BreachExpress

Cybersecurity, explained for the rest of us.

VPN & Privacy

What your phone's location history reveals — and what it doesn't

Margot 'Magic' Thorne@magicthorneJune 18, 202611 min read
Smartphone displaying a map with location pins and a timeline of visited places

Your phone knows where you've been. That much is common knowledge. But the specifics of what gets collected, how accurate it is, and who can see it are widely misunderstood.

The reality check: your phone tracks location constantly, through multiple systems, with varying degrees of precision. Some of that data lives on your device. Some syncs to cloud accounts. Some gets shared with apps. Some ends up in databases you'll never see.

This isn't paranoia. It's mechanism. Here's how location tracking actually works, what the data reveals, what it misses, and what you can control.

How your phone determines location

Your phone uses three primary methods to figure out where you are: GPS, WiFi triangulation, and cell tower positioning. Each method trades accuracy for speed and battery life.

GPS is the most precise. It uses signals from satellites orbiting Earth to calculate your exact coordinates. Under clear skies, GPS can pinpoint your location to within 5-10 meters. Inside buildings or under heavy tree cover, accuracy degrades or fails entirely. GPS also drains battery faster than other methods because it requires continuous communication with satellites.

WiFi triangulation uses the unique identifiers of nearby wireless networks to estimate your position. Your phone scans for WiFi signals, matches them against a database of known network locations, and triangulates your position based on signal strength. This works indoors where GPS doesn't, but accuracy drops to around 20-50 meters. Google and Apple maintain massive databases of WiFi network locations, built from years of mapping and user data.

Cell tower positioning is the least accurate but most widely available. Your phone constantly communicates with cell towers to maintain service. The network can estimate your location based on which tower you're connected to and how strong the signal is. In urban areas with dense tower coverage, accuracy might reach 50-100 meters. In rural areas, it can be several kilometers off.

Your phone combines all three methods when available. This hybrid approach is why location works so reliably in most situations. Turn off GPS, and your phone falls back to WiFi and cell towers. Disable WiFi, and it uses GPS and towers. The system is designed for redundancy.

What gets stored and where

Location data doesn't live in one place. It fragments across your device, cloud accounts, app databases, and third-party servers.

Your phone's operating system maintains a local location history. On iPhones, this is called Significant Locations. On Android, it's part of Location History. Both features are optional, but they're often enabled by default during setup. These logs track where you go, how long you stay, and how frequently you visit. The data lives in encrypted form on your device and syncs to your cloud account if you've enabled that feature.

Individual apps also store location data. A weather app might log your current city. A fitness app records your running route. A ride-sharing app keeps a history of pickups and drop-offs. Each app maintains its own database, and you typically can't see what it contains unless the app provides a history view. Some apps upload this data to their servers. Some keep it local. The app's privacy policy describes this, though reading it won't always clarify what actually happens.

Your cellular carrier logs your approximate location as part of normal network operation. Every time your phone connects to a cell tower, the network records which tower you used and when. Carriers store this data for billing, network optimization, and compliance with legal requirements. You can't opt out. It's inherent to how cellular networks function.

Third-party location databases aggregate data from apps that sell or share user information. Data brokers purchase location data from app developers, strip out direct identifiers, and resell it as "anonymized" datasets. Researchers have repeatedly demonstrated that this anonymization fails under scrutiny. Given enough data points, you can re-identify individuals by their movement patterns. Your daily commute, the gym you visit, the grocery store you prefer, these patterns are distinctive enough to serve as fingerprints.

The precision question

Location data isn't uniformly accurate. The precision varies based on method, environment, and how the data gets processed.

GPS is accurate outdoors but fails indoors. If you spend eight hours inside an office building, your phone's GPS might show you standing in the parking lot the entire time. WiFi triangulation fills this gap, but only if your phone can see enough networks. In a basement with no WiFi, your location might not update at all.

Cell tower positioning is coarse by design. In a dense city, it might place you within a few blocks. In a rural area, it could be kilometers off. Law enforcement agencies sometimes request cell tower data during investigations, and the imprecision creates problems. A tower dump might show your phone connected to a tower near a crime scene, but that doesn't prove you were at the scene. You could have been anywhere within that tower's range.

Timestamp accuracy matters as much as spatial accuracy. Your phone logs when it recorded each location, but apps don't always sync in real time. A fitness app might batch-upload your run an hour after you finish. A navigation app might cache location data and sync it later. The timestamps in your location history might not match the timestamps in an app's server logs.

Movement patterns reveal more than static locations. Even if your phone only logs your position every few minutes, the pattern of those points tells a story. Researchers have shown that four spatio-temporal points, locations with timestamps, are enough to uniquely identify most people. You don't need continuous tracking. Sparse data works fine if you have enough of it over time.

Who sees your location data

Your location data flows to more parties than you've explicitly granted permission.

Your operating system provider sees everything. Apple and Google collect location data to improve their services, build traffic maps, and refine location accuracy. Both companies publish transparency reports detailing government requests for user data, including location information. In 2025, Apple received thousands of such requests, and compliance rates varied by jurisdiction.

Apps with location permission can access your position whenever their permission level allows. Foreground permission means the app can see your location only while you're actively using it. Background permission means it can track you continuously, even when the app is closed. Many apps request background permission for features that don't obviously require it. A shopping app might claim it needs background location to show you nearby stores, but that feature could work with foreground permission instead.

Your cellular carrier logs your location as part of network operation. Carriers share this data with law enforcement in response to warrants, subpoenas, and emergency requests. Some carriers have sold aggregated location data to third parties, though public pressure has reduced this practice. The data still exists in carrier databases, and the legal standards for accessing it vary by country and jurisdiction.

Data brokers purchase location data from apps and resell it. Apps with free business models often monetize by selling user data. The app's privacy policy might mention "trusted partners" or "service providers" without naming them. Those partners are often data brokers who aggregate location data from multiple apps to build detailed profiles. These profiles get sold to advertisers, marketers, and sometimes government agencies.

Law enforcement can access location data through various legal mechanisms. In the U.S., a warrant is typically required for historical location data, but real-time tracking standards are murkier. Emergency requests bypass normal procedures. Tower dumps collect location data for everyone connected to a specific tower during a specific time window, which can include thousands of people. Geofence warrants request data for everyone who was in a specific area during a specific time, which has raised significant Fourth Amendment concerns.

The background location problem

Background location permission is where tracking becomes pervasive. An app with this permission can monitor your movements continuously, even when you're not using the phone.

Apps justify background location with features that sound reasonable. A weather app wants to send you alerts about storms in your area. A fitness app wants to automatically log your runs. A shopping app wants to notify you when you're near a sale. These features work, but they also enable continuous surveillance.

The technical mechanism is straightforward. When you grant background location permission, the app registers with the operating system to receive location updates. The OS wakes the app periodically and feeds it your current position. The app logs this data locally, uploads it to its servers, or both. You have no visibility into this process unless the app provides a location history view.

Battery impact is real but often overstated. Modern smartphones optimize background location to minimize drain. The OS doesn't wake apps every second. It batches updates, uses low-power location modes, and limits how often apps can request position. A well-designed app with background location might add 5-10% to your daily battery usage. A poorly designed app can drain 20-30%. You won't know which you have until you test it.

Revoking background permission is the most effective control. Both iOS and Android let you downgrade an app from background to foreground permission without uninstalling it. The app still works, but it can only see your location when you're actively using it. Most apps function fine with this restriction. The ones that don't are often the ones you shouldn't trust with continuous tracking anyway.

What location history actually reveals

Location data doesn't just show where you've been. It reveals patterns, relationships, and behaviors that you might not consciously recognize.

Your daily routine becomes visible. The data shows when you leave home, how long your commute takes, where you work, when you take lunch, and when you return. Over weeks and months, this pattern solidifies into a profile. Researchers have demonstrated that most people follow predictable routines, and location data captures those routines with precision.

Relationships emerge from co-location patterns. If two phones consistently appear at the same locations at the same times, they're likely connected. This could be a spouse, a colleague, a friend, or a family member. The data doesn't name the relationship, but the pattern implies it. Law enforcement and private investigators use co-location analysis to map social networks.

Sensitive locations reveal personal information. A phone that regularly appears at a medical clinic might indicate a chronic condition. A phone that visits a religious institution reveals faith. A phone that stops at a therapist's office suggests mental health treatment. A phone that frequents a specific address might indicate a romantic relationship. You don't need to explicitly disclose these facts. The location data does it for you.

Behavioral changes stand out. A sudden deviation from routine, visiting an unfamiliar neighborhood, staying out late, traveling to a new city, shows up clearly in location history. This matters for more than surveillance. Advertisers use behavioral changes to target ads. If you start visiting baby stores, you'll see diaper ads. If you visit car dealerships, you'll see auto loan offers. The targeting works because location predicts intent.

In The Good Place, the characters learn that every action they've ever taken has been recorded and judged. Location tracking isn't quite that comprehensive, but it's closer than most people realize. Your phone doesn't judge, but it remembers. And that memory is accessible to more parties than you've consciously agreed to share it with.

The law enforcement angle

Law enforcement access to location data operates under different rules than commercial access, and those rules vary by jurisdiction.

In the U.S., the Supreme Court ruled in Carpenter v. United States (2018) that accessing historical cell site location information requires a warrant. This was a significant privacy win, but it only applies to data held by carriers. It doesn't cover location data held by app developers, data brokers, or the phone's operating system provider. Those require different legal standards, and the case law is still evolving.

Real-time location tracking has murkier legal protections. Some courts have held that tracking a suspect's current location requires a warrant. Others have allowed it under less stringent standards. Emergency situations often bypass normal procedures entirely. If police believe someone is in immediate danger, they can request real-time location data without a warrant.

Geofence warrants request data for everyone in a specific area during a specific time. Law enforcement provides Google or another provider with geographic coordinates and a time window. The provider returns anonymized data for every device that was in that area. Police then narrow the list and request identifying information for specific devices. Civil liberties groups argue this is a general search that violates the Fourth Amendment. Courts have split on the issue.

Tower dumps collect data for everyone connected to a specific cell tower during a specific time. This can include thousands of people, most of whom have no connection to the investigation. The data shows which phones were in the area, but it doesn't prove those phones were at the crime scene. Tower range can extend for miles.

Border searches operate under different rules. U.S. Customs and Border Protection can search phones at borders without a warrant, and that includes accessing location history. If you've traveled internationally, your phone's location log might be inspected when you re-enter the country. Encrypting your device doesn't prevent this. If you refuse to unlock it, CBP can seize it.

What you can actually control

Location tracking is pervasive, but you're not powerless. The controls exist. They're just not always obvious, and using them requires tradeoffs.

Disable location services entirely. Both iOS and Android let you turn off location globally. This breaks every app that relies on location, including maps, weather, ride-sharing, and fitness tracking. It also disables Find My Phone, which matters if your device gets stolen. But it stops continuous tracking cold.

Review app permissions and downgrade background access. Go through every app that has location permission and ask whether it needs it. If the app works fine without location, revoke it. If the app needs location but doesn't need continuous tracking, downgrade from background to foreground. This is the most effective control that doesn't break functionality.

Disable location history in your OS. Apple calls it Significant Locations. Google calls it Location History. Both are optional. Turning them off stops your OS from building a detailed timeline of your movements. It doesn't stop apps from tracking you, but it removes one layer of data collection.

Use airplane mode when you need true location privacy. Airplane mode disables all wireless radios, including cellular, WiFi, and Bluetooth. Your phone can't connect to towers or networks, which means it can't report your location. GPS still works in airplane mode because it's receive-only, but without a network connection, your phone can't upload the data. This is the only reliable way to prevent real-time tracking.

Delete location history periodically. Both Apple and Google let you view and delete your stored location data. This doesn't affect data that apps have already uploaded to their servers, but it clears what's stored in your account. If you're concerned about historical data exposure, deletion is your only option.

Understand the limits. You can't stop cell tower logging without turning off your phone. You can't prevent data brokers from buying location data from apps unless you stop using those apps. You can't control what happens to data that's already been collected and sold. The controls you have are prospective, not retroactive.

The commercial tracking ecosystem

Commercial location tracking operates differently than OS-level tracking, and it's far less regulated.

Apps with location permission often share that data with third parties. The app's privacy policy might disclose this in vague language about "partners" and "service providers." Those partners are often ad networks, analytics companies, and data brokers. The data gets aggregated, anonymized (poorly), and resold.

Anonymization fails under scrutiny. Researchers have repeatedly demonstrated that location data remains identifiable even after direct identifiers are stripped out. Your home and work addresses are unique. Your daily routine is distinctive. Given enough data points, re-identification is trivial. Data brokers sell "anonymized" location datasets, but the anonymization is often cosmetic.

Location data fuels targeted advertising. If you visit a car dealership, you'll see car ads. If you visit a competitor's store, you'll see ads from their rivals. If you visit a medical clinic, you'll see health-related ads. This targeting works because location predicts intent better than search history or browsing behavior. Where you go reveals what you're thinking about.

Retailers use location data for foot traffic analysis. They want to know how many people walk past their store, how many enter, and how long they stay. Some retailers install beacons that ping nearby phones via Bluetooth. Others purchase aggregated data from apps. The data helps them optimize store layouts, staffing, and marketing.

Political campaigns use location data for voter targeting. They buy datasets showing who attended rallies, who visited campaign offices, and who lives in specific neighborhoods. They cross-reference this with voter registration data to build targeting profiles. This isn't hypothetical. It's standard practice in modern campaigns.

The myth of "nothing to hide"

The argument goes: if you're not doing anything wrong, why does location tracking matter? This framing misunderstands both privacy and power.

Privacy isn't about hiding wrongdoing. It's about controlling who knows what about you. Location data reveals sensitive information that you might not want to share broadly, even if it's entirely legal. Visiting a therapist, attending a religious service, meeting a divorce attorney, or seeking medical treatment are all legal activities that most people prefer to keep private.

Location data can be weaponized. Domestic abusers use location tracking to stalk victims. Employers use it to monitor off-duty employees. Governments use it to identify protesters and dissidents. The data itself is neutral, but the uses are not. Once collected, it can be accessed by parties you never intended to share it with.

Behavioral targeting creates manipulation risk. When advertisers know your location patterns, they can serve you ads at moments of vulnerability. Visiting a fertility clinic? Here's an ad for IVF financing. Visiting a funeral home? Here's an ad for grief counseling. The targeting works because it exploits emotional states that location data reveals.

Aggregated data isn't anonymous. Data brokers claim their datasets are anonymized, but research consistently shows otherwise. Your location history is a fingerprint. Given enough points, you're identifiable. This matters because aggregated data gets sold without your consent to buyers you'll never know about.

The international angle

Location tracking rules vary dramatically by country, and traveling exposes you to different legal frameworks.

The EU's GDPR requires explicit consent for location tracking and gives users the right to access, delete, and port their data. Apps operating in the EU must provide clear disclosures and easy opt-outs. Enforcement is real. Regulators have fined companies millions for GDPR violations related to location data.

China requires apps to store user data on servers within Chinese borders, which means the government has easier access. Location data for Chinese users stays in China, subject to Chinese law. If you travel to China, your phone's location data becomes accessible to Chinese authorities under their legal framework.

Russia has similar data localization laws. Apps serving Russian users must store data on Russian servers. The government can access this data through legal process that's less transparent than in Western democracies.

Border crossings create exposure. When you cross an international border, your phone's location data may be inspected by customs officials. Some countries require you to unlock your device for inspection. Others can seize it if you refuse. The legal protections you have at home don't necessarily travel with you.

Roaming data reveals international travel. When your phone connects to foreign cell towers, your carrier logs it. This data can be subpoenaed in legal proceedings. If you're involved in a lawsuit, divorce, or criminal investigation, your international travel history might become evidence.

What's actually changing

Location tracking has been possible for years, but the scale and precision are increasing.

5G networks enable more precise location tracking. The technology supports centimeter-level positioning in some configurations. This level of precision isn't widely deployed yet, but the infrastructure is being built. When it arrives, indoor location tracking will become as accurate as outdoor GPS.

App developers are building more features that require location. Augmented reality, local recommendations, and social features all depend on knowing where you are. The more features that require location, the more users grant permission without thinking through the implications.

Data brokers are consolidating. The market for location data is maturing. Smaller brokers are being acquired by larger ones. The datasets are getting richer and more interconnected. This makes re-identification easier and increases the value of individual profiles.

Legal frameworks are slowly catching up. The EU's GDPR set a high bar. California's CCPA followed. Other jurisdictions are considering similar laws. But legislation moves slowly, and the technology evolves faster. The gap between what's legal and what's technically possible keeps widening.

The practical takeaway

Your phone tracks your location constantly through GPS, WiFi, and cell towers. The data lives on your device, syncs to cloud accounts, flows to apps, and ends up in databases you'll never see. Precision varies, but patterns emerge. Those patterns reveal sensitive information about your routine, relationships, and behavior.

You can't eliminate location tracking entirely without giving up core phone functionality. But you can reduce it. Review app permissions. Disable background location for apps that don't need it. Turn off location history in your OS. Use airplane mode when you need true privacy. Delete historical data periodically.

The controls exist. They're just not defaults. Using them requires conscious effort and accepting tradeoffs. That's the reality. Your phone knows where you've been, and that knowledge is valuable to more parties than you've explicitly agreed to share it with. What you do with that information is up to you.

Phone settings screen showing location services toggle and app permissions list
→ Filed under
location trackingmobile privacyGPSsmartphone securitydata collectionapp permissions
ShareXLinkedInFacebook

Frequently asked questions

Yes. Your phone collects location data continuously as long as location services are enabled, even when the screen is off. Apps with background location permission can access this data without your active involvement.
GPS uses satellites to pinpoint your exact coordinates, accurate to around 5-10 meters outdoors. WiFi triangulation uses nearby network signals to estimate location, which works indoors but is less precise—typically accurate to 20-50 meters.
Apple and Google both store location history if you've enabled it, and you can review it through your account settings. But individual apps also maintain their own location logs, which aren't always accessible to you.
No. Even with location services disabled, your phone still connects to cell towers and WiFi networks, which creates a rough location trail. True location anonymity requires airplane mode or powering off the device.
Your operating system provider, any app you've granted location permission, your cellular carrier, and potentially law enforcement with proper legal process. Data brokers may also purchase aggregated location data from apps.

You might also like

Abstract visualization of data flowing through browser APIs with layered privacy boundaries
VPN & Privacy

Privacy Sandbox: What Google Is Actually Doing Instead of Third-Party Cookies

Google's Privacy Sandbox replaces third-party cookies with new APIs that track you differently. Here's the underlying mechanism, what changes, and what stays the same.

12 min · Margot 'Magic' Thorne · Jun 4

Laptop open on cafe table showing checkout page, coffee cup beside it, WiFi symbol visible on screen
VPN & Privacy

Online Shopping on Public WiFi: Separating Real Risk from Security Theater

Public WiFi isn't the universal threat security advice suggests. Here's what actually matters when you shop online at Starbucks in 2026, what's changed, and what hasn't.

11 min · Margot 'Magic' Thorne · Jun 6

Split illustration showing a locked door (security) and closed curtains (privacy)
VPN & Privacy

Privacy vs Security: Not the Same Thing

Privacy and security protect different things. Here's how they differ, where they overlap, and why confusing them weakens both.

11 min · Margot 'Magic' Thorne · May 9