In 2014, researchers at Carnegie Mellon University ran a study asking Android users to estimate how often apps accessed their data. Users guessed their apps collectively accessed their location around 30 times over a two-week period. The actual figure, recorded by the researchers' monitoring software: over 5,398 times — an underestimate by a factor of nearly 180. Users weren't lying. They genuinely had no idea.
When an app asks for permission, the request is deliberately framed around a single, reasonable-sounding use. A flashlight app needs camera access to turn on the LED. A weather app needs location to show your local forecast. A game needs storage to save your progress. Each request, isolated, sounds fine.
The problem is aggregation. The same camera permission that lets a flashlight work also gives the app access to the camera hardware at any time the app is running — and in older versions of Android, while it was backgrounded too. The same location permission that delivers your weather can ping your GPS every few minutes, building a detailed movement history that reveals your home address, your workplace, your medical appointments, your church, your political rallies.
This gap between stated purpose and actual capability is the sleight of hand.
The maker of "Brightest Flashlight Free" — which had over 50 million downloads — settled with the FTC after the agency found the app transmitted users' precise location and device ID to advertising networks. The app's permission screen mentioned location access. The privacy policy did not explain that this data was being sold to third parties in real time. The FTC called it deceptive. The app remained in the Play Store.
Modern smartphones group permissions into categories. Some are low-stakes. Others are essentially a master key to your private life. Security researchers at the International Computer Science Institute analyzed 17,260 apps in 2020 and documented a class of techniques they called side channels: ways apps extract sensitive information using permissions that sound innocuous.
| Permission | Stated Use | What It Also Enables | Risk |
|---|---|---|---|
| Location (Precise) | Maps, weather | Home/work inference, movement tracking, religious/political profiling | High |
| Microphone | Voice search, calls | Ambient audio sampling, TV show detection, conversation fragments | High |
| Contacts | "Find friends" | Social graph mapping, email harvesting, relationship inference | High |
| Camera | Photos, QR codes | Facial recognition data, environment scanning, document capture | High |
| Storage / Files | Save files | Read all photos, documents, cached data from other apps | Medium |
| Network State | Check connectivity | Identify Wi-Fi networks you've connected to — reveals locations visited | Medium |
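The table above is the kind of check a reviewer applies to an app before installing it: does each declared permission match the stated purpose? The following added example (not part of the original page, and not any real app's code) automates that check against an Android manifest. The manifest is constructed for the example, a fictional flashlight app; the permission names are real Android permission strings, while the category and risk mapping is an assumption taken from the table.

```python
# Added example: audit the permissions an Android app declares against the
# capability table above. SAMPLE_MANIFEST is constructed (a fictional
# flashlight app), not taken from any real application.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names mapped to the table's categories and risk
# labels (assumption: this mapping mirrors the table; it is not exhaustive).
PERMISSION_CATEGORIES = {
    "android.permission.ACCESS_FINE_LOCATION": ("Location (Precise)", "High"),
    "android.permission.ACCESS_COARSE_LOCATION": ("Location (Approximate)", "Medium"),
    "android.permission.ACCESS_BACKGROUND_LOCATION": ("Location (Background)", "High"),
    "android.permission.RECORD_AUDIO": ("Microphone", "High"),
    "android.permission.READ_CONTACTS": ("Contacts", "High"),
    "android.permission.CAMERA": ("Camera", "High"),
    "android.permission.READ_EXTERNAL_STORAGE": ("Storage / Files", "Medium"),
    "android.permission.ACCESS_WIFI_STATE": ("Network State", "Medium"),
    "android.permission.ACCESS_NETWORK_STATE": ("Network State", "Low"),
}

# Constructed manifest: a "flashlight" that asks for far more than an LED needs.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.brightlight">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="BrightLight" />
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    attr = "{%s}name" % ANDROID_NS  # namespaced attribute key used by ElementTree
    return [e.get(attr) for e in root.iter("uses-permission") if e.get(attr)]


def audit(manifest_xml, justified):
    """Classify each declared permission.

    justified: set of permission names the app's stated purpose actually needs.
    Returns (findings, unclassified): findings are dicts with category, risk and
    whether the permission is justified; unclassified lists names not in the table.
    """
    findings, unclassified = [], []
    for perm in declared_permissions(manifest_xml):
        if perm in PERMISSION_CATEGORIES:
            category, risk = PERMISSION_CATEGORIES[perm]
            findings.append({"permission": perm, "category": category,
                             "risk": risk, "justified": perm in justified})
        else:
            unclassified.append(perm)
    return findings, unclassified


def unjustified_high_risk(manifest_xml, justified):
    """Permissions rated High in the table that the stated purpose does not explain."""
    findings, _ = audit(manifest_xml, justified)
    return [f["permission"] for f in findings
            if f["risk"] == "High" and not f["justified"]]


if __name__ == "__main__":
    # A flashlight needs the camera permission (it drives the LED) and nothing else.
    for perm in unjustified_high_risk(SAMPLE_MANIFEST, {"android.permission.CAMERA"}):
        print("unjustified high-risk permission:", perm)
```

Run against a real app, the input would be the decoded `AndroidManifest.xml` from the APK; the point of the check is the gap between `justified` (what the app says it is for) and what it actually declares, which is exactly the aggregation problem the text describes.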
Both Apple and Google, under regulatory and reputational pressure, introduced runtime permissions — popups that ask for access exactly when a feature needs it rather than at install time. Apple added precise-vs-approximate location in iOS 14. Google introduced one-time permissions in Android 11.
These changes are genuinely meaningful. But they don't solve the underlying problem: the permission dialog describes a capability, not a business practice. Granting location to a navigation app and granting location to a free game are the same tap, the same dialog — but the business logic behind them is entirely different. The navigation app needs your location to function. The free game needs your location to sell it.
In 2021, Norway's Data Protection Authority fined Grindr €9.63 million for sharing users' precise GPS coordinates, HIV status, and other sensitive attributes with at least 87 advertising partners — without valid consent. Grindr's permission screen said it collected location for "functionality." The data was leaving the app within milliseconds of launch. Similar findings were made against Period Tracker Flo, which was sending ovulation and pregnancy data to Facebook and Google despite explicit promises in its privacy policy that it wouldn't.
Think of three apps on your phone that you use regularly. For each one, consider what permissions it has, what it claims to need them for, and whether that explanation actually holds up. Then discuss your findings with the AI below.
In December 2018, the New York Times obtained a dataset of over 50 billion location pings from the phones of more than 12 million Americans. The data had been collected by location data companies — firms whose names most users had never heard — operating as SDKs embedded silently inside popular apps. The Times was able to trace the movements of a Pentagon employee, identify regular visitors to a psychiatric facility, and track a person from their office to Alcoholics Anonymous meetings. All of this from a dataset that was described, in the contracts that authorized its collection, as "anonymous."
An SDK (Software Development Kit) is a package of pre-built code that app developers drop into their apps to add features without building them from scratch. When you download an app, you're often also installing code from Google (analytics), Facebook (login and the "Like" button), AppsFlyer (attribution tracking), Adjust (ad measurement), and sometimes a dozen smaller firms you've never heard of.
These SDKs run inside the app with the same permissions the app has. If you granted the app location access, every SDK inside it can potentially access your location too. The app developer may not have fully audited what the SDK is doing — they accepted a terms-of-service document and moved on.
The FTC sued Premom after discovering the app was sending sensitive reproductive health data — including menstrual cycle tracking and pregnancy indicators — to two Chinese analytics companies, AppsFlyer and Umeng, as well as Google. Premom's privacy policy promised data would only be used "to provide services." The SDKs embedded in the app had a different agenda. The FTC required Premom to delete the data and pay $200,000 — and explicitly banned the app from sharing health data for advertising.
When you open an app that contains advertising, a silent auction takes place in approximately 100 milliseconds. Your device sends a bid request to an ad exchange — a packet containing your device ID, your approximate location, the app you're using, the time of day, and a profile built from your browsing and app history. Advertisers bid. The winner's ad loads. You see a banner for something you looked at two days ago.
This process is called Real-Time Bidding (RTB). The bid request itself — the packet your phone sends — is transmitted to potentially hundreds of companies simultaneously. Most of them don't win the auction. But they all received the data. RTB was designed to sell ads; it also functions as one of the most efficient personal data distribution systems ever built.
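To make the bid request concrete, here is an added example (written for this page, not code from any exchange or from the article) that inspects a constructed OpenRTB-style bid request, counts how many personal fields it carries, and produces a minimized copy the way a privacy-conscious publisher or exchange would: identifiers dropped when the user has limited ad tracking or has not consented, coordinates coarsened, inferred sensitive keywords removed. The field names (`device.ifa`, `device.lmt`, `device.geo`, `user.id`, `regs.ext.gdpr`, `user.ext.consent`) follow the OpenRTB 2.x schema and its GDPR extension; all values, including the app bundle and identifiers, are constructed.

```python
# Added example: audit and minimize an OpenRTB-style bid request. The request
# below is constructed; no real device, app or exchange data is used.
import copy

SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "app": {"id": "app-42", "bundle": "com.example.freegame", "name": "Free Game"},
    "device": {
        "ifa": "8F1C2A3B-0000-4000-8000-000000000001",  # advertising ID (constructed)
        "lmt": 1,                                        # user asked to limit ad tracking
        "ip": "198.51.100.23",                           # RFC 5737 documentation address
        "ua": "Mozilla/5.0 (Linux; Android 13) Example/1.0",
        "geo": {"lat": 40.741895, "lon": -73.989308, "type": 1,
                "country": "USA", "city": "New York"},
    },
    "user": {"id": "u-9fd2", "yob": 1988, "gender": "F",
             "keywords": "pregnancy,ovulation"},       # inferred sensitive traits
    "regs": {"coppa": 0, "ext": {"gdpr": 1}},           # GDPR applies; no consent string
}

# Dotted paths of fields that identify a person or reveal sensitive attributes.
PERSONAL_FIELDS = [
    "device.ifa", "device.ip", "device.geo.lat", "device.geo.lon",
    "user.id", "user.yob", "user.gender", "user.keywords",
]


def get_path(obj, path):
    """Look up a dotted path in nested dicts; None if any segment is missing."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def present_personal_fields(req):
    """Which of PERSONAL_FIELDS this request actually carries."""
    return [p for p in PERSONAL_FIELDS if get_path(req, p) is not None]


def data_exposure(req, recipients):
    """(field, recipient) pairs: every bidder on the exchange receives every field,
    whether or not it wins the auction."""
    return len(present_personal_fields(req)) * recipients


def minimize(req):
    """Return a minimized copy of the request (the original is left untouched)."""
    out = copy.deepcopy(req)
    dev = out.setdefault("device", {})
    user = out.setdefault("user", {})
    lmt = dev.get("lmt") == 1
    gdpr_applies = get_path(out, "regs.ext.gdpr") == 1
    has_consent = bool(get_path(out, "user.ext.consent"))
    # Identifiers go only where the user has not opted out and consent exists
    # where the law requires it.
    if lmt or (gdpr_applies and not has_consent):
        dev.pop("ifa", None)
        user.pop("id", None)
    # Coarsen coordinates to two decimals (roughly 1 km) so exact movements
    # cannot be reconstructed from the auction stream.
    geo = dev.get("geo")
    if isinstance(geo, dict):
        for key in ("lat", "lon"):
            if isinstance(geo.get(key), (int, float)):
                geo[key] = round(geo[key], 2)
    # Inferred health or similar traits never belong in a bid request.
    user.pop("keywords", None)
    return out


def with_flags(req, lmt, gdpr):
    """Copy of req with the limit-ad-tracking and GDPR flags set as given."""
    out = copy.deepcopy(req)
    out.setdefault("device", {})["lmt"] = lmt
    out.setdefault("regs", {}).setdefault("ext", {})["gdpr"] = gdpr
    return out


if __name__ == "__main__":
    before = data_exposure(SAMPLE_BID_REQUEST, 200)
    after = data_exposure(minimize(SAMPLE_BID_REQUEST), 200)
    print("personal-data transfers to 200 bidders: %d before, %d after" % (before, after))
```

The `data_exposure` figure is the point of the passage: with a few hundred bidders on a single auction, every personal field is copied a few hundred times regardless of who wins, so each field removed from the request removes hundreds of transfers at once.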
Ireland's Data Protection Commission investigated Google's RTB system and found that each time an auction occurs, Google's bid request shares users' personal data — including location, browsing habits, device identifiers, and inferred characteristics like income bracket and health conditions — with potentially thousands of advertising companies globally. The DPC noted this happens "billions of times per day." Google was fined €150 million by France's CNIL in 2022 for related cookie consent violations, and the RTB system investigation remains among the largest open cases in EU data protection law.
Beyond advertising, a parallel industry buys, aggregates, and resells this data: data brokers. Companies like LexisNexis Risk Solutions, Acxiom, Oracle Data Cloud, and hundreds of smaller firms purchase location pings, app usage data, purchase history, and behavioral profiles — then sell processed versions of this data to employers, insurers, lenders, law enforcement, and political campaigns.
In 2023, the Senate Judiciary Committee published a report finding that data brokers were selling Americans' location data to foreign adversaries, including firms with ties to Chinese military intelligence. The data had originated in ordinary apps — weather apps, games, utilities — that users had installed on their phones and granted location access.
Pick an app you use daily — a social media platform, a game, a news reader, or a utility. Now think about the invisible journey your data takes from the moment you open it. Use the AI to map that journey and identify who might be receiving your data downstream.
In 2018, as part of the Cambridge Analytica congressional hearings, internal Facebook documents revealed the company's data valuation models. Facebook estimated the average U.S. user generated approximately $26.76 in advertising revenue per quarter — roughly $107 per year. But this figure only captured direct advertising. Independent analyses of Facebook's data licensing, API access, and shadow profile construction suggested the total economic value extracted per active user was substantially higher — estimates ranged from $200 to $900 annually depending on demographic and behavioral profile richness.
Free apps generate revenue through several mechanisms, often simultaneously. Understanding them is the first step to understanding what you're actually exchanging when you install a free app.
Los Angeles City Attorney Mike Feuer sued IBM's The Weather Company (owner of the Weather Channel app, then with 45 million active users) for selling users' precise location data to third parties — including hedge funds, retailers, and energy companies — without making this clear in its disclosure screens. The app's prompts said location was needed "to provide weather forecasts to your exact location." It was also being used to power a commercial location data product. IBM settled in 2021, agreeing to change its disclosure practices. No fine was assessed.
Free VPNs represent one of the starkest examples of the "free = product" dynamic. A VPN is supposed to protect your privacy by encrypting your traffic and masking your IP address. A free VPN achieves this — and simultaneously routes your entire internet traffic through its servers, where it can be logged, analyzed, and sold.
In 2019, a report by Top10VPN analyzed 150 free VPN apps and found that 86% had unacceptable privacy policies, 26% contained tracking libraries, and 18% had no encryption at all. Several traced back to Chinese ownership, including Hotspot Shield's previous parent and, most notably, VPN Proxy Master, which was linked to Guangzhou-based developer Innovative Connecting — the same company behind other data-harvesting utility apps flagged by cybersecurity researchers.
In 2022, the FTC sued Kochava — a mobile analytics and data broker company — for selling geolocation data that could be used to track people's visits to reproductive health clinics, addiction treatment centers, and places of worship. The FTC alleged this data was sourced directly from apps that had embedded Kochava's SDK for attribution tracking. Kochava countersued and the litigation continued through 2024. The case established a significant legal precedent: that selling data enabling inference of sensitive conditions — even without a direct health record — could constitute an unfair trade practice.
Individual data points are cheap. A single location ping is worth fractions of a cent. What makes personal data economically powerful is combination and longitudinal depth. A data broker who has your location history for 18 months can infer your income bracket (neighborhoods you frequent), your religion (houses of worship), your health status (hospital visits, pharmacy trips), your political leanings (rallies, campaign offices), and your relationship status (co-location patterns with other devices).
This is why the standard industry defense — "we only collect anonymous, aggregate data" — is systematically misleading. Research by MIT and the University of Louvain has repeatedly shown that four location data points are sufficient to re-identify 95% of individuals in a dataset, even if names have been removed.
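The "four points" result comes from a unicity measurement: take a person's trace, draw k random (place, hour) points from it, and ask whether any other trace in the dataset contains all k. The added example below (not the researchers' code, and not part of the original page) reproduces that measurement on a constructed, synthetic set of traces, with each person modelled as revisiting a home cell and a work cell plus random trips; the dataset sizes and the generator are assumptions made for illustration, so the exact percentages will differ from the published figure, but the curve shows the same effect of rising uniqueness with k.

```python
# Added example: unicity of location traces on a synthetic dataset. Traces are
# constructed here; nothing is derived from real location data.
import random


def make_traces(n_users=200, n_points=20, n_cells=50, n_hours=24, seed=1):
    """Synthetic traces: each user holds n_points distinct (cell, hour) tuples,
    concentrated on a 'home' and a 'work' cell to mimic real daily patterns."""
    rng = random.Random(seed)
    traces = {}
    for user in range(n_users):
        home, work = rng.randrange(n_cells), rng.randrange(n_cells)
        points = set()
        while len(points) < n_points:
            cell = rng.choice([home, work, rng.randrange(n_cells)])
            points.add((cell, rng.randrange(n_hours)))
        traces[user] = points
    return traces


def is_unique(traces, user, sample):
    """True if no other user's trace contains every point in the sample."""
    return not any(sample <= other for uid, other in traces.items() if uid != user)


def unicity(traces, k, trials_per_user=5, seed=2):
    """Fraction of random k-point samples that single out exactly one user.
    Names are removed from nothing here: the traces carry no names at all,
    and the points alone do the identifying."""
    rng = random.Random(seed)
    unique = total = 0
    for user, points in traces.items():
        ordered = sorted(points)
        for _ in range(trials_per_user):
            sample = set(rng.sample(ordered, k))
            unique += is_unique(traces, user, sample)
            total += 1
    return unique / total


def unicity_curve(traces, ks=(1, 2, 3, 4)):
    """Map each k to the fraction of users uniquely identified by k points."""
    return {k: unicity(traces, k) for k in ks}


if __name__ == "__main__":
    traces = make_traces()
    for k, fraction in unicity_curve(traces).items():
        print("k=%d points: %.0f%% of samples identify a single person" % (k, 100 * fraction))
```

Two things carry over from the synthetic run to the real finding. Removing names changes nothing, because the points themselves are the identifier; and the defence is not pseudonymisation but coarsening: fewer, coarser cells and hours shrink the point space and push the curve down.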
Think about the free apps you use most — social media, messaging, games, utilities. Using what you've learned about how these apps monetize data, try to estimate what those apps are actually worth from your data alone. Challenge the AI to help you think through the math and the logic.
In April 2021, Apple launched App Tracking Transparency — a requirement that all iOS apps explicitly ask users for permission before tracking them across other companies' apps and websites using the IDFA device identifier. Within six months, studies showed that only 24% of iOS users were opting in to tracking when given a clear choice. Meta reported a $10 billion revenue hit in the following fiscal year. The experiment demonstrated something important: when users are given a genuine, frictionless opt-out, most of them take it.
Both iOS and Android have meaningfully improved their privacy controls since 2020. These controls are real and worth using — but understanding their limits is as important as knowing their benefits.
Not every privacy action has the same impact. Some are high-leverage; others are theater. Here's a realistic assessment:
| Action | What It Stops | What It Doesn't Stop | Effort |
|---|---|---|---|
| Deny location to apps that don't need it | GPS coordinate collection, movement profiling | IP-based location estimation, Wi-Fi network inference | Low |
| Enable "Precise Location Off" for apps that only need city-level | Exact coordinate collection and movement tracking | Neighborhood-level inference from approximate location | Low |
| Opt out of ad personalization (iOS: Settings → Privacy → Tracking; Android: Settings → Privacy → Ads) | Cross-app tracking via device ID; IDFA/GAID-based profiles | First-party behavioral data; fingerprinting; cohort-based targeting | Low |
| Use a paid VPN from a verified no-logs provider (Mullvad, ProtonVPN) | ISP data collection; IP-based tracking; some Wi-Fi snooping | In-app tracking; HTTPS-level data; anything the app sends directly | Medium |
| Use Signal instead of SMS/iMessage for sensitive conversations | Message content interception; metadata analysis by platform | Device-level compromise; physical access attacks | Medium |
| Delete apps you don't actively use | Background data collection; periodic location pings; SDK activity | Data already collected; profiles already built | Low |
When Apple's ATT made IDFA-based tracking harder, the ad industry didn't stop tracking — it shifted to device fingerprinting: building a unique identifier from the combination of your screen resolution, installed fonts, GPU model, system language, time zone, battery level, and other signals that don't require a permission grant. The EFF's "Cover Your Tracks" tool can demonstrate how unique your browser fingerprint is. Most devices are unique among millions. Apple has continued to fight fingerprinting in iOS 17+ by restricting the API calls used to build fingerprints, but the cat-and-mouse dynamic continues.
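What "Cover Your Tracks" reports for a real browser is the information content of each signal: how many bits of identification it contributes, and how many devices in the population share your exact combination. The added example below (written for this page; not the EFF's code, and not the page's own) computes those figures over a constructed population of devices and then applies a mitigation of the kind the text describes: coarsening one signal and suppressing another. The signal names and value lists are assumptions chosen to resemble the ones the paragraph lists; real distributions are far more skewed.

```python
# Added example: information content of fingerprint signals on a synthetic
# population, before and after a mitigation. All devices are constructed.
import math
import random
from collections import Counter

SIGNALS = ["screen", "fonts", "gpu", "language", "timezone", "battery"]

_SCREENS = ["1080x2400", "1170x2532", "1284x2778", "1440x3200", "720x1600"]
_GPUS = ["Adreno 730", "Mali-G78", "Apple GPU", "Adreno 650"]
_LANGS = ["en-US", "en-GB", "es-ES", "de-DE", "fr-FR"]
_TZS = ["-300", "-420", "0", "60", "330"]
_FONTS = ["Arial", "Roboto", "Noto", "Helvetica", "Courier", "Georgia", "Verdana", "Tahoma"]


def make_population(n=5000, seed=3):
    """Synthetic devices with one value per signal."""
    rng = random.Random(seed)
    population = []
    for _ in range(n):
        population.append({
            "screen": rng.choice(_SCREENS),
            "fonts": ",".join(sorted(rng.sample(_FONTS, rng.randint(3, 6)))),
            "gpu": rng.choice(_GPUS),
            "language": rng.choice(_LANGS),
            "timezone": rng.choice(_TZS),
            "battery": str(rng.randint(0, 100)),
        })
    return population


def _keys(population, signals):
    return [tuple(device[s] for s in signals) for device in population]


def surprisal_bits(population, signals):
    """Average bits of identification carried by the given signals together:
    mean of log2(N / count) over devices, i.e. the entropy of the empirical
    distribution. log2(N) bits would mean every device is unique."""
    keys = _keys(population, signals)
    counts = Counter(keys)
    n = len(keys)
    return sum(math.log2(n / counts[k]) for k in keys) / n


def anonymity_set(population, signals, target):
    """How many devices share the target's values on these signals (1 = unique)."""
    key = tuple(target[s] for s in signals)
    return sum(1 for k in _keys(population, signals) if k == key)


def bits_per_signal(population):
    """Identification bits contributed by each signal on its own."""
    return {s: surprisal_bits(population, [s]) for s in SIGNALS}


def coarsen(device):
    """Mitigation of the kind platforms apply: report battery only in 25%
    buckets and expose a fixed default font list instead of the real one."""
    out = dict(device)
    out["battery"] = str((int(device["battery"]) // 25) * 25)
    out["fonts"] = "default"
    return out


if __name__ == "__main__":
    population = make_population()
    hardened = [coarsen(d) for d in population]
    print("bits per signal:", {s: round(b, 2) for s, b in bits_per_signal(population).items()})
    print("combined bits: %.2f raw, %.2f after coarsening (max %.2f)" % (
        surprisal_bits(population, SIGNALS), surprisal_bits(hardened, SIGNALS),
        math.log2(len(population))))
    print("devices sharing the first device's fingerprint: %d raw, %d after coarsening" % (
        anonymity_set(population, SIGNALS, population[0]),
        anonymity_set(hardened, SIGNALS, hardened[0])))
```

The combined bits approach log2(N) on the raw population, which is the "unique among millions" situation, while the coarsened population collapses into shared fingerprints. Because the signals multiply, removing or bucketing the two highest-entropy ones does most of the work, which is why platform mitigations target exactly those.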
Data brokers are required by several state laws — California's CCPA, Virginia's VCDPA, and others — to honor deletion requests from consumers. Services like DeleteMe (paid) and Privacy Bee (paid) automate the submission of removal requests to hundreds of brokers. Manual removal is possible but time-consuming; the major brokers include Spokeo, Whitepages, Intelius, BeenVerified, Acxiom, and LexisNexis. Critically: data re-aggregates. Removal is not permanent. Quarterly re-submission is typically required.
The FTC finalized rules in 2024 requiring data brokers to register with the agency and provide opt-out mechanisms — a significant step, though enforcement scope remains limited.
Perfect privacy on a modern smartphone connected to the commercial internet is not achievable. The data collection infrastructure is too deeply embedded in how apps are built, financed, and distributed. What is achievable is a meaningfully reduced profile: fewer tracking IDs, less precise location data, fewer third-party SDKs running on your device, and less data in broker databases. Each reduction lowers the value of your data to potential misusers — insurers, political operatives, malicious state actors — even if it doesn't eliminate it entirely.
Privacy advice is only useful if it matches your actual situation. Think about who you are, what you do, and what data you care most about protecting. Use the AI to build a personal, realistic privacy action plan — not a generic checklist.