Google's Fingerprinting U-Turn and the Gravy Analytics Breach
Unmasking the latest threats to your digital privacy from Big Tech and Big Data
Privacy is a classic game of cat and mouse. Just when you think your personal privacy stack is solid, or at least good enough, some new scam threat or sketchy Big Tech data grab emerges. You can “set it and forget it”, but that is not a successful long-term strategy given the current pace of tech advancements, particularly AI.
Two recent news stories illustrate this well. One involves Google deploying a highly invasive data collection technique. The other involves a surprising revelation from a data breach at a data broker. Below is a recap of these stories and the countermeasures we recommend implementing.
The Google Fingerprinting Fiasco
Let's start with Google's decision to reintroduce “digital fingerprinting” for advertising purposes. Beginning February 16, 2025, Google will loosen its restrictions on ad targeting across a wide range of devices, including the expected devices like smartphones, but also smart TVs and gaming consoles. This move allows advertisers to collect various unique data points from your devices, such as IP addresses, device IDs, and browsing activity.
For more information on digital fingerprinting, we did an overview here.
Why is this concerning? Unlike cookies, which you can easily delete, digital fingerprinting data is stored remotely and is much harder for users to control, change, or erase. This change represents a significant shift in how your online activities can be tracked and used for advertising purposes.
Google claims that advancements in privacy-enhancing technologies (PETs) now allow for more secure data management while still meeting users' privacy expectations. Privacy advocates and regulators, including the UK's Information Commissioner's Office (ICO), have expressed serious concerns about this change. We personally wouldn’t put any stock in Google’s privacy-preserving claim. It is Google after all, and their privacy track record is terrible.
The Gravy Analytics Breach
Hackers recently stole a trove of personal information from Gravy Analytics, a location data broker. Data breaches and leaks happen all the time. So much so that most of us are numb to the news. This one is a little different. This breach exposed just how much of our personal information is being collected and sold without our knowledge or consent.
Gravy Analytics specializes in collecting sensitive phone location and behavior data, which it then sells to various clients, including the US government. The company claims to process location data from over a billion mobile devices daily.
The hackers claim to have stolen a massive 17 terabytes of data, including customer lists and precise location data harvested from smartphones. This breach could potentially be as significant as the National Public Data leak, which affected hundreds of millions of people.
What's particularly alarming is that many popular apps, including gaming apps like Candy Crush, dating platforms like Tinder, and even health apps like MyFitnessPal, have been compromised in this breach. This means that even if you've never heard of Gravy Analytics, your personal data may still be at risk if you use any of these popular apps.
And the real problem is that these apps were weaponized by data brokers and advertisers against you to collect sensitive information not necessarily required to use the service. Why does Candy Crush need your geolocation data? It doesn’t. But Big Data found a loophole in common mobile apps to grab your sensitive data.
“For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients, appears to be acquiring their data from the online advertising ‘bid stream,’” rather than code embedded into the apps themselves, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, and who has followed the location data industry closely, tells 404 Media after reviewing some of the data.
The Privacy Implications
Both of these stories highlight a troubling trend in the tech industry: the increasing sophistication and pervasiveness of user tracking and data collection. Whether it's through digital fingerprinting or location data harvesting, companies are finding new ways to gather and monetize our personal information.
This data collection goes far beyond just serving you targeted ads. It can be used to infer sensitive information about your life, including your health status, political views, religious beliefs, and more. In the wrong hands, this information could be used for identity theft, discrimination, blackmail, or even physical harm.
Solutions
There are two solutions available immediately that can substantially reduce your risk, if not completely eliminate it with respect to phones, tablets and computers. Smart TVs and gaming consoles are more of a challenge if you need to connect those devices to the internet. We’ll have to research that some more.
Both of these solutions are ones we’ve discussed in detail here at Secrets of Privacy. Longtime readers may already have implemented these practices. If so, well done! For those who haven’t, here they are.