not transmit to us, and we will not collect or store, location information. The ads in our apps are not targeted to you based on your current GPS location, but they are targeted to you based on your ZIP code or device's IP address.

C) Sharing With Other Third Parties. We will not sell, rent, swap or authorize any third party (except our service providers) to use your email address without your permission. Nothing in this Privacy Policy is intended to restrict our use or sharing of aggregated or de-identified information in any way.

This is an expose of nothing. You "uncovered" what? A dummies guide to big data from 2004?

All apps can do this, all apps/sites can share data.The NYT site uses it to push ads and the app uses it for identical purposes. It's how the internet is built.

Now, if you will state plainly exactly who you "share" (such a nice way of putting it, eh?) information with, we can then be a well-informed public and decide if it's worth it. I (obviously) work in the sector, and I know exactly how the buck passing happens. You entity0 "share" with entityA, who "shares" with entityB, who actually does sell it to entityC, who then has some foggy stake with entity0. And then when there's some data breach at entityC everyone can ¯\(ツ)/¯. I DUNNO LOL. until there is something connecting the dots.

Until then, you're just another mysterious promise-maker.

Hi. Thanks so much for this question. I know it sounds corny, but it’s actually important for me as a reporter covering these issues.

First, we tested the NYT app on both platforms and note that in our methodology. The NYT app did not send precise location data elsewhere, although it did send location data based on IP address, which placed us in New York City. In general this was sent to advertising companies. I’m not saying that’s great, but this story was narrowly focused on precise location collection by apps.

You will note if you go to the NYT site that there are a number of advertising cookies and trackers. Although I recently joined The Times, I and other reporters I know have covered this sort of tracking before. When I worked at the WSJ, we reported on this in 2010 and tested our own apps and websites as well as those of The Times. I would do the same thing here.

As a reporter, I’m interested in these issues and think the public should know more about them. As much as I wish I were in charge of things, the business side is separate from the reporting side here and at most reputable news organizations.

(Edited to fix a markdown issue with the links.)

Not that I'm ok with it, but why should we care if companies are tracking us and selling our location data? What is the harm or potential harm done?

I get this question a lot. There are a couple answers.

First, in looking at this data, it struck me that the chance is low that such information has not been misused by an employee or other person with access to such information, for example to look up an ex or other person of interest.

Aside from that individual harm, however, I think the accumulation of such information gives companies considerable power over us. Several companies said they use this information to determine what people really want. They could, for example, see that someone says online that they are on a diet but really goes to fast food restaurants regularly. So they could advertise unhealthy food to that person.

Of course, I understand that people view targeted advertising as helpful. But I think there should be more transparency around how this is happening, so consumers can truly make informed choices about whether they want this.

Finally, I think there is an overall problem for society when it comes to surveillance. Many of us are, by now, aware that we are being watched and judged in some capacity, even if just by machines. It influences what many people do, in subtle ways. You may avoid behaviors that you don’t want to go into your online “profile,” for instance, because you don’t know exactly how your profile is built or how you can get out of it.

Is that good? Is that how we want our behavior to be shaped? I think it’s an important question.

Do you have any inside stories on how this tracking data has been abused already to the detriment of the user? E.g. any real-life consequences of hidden/passive data tracking?

There was a case in Massachusetts that was previously reported and didn't make it into the story, of a company using location data to target "abortion-minded" women with anti-abortion advertising. That company settled with the state attorney general and promised not to do that in Massachusetts.

We also spoke with a company using location data to target people in emergency rooms with ads from personal-injury lawyers, or people that had been in local jails or at bail bondsmen with defense attorney ads, that sort of thing. Some people might find that intrusive, but others might not. It doesn't appear to violate any industry guidelines, which allow advertising targeted to many general health concerns but not some sensitive ones such as cancer or STDs.

So...Facebook actually listens to us via microphone, right?

I get this question all the time! A number of good reporters have looked into this question and not found evidence so far that Facebook is doing this.

However, my colleague Sapna Maheshwari reported on a company that was using the microphone to listen to what television ads people were seeing. https://www.nytimes.com/2017/12/28/business/media/alphonso-app-tracking.html

And other reporters have noted that, when it comes to Facebook, they have so much data from your contact information, what your friends are doing, your location, some of your browsing behavior and so forth that they can come up with ads and recommendations that seem as though they must have been triggered by something you said.

[deleted]

Apple says the “while using” setting prevents apps from sending data in the background. In my experience, there is some relatively small amount of time that the app remains active even when you don’t have it immediately on your screen. Additionally, some apps can be updated via things like “background app refresh,” which you can turn on and off by going to Settings > General. (That’s for things like updating podcasts while you sleep.) We didn’t conduct extensive testing of those situations, though.

Do you think that this will result in any legislation? (And are there any groups that I could possible donate to that are pushing a pro-privacy agenda?)

I’m not sure. A handful of representatives and senators have been proposing privacy bills every session for nearly a decade now, and they don’t usually go anywhere. It’s a complicated subject, the harms are diffuse and ill-defined, and there is a ton of money backing technology companies and their interests. Lawmakers don’t want to be seen as killing innovation.

That said, it’s always possible that at some point, public concern will reach a point at which we do get legislation. California recently enacted new privacy regulations. The EU has an entire new system, called GDPR, that went into effect this year. It will be interesting to see how that goes.

I can’t recommend a particular group or course of action, but I am familiar with some. The Electronic Frontier Foundation is quite prominent in pushing privacy. There are other groups, including the Electronic Privacy Information Center, that do such work as well.

I thought this was common knowledge. Was it really not before this investigation?

​

There are two answers to this.

The first is that I think people with a certain level of tech expertise are aware of this tracking, but the readership of The Times may not be. It’s not because they are stupid or inept; these are educated people. They simply don’t have the time or technology or legal background to decipher these behaviors.

The second answer is that, although many people seem to be aware in some vague sense that they are being tracked, they frequently do not understand what that means, how extensive the tracking is or what it can reveal. In speaking with consumers, we often hear them say something like, “Oh, God, you’re going to tell me I’m being tracked everywhere, aren’t you?” But they are nevertheless surprised to learn the details. It’s as though they have enough knowledge to develop a sense of learned helplessness.

Out of the groups you interviewed from the top level executives to the ground floor employees, did any express any sort of resentment or guilt about how much they are invading the privacy of individuals?

I’m not sure I would say there was “resentment” or “guilt,” but there were some misgivings. As far as we could tell, these activities are legal here. The companies are within the law and therefore feel that what they are doing is OK. In addition, people I spoke with said they didn’t try to identify anyone in the data; they weren’t using it to stalk anyone.

But many were well aware of what the data could reveal, and that it could be used to identify people. They acknowledged that people don’t read privacy policies and expressed concern that the public may not in fact be fully aware of what is going on. Nevertheless, all the companies characterize this data as being given on an “opt in” basis, because people agree to share it with their apps. And they refer to it as “anonymous,” “anonymized,” “pseudonymous” or some similar word.

Are you aware of any ways to increase the anonymization of our location data?

I don’t see any way to stop the tracking, and wouldn’t want to stop it for practical purposes. Tying it to ourselves with a 1:1 personal identity is what I’d like to avoid

Great reporting on this, caught the story via the daily.

There are a few options that could improve anonymization, including some mentioned in other responses. One company we covered for this story used an interesting technique to better anonymize people's home locations.

Their code would run for some time on the phone before sending location data to the server. It would determine which place was likely the user's home and then scramble data in a 1,000-foot box around that location, such that the likely home location was not somewhere in the box but not in the center. People might still be identified using other data points, but it did seem that they were attempting to address that concern.

I'm impressed that a NYT journalist broke this story. It's rare for large news organisations to do such ground-breaking research into this kind of issue. More often journalists piggy back on other tech writers who have actually done the original graft, but present it as if they've 'uncovered' it themselves. So kudos for your hard work.

Can you tell us what gave you the original insight that prompted your research?

Hi. Thanks so much. I have been covering technology, surveillance and privacy since 2010, when I was at the Wall Street Journal. So this subject is one with which I’m familiar. In fact, I have written other, smaller, articles about the growth in location tracking over time.

This spring, I wrote a story about a company called Securus and a “location aggregation” company called LocationSmart. TL;DR data from the major cellular carriers was being funneled to law enforcement, which was using it to track people without warrants.

After that, I started getting tips that this market had exploded in the past couple years and that location data was being used for all sorts of things beyond the location-targeted ads I had written about in earlier years. I started working with a team of great reporters and technologists here at The Times, and that culminated in this recent article.

(Edited to fix a problem with the link.)

How did you identify Lisa Magrin from the location information from her phone? While location data collection itself is scary, you still need other data points to compare to in order to determine personal details of that individual.

You do need other information to identify people in this data. There are two ways this could be done, generally. In one, you could follow someone you know, say an ex or a friend, by pinpointing a phone that regularly spent time at that person’s home address. Or, working in reverse, you could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there.

In our work, we got people’s permission to look them up, so they were giving us addresses where we might find them. Lisa is actually a co-worker of my sister-in-law. Elise, the nurse we identified, allowed us to get her information after we found her when we were looking for her husband, actually. He gave us his address, and we found someone there, but it turned out it wasn’t him. So we shut that down and waited until we could talk to her personally and know that she was OK with it.

20 m ago you started this AMA yet haven’t answered a single question. Do you regret doing an AMA Instead of a self “TIL”?

I'm here! I was just eating lunch, but now I'm ready to tackle these great questions.