
Proposed Massachusetts law to ban sale of your mobile location data

Cell phone location data may be banned from sale in the state of Massachusetts, under a proposed law set to ruffle some data broker feathers.

The selling of location data has long been a point of contention for privacy experts. As with so much bulk user data, claims of anonymity from the sellers are never far behind. The reality is often quite different, with individuals or more general patterns routinely revealed in ways nobody thought possible. People were singled out from 500k AOL search records, and interesting findings were made from comparing a Netflix dataset to IMDB ratings back in 2006/07.

With location services, it’s even more important that anonymity is done correctly. Indeed, some would claim that attempts to anonymise data can never be 100% successful. Meanwhile location data can illustrate precise movements, patterns, a daily routine, or information regarding specific activities and pastimes—all of which can be used for nefarious purposes in the wrong hands.

Even when precautions have been taken, user data can still slip through the net in unusual ways. Not so long ago, researchers found it was possible to look at aggregate data from Strava and track the beginning and end positions of user routes via heat maps and social features.

It’s important, then, to try and get it right the first time with mobile data. Sadly, the odds are stacked against this when dedicated firms exist to tie IDs to names and addresses. With brokers selling the data behind the scenes, this proposed law aims to tackle the problem by simply taking the data off the table.

The Location Shield Act would do the following in Massachusetts:

It shall be unlawful for a covered entity or service provider that lawfully collects and processes location information to:—

(1) collect more precise location information than necessary to carry out the permissible purpose;

(2) retain location information longer than necessary to carry out the permissible purpose;

(3) sell, rent, trade, or lease location information to third parties; or

(4) derive or infer from location information any data that is not necessary to carry out a permissible purpose.

(5) disclose, cause to disclose, or assist with or facilitate the disclosure of an individual’s location information to third parties, unless such disclosure is (i) necessary to carry out the permissible purpose for which the information was collected, or (ii) requested by the individual to whom the location data pertains.

As the American Civil Liberties Union Massachusetts (ACLU) notes, the buying and selling of this data is unregulated and can impact on all manner of privacy and safety issues. Domestic abusers can track ex-partners. Foreign governments can use data for intelligence and tracking purposes. Employers can track and discriminate against employees. A variety of health and abortion access situations could lead to prosecution or harassment.

Owning a mobile device should not lead to this data being potentially made available to anyone with a credit card. There is strong voter support in Massachusetts for a law which would prevent this selling of personal location data, and the bill seems likely to pass.

The big question is whether or not it will inspire other states to follow suit and draft their own versions of a law addressing a privacy issue sorely in need of rebalancing.



Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.