So, this isn’t good. Your iPhone settings enable you to tell Facebook you don’t want your location tracked. It’s clear and non-ambiguous. Why then, if you tell Facebook “never” to access your location, is the data harvesting giant doing exactly that?
Apple’s iOS 14.5 is just a few weeks old, and the data already suggests it has delivered the expected strike against Facebook . Unsurprisingly, more than 80% of users do not opt in to being tracked. Millions of you have seen through the brazen warnings that Facebook’s free apps won’t remain free unless we surrender our right to privacy.
Facebook generates almost all its revenue from digital advertising—targeting ads by harvesting as much data from you and about you as it can. “Facebook marketing is generally dominated by iOS,” one ad industry article laments, “it’s pretty safe to assume Facebook has lost at least half their data, arguably the most valuable half.”
All of which means that Facebook will be doing ever more with the data that remains. And there’s a hidden danger in all the iOS 14.5 publicity—a false sense of security for iPhone users, thinking that the Facebook data issue is suddenly over, that everything has now changed. That would be very wrong—it really hasn’t.
Apple has clamped down on Facebook tracking you across third-party websites and apps, not harvesting your data on those it owns. Just like Google with Chrome, Photos and Gmail, Facebook apps compare miserably to their peers when it comes to helping themselves to your information. This isn’t coincidence—it’s a philosophy at play.
Despite me telling my iPhone “never” to allow Facebook access to my location, despite me checking Facebook online to confirm it knows “location history for mobile devices” is set to “off.” Facebook continues to exploit a loophole, harvesting photo location tags and IP addresses, all of which it will, in its own words, “collect and process.”
I took a photo with my iPhone and then uploaded that to my Facebook account. I used Facebook’s app on my iPhone, the same app that has been told “never” to access my location, the same account that knows I have this switched off. But Facebook still collects the location tag from that photo, along with my IP address.
My iPhone adds GPS tags to photos—useful to sort and find images. I can use the share function in Apple Photos to strip location data as I send, and most messengers strip this data, but in Facebook’s app, when I upload a photo, the data is sent as well.
Facebook and Instagram do in fact strip the metadata, the so-called EXIF information, from photos that are saved to their platforms. You can see this, because if you save a photo from Instagram or your Facebook albums onto your phone, there will be no location information. That has been replaced with Facebook’s own codes.
And so, you might assume that Facebook has deleted this data. Wrong. If you go to your Facebook privacy settings and select “your Facebook information,” you can download a copy of the data it holds. If you select “photos and videos,” you will see the data that Facebook saved from the images you uploaded.
In the case of this specific photo, the one just uploaded from my iPhone, that data includes a very precise location and my “upload IP address.” Facebook doesn’t need any more than that. If I type those lat/long co-ordinates into Google Maps, I get an exact match to my location, and Google’s Street View shows me the front of my house. As you can imagine, this is not the kind of privacy I had in mind.
Then you see a link inviting you to “learn more about your location data.” That link takes you to your account, where it asks if you want to “Turn on Location History for your mobile devices,” because, remember, this is switched off. Which begs the question—how can you collect my location data, and then explain this by taking me to an account setting which confirms I’ve told you not to capture my location?
If this seems Pythonesque to you, don’t worry, you’re not alone.
You might not save many photos to Facebook these days, perhaps you use Instagram instead. Well, its data policy carries the very same warning, that the data harvested “can include information in or about the content you provide (like metadata), such as the location of a photo or the date a file was created.”
I asked Facebook about this capture of EXIF locations from Facebook and Instagram photos. The company confirmed that it “collects and processes” such data. I suggested to them that this data is used for advertising purposes, and that this is “regardless of the privacy settings selected by the user within the Facebook/Instagram app on their phones.” Facebook told me it was fine to proceed with those assumptions.
True, albeit photos uploaded from a mobile device are almost always taken on the mobile device. And combined with its vast data trove, this is all part of painting a more accurate picture of each of you, a profile to mine for ads.
So, what should you do? Don’t upload photos to Facebook or Instagram that have significant location data embedded, unless you want to share that data. You can use an app like iVerify, which will add a metadata stripping function to the share menu within photos, enabling you to save clean duplicates before you upload or share them.
EXIF data isn’t the only secret tracking taking place on your iPhone. If there’s one other setting you absolutely need to change, it’s the “load remote images” option within Apple Mail. This should be switched off, which will stop almost all the email tracking pixels you you are being sent from collecting your location data, your identifier and the date and time, every time you open a marketing email.
This is an absolutely scourge, and with Apple’s crackdown on website pixel tracking, these marketing email pixels are going to become even more important. You don’t lose anything by changing that setting. Apple will give you the option to load remote images on every email that has them. At least this way you get to choose who is checking where you are and storing that information to target you with ads later.
With iOS 14.5 and the rising groundswell of privacy advocacy, the next few years will either be a pivot point for Facebook as it’s forced to examine its business model, or more likely the same kind of almost unnoticeable bump in the road that Cambridge Analytica ultimately proved to be. Just take a look at its stock chart in the years since that existential crisis hit the headlines—it tells you everything you need to know.
“Protecting people’s privacy,” Facebook says, “is central to how we’ve designed our ad system.” No, really, that’s what it says. Four simple steps to enhance your privacy: Say no to tracking when asked by iOS 14.5; disable location sharing for Facebook on your phone; for Facebook itself, delete the app and use a browser instead—Safari or Firefox, not Chrome; and don’t upload EXIF data unless you’re happy it’s collected.
In the meantime, Apple, please address these EXIF issues and also default to remote email images being disabled in iOS 15. Those would be two huge steps forward.
Zak is a widely recognized expert on surveillance and cyber, as well as the security and privacy risks associated with big tech, social media, IoT and smartphone platforms. He is frequently cited in the international media and is a regular commentator on broadcast news, with appearances on BBC, Sky, NPR, NBC, Channel 4, TF1, ITV and Fox, as well as various cybersecurity and surveillance documentaries.
Zak has twenty years experience in real-world cybersecurity and surveillance, most recently as the Founder/CEO of Digital Barriers, which develops advanced surveillance technologies for frontline security and defence agencies as well as commercial organizations in the US, Europe and Asia. The company is at the forefront of AI-based surveillance and works closely with flagship government agencies around the world on the appropriate and proportionate use of such technologies.
Zak can be reached at email@example.com.
- “Identifier for Advertisers (IDFA) | Meaning”. http://www.adjust.com. Adjust GmbH. Retrieved 2020-12-25.
roughly 20% of iOS users cannot be tracked using the IDFA because they have enabled LAT.
- Krasnoff, Barbara (2021-04-26). “How to use iOS 14.5’s new app tracking blocker”. The Verge. Retrieved 2021-04-27.
- “User Privacy and Data Use”. Apple Developer. Retrieved 2021-04-26.
- Axon, Samuel (2021-05-07). “96% of US users opt out of app tracking in iOS 14.5, analytics find”. Ars Technica. Retrieved 2021-05-08.
- Statt, Nick (2021-01-28). “Apple’s next iOS 14 beta will begin forcing developers to ask for permission to track you”. The Verge. Retrieved 2021-01-29.
- Rodriguez, Salvador (2020-07-30). “Facebook says Apple’s iOS 14 changes could hurt its ad targeting”. CNBC. Retrieved 2020-07-31.
- Cox, Kate (2020-08-26). “iOS 14 privacy settings will tank ad targeting business, Facebook warns”. Ars Technica. Retrieved 2020-08-27.
- Wagner, Kurt (2020-08-26). “Facebook Says Apple’s Changes to iOS Will Dramatically Hurt Ads”. Bloomberg. Retrieved 2020-09-08.
- Statt, Nick (3 September 2020). “Apple delays privacy feature that would let iPhone owners keep ad tracking at bay”. The Verge. Retrieved 16 September 2020.
- “Mozilla Urges Users to Support Apple’s Planned Anti-Tracking Changes: ‘A Huge Win for Consumers‘“. MacRumors. Retrieved 2020-12-17.
- “Facebook Says It’s Standing Up Against Apple For Small Businesses. Some Of Its Employees Don’t Believe It”. BuzzFeed News. Retrieved 2020-12-25.
- “Google to Stop Collecting Advertising Identifiers in iOS Apps in Response to iOS 14’s Upcoming Tracking Prompt”. MacRumors. Retrieved 2021-01-28.
- “Almost 2 in 5 consumers say they’ll provide IDFA access”. No IDFA? No Problem. 2021-03-16. Retrieved 2021-05-20.
- “Advertisers flee to Android as majority of iOS users opt out of ad tracking”. AppleInsider. Retrieved 2021-05-20.
- Axon, Samuel (2021-03-19). “Zuckerberg: Facebook could be in “stronger position” after Apple tracking change”. Ars Technica. Retrieved 2021-03-19.
- Koetsier, John. “Apple Rejecting Apps With Fingerprinting Enabled As iOS 14 Privacy Enforcement Starts”. Forbes. Retrieved 2021-04-03.
- Axon, Samuel (2021-04-02). “New wave of App Store rejections suggests iOS 14.5, new iPad may be imminent”. Ars Technica. Retrieved 2021-04-03.
- “Version 4.28.0 by nonelse · Pull Request #526 · adjust/ios_sdk”. GitHub. Retrieved 2021-04-04.
- “Apple Now Rejecting App Updates That Defy iOS 14.5 App Tracking Transparency Rules”. MacRumors. Retrieved 2021-04-04.
- “Apple Explains Why ‘Allow Apps to Request to Track’ May Be Grayed Out on iOS 14.5”. MacRumors. Retrieved 2021-04-29.
McGee, Patrick; Yang, Yuan (March 16, 2021). “TikTok wants to keep tracking iPhone users with state-backed workaround”. Ars Technica. Retrieved March 28, 2021.