SYLVIE DOUGLIS, BYLINE: NPR.
(SOUNDBITE OF DROP ELECTRIC SONG, "WAKING UP TO THE FIRE")
WAILIN WONG, HOST:
The brightest flashlight app was developed for something very simple. This was during the time when a lot of Android phones didn't have built-in flashlights like the iPhone. So this app would turn on all the available lights, essentially making the phone into a flashlight.
DARIAN WOODS, HOST:
But the brightest flashlight was also doing something else. It was recording users' locations and sending that information to advertisers. And this landed the company in hot water with the Federal Trade Commission.
WONG: That was almost a decade ago. Since then, the market for location data has continued to flourish. It is a multibillion-dollar industry where information on people's precise whereabouts is still being collected from mobile apps and sold to companies or government agencies, often without users' knowledge or direct consent. This is THE INDICATOR FROM PLANET MONEY. I'm Wailin Wong.
WOODS: And I'm Darian Woods. Today on the show, we're going to look at mobile location data, how it's gathered, sold and used. And we're going to talk to one developer about his experience to try to build a weather app that takes privacy seriously.
(SOUNDBITE OF MUSIC)
WONG: Our phones contain a treasure trove of information about us - what we're watching, buying, searching for and where we are.
LENA GHAMRAWI: Precise geolocation data is really your longitude and latitude, so exactly where you are. Like, you are in your living room in your apartment.
WONG: Lena Ghamrawi's a privacy lawyer. A couple of years ago, she helped launch a watchdog group that investigated mobile apps. This was also when more investigative journalism was coming out about the industry. Like in 2020, Vice reported that the U.S. military was buying location data collected from a variety of apps.
GHAMRAWI: Usually what happens is that apps are collecting information about you. The apps then turn around and sell that information to data brokers, third parties who then package that data, repurpose it and then sell it to anyone that wants to buy the data.
WOODS: Lena says location data can be helpful. Like, say, an epidemiologist wants to track the spread of infectious diseases in a population, or a real estate company might want to analyze foot traffic patterns when deciding where to open a store.
WONG: And then there are apps that simply wouldn't work without knowing their users' locations. Think of navigation and mapping apps or ride-sharing apps like Lyft and Uber.
GHAMRAWI: So it's not all nefarious and bad, but unfortunately, the way that it's been used today has exploited individuals because this information is really sensitive.
WOODS: One high-profile example from last year involved a Catholic priest. He resigned after a news site claimed to have linked his phone with data showing that he had visited gay bars and used the location-based dating app Grindr.
WONG: And location data came under renewed scrutiny after Roe v. Wade was overturned. Congress is investigating privacy concerns related to period tracking apps and how they collect data, including location. And in August, the FTC sued a data broker named Kochava. It said the company's data could be used to track people visiting sensitive places like reproductive health clinics and domestic violence shelters.
WOODS: So how does location data get from an app to a data broker to companies that are paying for this information? Lena says that often the app developers have no idea that this data is being collected in the first place, and that's because of something called software development kits or SDKs.
GHAMRAWI: Basically, they're pieces of code that app developers use when creating an app instead of writing the code from scratch.
WONG: So think about making spaghetti. You could spend hours simmering a complex bolognaise sauce on the stove. Or you could buy a jar of pre-made sauce and get dinner on the table in 15 minutes.
WOODS: Yeah. So SDKs are these pre-made, jarred pasta sauces of the mobile app industry. They contain pre-made software for functions like taking credit card payments or sending instant messages.
WONG: So SDKs can be very useful. But unbeknownst to app developers, some SDK creators insert location tracking capabilities into their software and sell that data to brokers.
GHAMRAWI: What happens a lot of time is that the SDK has what we call invisible code, and the code can then extract your location information. And the app developers actually sometimes don't even know that they're putting this into the app.
WOODS: Some developers choose to avoid SDKs altogether for this very reason, developers like Brian Mueller.
BRIAN MUELLER: I'm Brian Mueller, and I'm the founder of CARROT Weather, this snarky, little weather app that has this personality built into it.
WOODS: I'm sick of these vanilla weather apps, Wailin.
WONG: Yeah. Well, if you want a weather app kind of spicing up your life, CARROT Weather might be your thing because...
WONG: ...Every time you open this app, you are greeted with a rude message.
WONG: Like, if it's sunny and warm, CARROT might say...
AUTOMATED VOICE: I hope you get a horrible sunburn.
WOODS: This is quite the app. I don't know why people would want this in their life, but maybe, I don't know, self-flagellation is a thing.
WONG: Maybe just to feel alive.
WOODS: To feel alive, you know. I have learned that CARROT's personality is pretty acerbic, and it's sometimes bordering on homicidal. But one thing that CARROT does not do, despite being a weather app, is collect and store precise location data.
WONG: A few years ago, when Brian started reading about how invisible code could be lurking inside SDKs, he decided to remove them from his app. He also doesn't sell ads because he didn't want to expose his customers' data to third-party advertising companies.
MUELLER: I remember joking that CARROT wants your location data so that she can use it to, like, send an assassin after you, not give it to someone else to market stuff to you.
WOODS: So one challenge for Brian is that he has to rely on third-party weather data providers, you know, the companies that actually do the forecasts. And he can't control what those companies do with his customers' data. So he's built a couple of safeguards.
WONG: For example, he puts his own servers in between his customers and the weather data providers. That way, those companies don't see his customers' IP addresses. They only see requests coming from Brian's servers.
MUELLER: And another thing that I do is my requests to the weather data providers don't use the most precise GPS coordinates. I round those coordinates up so that they'll never be able to, like, say that this user is at this specific address.
WOODS: Brian says though as a consumer, he personally doesn't mind his location being used for targeted ads. And this is a pretty common mindset. Like, our online experience can be more tailored to our interests because of the information that we provide to apps and advertisers. And ads are what enables so many apps and services to be free.
WONG: But the conversation around how sensitive personal information gets used is prompting people like Brian to take a hard look at the tradeoffs between privacy, convenience and, in his case, making a living as an app developer.
MUELLER: There are so many cases out there where location data can be used to really hurt people, and that's the kind of stuff that I don't want to contribute to.
WOODS: Both Brian and Lena say that because the U.S. doesn't have a federal privacy law like Europe's GDPR law, it's largely been left up to individual companies and developers to figure out their own policies.
WONG: Apple, for example, introduced privacy features last year that let iPhone users opt out of getting tracked by advertisers. Privacy advocates applauded the features, but those changes also resulted in billions of lost dollars in ad revenue and sales for companies.
WOODS: And for individual people like Lena, the Wild West nature of the mobile app industry means that she has to stay personally vigilant not only for herself but her parents, too, who aren't as tech savvy as she is.
GHAMRAWI: I look at their phone, and I'm like, do you really need these apps?
WONG: What's, like, the most random app you found on your parent's phone where you're like, no, you don't need this?
GHAMRAWI: My mom had this, like, flower of the day app.
WONG: (Laughter) That sounds nice.
GHAMRAWI: I was like, what is this? And she was like, I don't know. It looked nice. And so I was like, you don't need this.
WOODS: Well, a sunflower might look nice, but you can also get insulted by a really mean weather app if you want.
WONG: Who wouldn't want that?
AUTOMATED VOICE: Twenty-four thousand people are killed by lightning every year. Will you be one of them?
(SOUNDBITE OF MUSIC)
WONG: Well, that estimate sounds a little high, but I wouldn't dare contradict CARROT. She will come for me.
WOODS: I wouldn't either. She knows where you live, maybe not the address but where you live generally.
WONG: This episode was produced by Nicky Ouellet, with engineering by Katherine Silva. Dylan Sloan checked the facts. Viet Le is our senior producer. Kate Concannon edits the show, and THE INDICATOR is a production of NPR.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.