They Stormed the Capitol. Their Apps Tracked Them

In 2019 two New York Times opinion writers obtained cellphone app data “containing the precise locations of more than 12 million individual smartphones for several months in 2016 and 2017.” (It’s data that they say is “supposed to be anonymous, but it isn’t. We found celebrities, Pentagon officials and average Americans.”)

Now they’ve obtained a remarkable new trove of data, “this time following the smartphones of thousands of Trump supporters, rioters and passers-by in Washington, D.C., on January 6, as Donald Trump’s political rally turned into a violent insurrection.”

And here the stakes for a privacy violation were even higher: [The data set] shows how Trump supporters traveled from South Carolina, Florida, Ohio and Kentucky to the nation’s capital, with pings tracing neatly along major highways, in the days before the attack. Stops at gas stations, restaurants and motels dot the route like bread crumbs, each offering corroborating details. In many cases, these trails lead from the Capitol right back to their homes… Unlike the data we reviewed in 2019, this new data included a remarkable piece of information: a unique ID for each user that is tied to a smartphone. This made it even easier to find people, since the supposedly anonymous ID could be matched with other databases containing the same ID, allowing us to add real names, addresses, phone numbers, email addresses and other information about smartphone owners in seconds.

The IDs, called mobile advertising identifiers, allow companies to track people across the internet and on apps. They are supposed to be anonymous, and smartphone owners can reset them or disable them entirely. Our findings show the promise of anonymity is a farce. Several companies offer tools to allow anyone with data to match the IDs with other databases. We were quickly able to match more than 2,000 supposedly anonymous devices in the data set with email addresses, birthdays, ethnicities, ages and more…

Smartphone users will never know if they are included in the data or whether their precise movements were sold. There are no laws forcing companies to disclose what the data is used for or for how long. There are no legal requirements to ever delete the data. Even if anyone could figure out where records of their locations were sold, in most states, you can’t request that the data be deleted. Their movements could be bought and sold to innumerable parties for years. And the threat that those movements could be tied back to their identity will never go away.

If the January 6 rioters didn’t know before, they surely know now the cost of leaving a digital footprint…

The article argues that de-anonymizing the data “gets easier by the day,” warning this latest data set demonstrates “the looming threat to our liberties posed by a surveillance economy that monetizes the movements of the righteous and the wicked alike.”

But it also warns that “The location-tracking industry exists because those in power allow it to exist… The dark truth is that, despite genuine concern from those paying attention, there’s little appetite to meaningfully dismantle this advertising infrastructure that undergirds unchecked corporate data collection.

“This collection will only grow more sophisticated.”