So, you think that what happens on your iPhone, stays on your iPhone? Well, think again. Nasty little workarounds secretly harvest information from your iPhone without you realizing. Some track your location even if you disable that setting on your phone. Here’s what you should do to stop them dead in their tracks.
Your iPhone is being tracked.
With Apple’s very public crackdown on data tracking, you’ll be shocked and irritated to discover that there are workarounds on your iPhone, right now, that enable companies to track your movements without seeking your permission. This clearly needs to end. And so here are some easy steps you can take to stop this on your iPhone.
Let’s start with Facebook—the most avaricious data harvester of all. With settings now in place to provide you with more control of data tracked on and off Facebook, there has definitely been an improvement. But old habits die hard. Facebook seemingly can’t help but collect any data that crosses its path—and while its privacy protections are better than they were, we can easily find alarming gaps.
And so it is with the location data embedded in the images you upload to Facebook’s app on your iPhone. Even if you go into your iPhone’s location privacy settings, and set Facebook to “never,” the platform will still strip out that embedded location metadata, which is very precise, as well as your IP address, and store both for its own use.
Facebook location settings disabled on iPhone.
You can see this for yourself. Disable Facebook’s location access on your iPhone (which you should anyway), and then upload a photo to Facebook. If you then download that same photo, you’ll see the location metadata has been stripped out—which is good. But if you request “your Facebook information,” you will see that Facebook has stored this stripped out location and IP address data against your profile.
“Tracking locations without knowledge is a serious invasion of privacy,” warns ESET’s Jake Moore. “Facebook has long harvested data from users when they upload an image but has always stripped this metadata, so others aren’t able to see it. When Facebook learns a user’s location plus their IP address and links them, it is simply learning its userbase in order to sell targeted adverts.”
Location data secretly harvested from iPhone, creation time of download in PT, not GMT.
This next secretive location tracking on your iPhone is much more pervasive—fortunately, it’s also much easier to stop.
You may be familiar with tracking pixels—although most people are not. These are tiny image files included in most of the emails you’re sent—whether they’re from your service providers or just unsolicited SPAM. And when I say tiny, I mean tiny. These images are often just 1×1 pixels in size and they’re transparent, camouflaged, so as to be invisible when you open the email. And the images are not actually embedded, they’re downloaded from a remote server when you open the email.
And that’s the issue. Because when you open the email, when that sneaky little pixel downloads its remote, invisible image, you’re sending the date and time you opened the email, which is linked to your email address, and more worryingly, you’re also sending your IP address, which can be used to track your location. Hey, so you opened my email three times, once at work and twice at home, that’s good to know.
IP addresses are not as accurate as GPS, and that accuracy can vary based on all kinds of factors. But you can likely be placed within a few hundred feet—or closer—of your actual location. If I know where you work and where you live, most of which is readily available in marketing databases, I can build a neat little pattern around those emails. It’s much better than iOS 14’s approximate location setting, which apps still need to seek your explicit permission to access. Not with pixel tracking, though.
“Not only do these pixels track whether or not a user goes to a brand’s website,” says one email marketing website, “but they also catalog behaviors such as OS, mailbox type, screen resolution, time spent on email, IP address, and actions a user takes on the actual site. Pixels work like cookies on a web browser. But unlike cookies, pixels can’t be blocked just yet. That’s what makes pixel tracking such a successful strategy for all digital marketers… Because of the behaviors they uncover.”
So, how do you feel now about all those trivial emails you open when you’re casually scrolling through your inbox? The marketing industry says we all want personalized emails, that it’s all set out in (usually unread) privacy policies, that this pixel tracking is providing us with a welcome service. “This is great news because, through the use of tracking pixels, marketers can give consumers exactly what they want in the form of more personalized messaging… related links, content, and more.”
Despite us all “wanting” to be tracked through our emails, these pixels aren’t banner-sized, they’re not highlighted, they don’t make their purpose clear. Here’s a tip to the marketing industry: If you need to hide an invisible and secretive 1×1 image in an email image, then it seems reasonable to conclude that this isn’t want people want at all.
“It’s a cat and mouse game,” says security researcher Sean Wright. “And advertisers will find ways to ensure that they get what they want.”
Of the leading iPhone mail clients, Apple Mail, Google Gmail and Microsoft Outlook, only Gmail harvests location data. But, despite this, the insertion of pixel tracking into emails in those apps can return IP addresses. And that can track locations with more accuracy than “approximate locations,” which would need to be disclosed.
iOS email apps
If the marketing industry is wrong, if you don’t want to be secretly tracked, you can disable remote images from being automatically loaded in each of those mail apps. You will then see a single click option to restore images in specific emails as you open them—you will still likely be tracked by those emails, but at least you have some control.
The settings in each app are different—you can see what to change in the image below.
Disable remote images autoloading.
These tracking pixels are not the exception. They’re now used by the largest and most trusted brands around. They have become a default direct marketing tool. All without most of you knowing anything about it. Why these haven’t been banned or blocked or restricted to opt-in only, alongside website and GPS trackers, is a very good question. Let’s hope Apple has this on the cards as it continues to enhance user privacy.
Apple itself is not immune from criticism when it comes to location tracking. I have advised users before to disable “significant locations” on their iPhones. “Your iPhone and iCloud connected devices will keep track of places you have recently been,” Apple says, “as well as how often and when you visited them, in order to learn places that are significant to you… It is used to provide you with personalised services, such as predictive traffic routing, and to build better Memories in Photos.”
This is a creepy dataset of where you go and why, how you get there and how long it takes, with some assessment as to how important a location it is. All of this, Apple says, is fully secured by your device and not shared. But I don’t see this as a proportionate level of tracking. Just because you can, as they say, doesn’t mean you should.
ESET’s Moore is a former police officer. “Significant locations,” he says, “is one of those features hidden within the privacy section which many users tend not to be familiar with. I cannot think of a positive or useful reason why Apple would include this feature on any of their devices… When I used to investigate digital forensics for the police, this little-known feature became extremely useful when searching for evidence on iPhones.”
Disable significant locations.
Apple also says that it needs this tracking to enable its questionably effective optimized battery charging. I disabled this setting a long time ago, and my battery seems to charge just fine. Anything that I’m missing by not allowing my phone to compile a surveillance database of my movements, I’m happy to say I have not noticed.
All that said, Apple is a privacy posterchild compared to Google. Thankfully, Google now offers you the option to visit your account online and to turn off “Web and App Activity” from within its “Data and Personalization” settings. You can adjust various settings, deciding for yourself how detailed a timeline you’d like Google to build for you. This goes to the heart of privacy versus convenience. It’s a personal choice.
Disabling Google web and app activity.
Even if you don’t make changes to your Google account settings, spinning through your search history, limiting location tracking, changing your autodelete settings, reminding yourself of all the YouTube videos you have watched, listed by date, is a stark reminder of how much of a digital footprint we leave behind. The privacy protections now in place are hard fought for—make sure you use them.
While you’re tweaking these settings, visit the location services tab in your iPhone’s privacy settings, scroll down, and limit any app’s access if you don’t think it needs to know where you are. You might be surprised at what you find.
Zak is a widely recognized expert on surveillance and cyber, as well as the security and privacy issues associated with big tech, social media and communication