Using a maps app to plan a route, sending terms to a search engine and chatting online are ways that people actively share their personal data. But mobile devices share far more data than just what their users say or type. They share information with the network about whom people contacted, when they did so, how long the communication lasted and what type of device was used. The devices must do so in order to connect a phone call or send an email. When NSA whistleblower Edward Snowden disclosed that the National Security Agency was collecting Americans’ telephone call metadata – the Call Detail Records – in bulk in order to track terrorists, there was a great deal of public consternation. The public was rightly concerned about loss of privacy.
When Politico revealed Supreme Court Justice Samuel Alito’s draft ruling overturning Roe v. Wade, a number of observers noted how difficult it would be for women in areas where abortion is prohibited to travel securely to abortion facilities in other states. Their phones’ location histories, or maybe their search histories, would reveal their identities. Their texts might do the same. According to well-intentioned advice, people who wish to travel anonymously to an abortion clinic should plan their journey as a CIA agent would – and buy a burner phone. As a cybersecurity and privacy researcher, I’m well aware that this would not be sufficient to ensure privacy.
Researchers at Stanford later showed that call detail records plus publicly available information could reveal sensitive information, such as whether someone had a heart problem and their arrhythmia monitoring device was malfunctioning or whether they were considering opening a marijuana dispensary. Often you don’t have to listen in to know what someone is thinking or planning. Call detail records – who called whom and when – can give it all away.
The transmission information in internet-based communications – IP-packet headers – can reveal even more than call detail records do. When you make an encrypted voice call over the internet – a Voice over IP call – the contents may be encrypted but information in the packet header can nonetheless sometimes divulge some of the words you’re speaking.
That’s not the only information given away by your communications device. Smartphones are computers, and they have many sensors. For your phone to properly display information, it has a gyroscope and an accelerometer; to preserve battery life, it has a power sensor; to provide directions, a magnetometer. Just as communications metadata can be used to track what you’re doing, these sensors can be used for other purposes. You might shut off GPS to prevent apps from tracking your location, but data from a phone’s gyroscope, accelerometer and magnetometer can also track where you’re going.
(Caption: What the sensors in your phone do and how they add up to a lot of data about you.)
This sensor data could be attractive to businesses. For example, Facebook has a patent that relies on the different wireless networks near a user to determine when two people might have been close together frequently – at a conference, riding a commuter bus – as a basis for providing an introduction. Creepy? You bet. As someone who rode the New York City subways as a young girl, the last thing I want is my phone introducing me to someone who has repeatedly stood too close to me in a subway car. Uber knows that people really want a ride when their battery power is low. Is the company checking for that data and charging more? Uber claims not, but the possibility is there.
And it’s not just apps that get access to this data trove. Data brokers get this information from the apps, then compile it with other data and provide it to companies and governments to use for their own purposes. Doing so can circumvent legal protections that require law enforcement to go to court before they obtain this information. There’s not a whole lot users can do to protect themselves. Communications metadata and device telemetry – information from the phone sensors – are used to send, deliver and display content. Not including them is usually not possible. And unlike the search terms or map locations you consciously provide, metadata and telemetry are sent without you even seeing them.
Providing consent isn’t plausible. There’s too much of this data, and it’s too complicated to decide each case. Each application you use – video, chat, web surfing, email – uses metadata and telemetry differently. Providing truly informed consent – knowing what information you’re providing and for what use – is effectively impossible.
If you use your mobile phone for anything other than a paperweight, your visit to the cannabis dispensary and your personality – how extroverted you are or whether you’re likely to be on the outs with family since the 2016 election – can be learned from metadata and telemetry and shared.