Facebook Still ‘Secretly’ Tracks Your iPhone–This Is How to Stop It

So, this isn’t good. Your iPhone settings enable you to tell Facebook you don’t want your location tracked. It’s clear and non-ambiguous. Why then, if you tell Facebook “never” to access your location, is the data harvesting giant doing exactly that?

Apple’s iOS 14.5 is just a few weeks old, and the data already suggests it has delivered the expected strike against Facebook . Unsurprisingly, more than 80% of users do not opt in to being tracked. Millions of you have seen through the brazen warnings that Facebook’s free apps won’t remain free unless we surrender our right to privacy.

Facebook generates almost all its revenue from digital advertising—targeting ads by harvesting as much data from you and about you as it can. “Facebook marketing is generally dominated by iOS,” one ad industry article laments, “it’s pretty safe to assume Facebook has lost at least half their data, arguably the most valuable half.”

All of which means that Facebook will be doing ever more with the data that remains. And there’s a hidden danger in all the iOS 14.5 publicity—a false sense of security for iPhone users, thinking that the Facebook data issue is suddenly over, that everything has now changed. That would be very wrong—it really hasn’t.

Apple has clamped down on Facebook tracking you across third-party websites and apps, not harvesting your data on those it owns. Just like Google with Chrome, Photos and Gmail, Facebook apps compare miserably to their peers when it comes to helping themselves to your information. This isn't coincidence—it’s a philosophy at play.

Privacy Labels - Facebook Vs Rivals

@UKZak / Apple

iOS 14.5 is also fairly new—the impact is still being assessed. And so we’ll need to wait and see what workarounds the data giants find to keep tracking our web and app activity. The last major privacy innovation was to restrict location tracking. And here we can see exactly how it’s the letter and not the spirit of the rules that seems to apply.

Despite me telling my iPhone “never” to allow Facebook access to my location, despite me checking Facebook online to confirm it knows “location history for mobile devices” is set to “off.” Facebook continues to exploit a loophole, harvesting photo location tags and IP addresses, all of which it will, in its own words, “collect and process.”

I took a photo with my iPhone and then uploaded that to my Facebook account. I used Facebook’s app on my iPhone, the same app that has been told “never” to access my location, the same account that knows I have this switched off. But Facebook still collects the location tag from that photo, along with my IP address.

Facebook App and Website - Location Access Disabled


My iPhone adds GPS tags to photos—useful to sort and find images. I can use the share function in Apple Photos to strip location data as I send, and most messengers strip this data, but in Facebook’s app, when I upload a photo, the data is sent as well.

Facebook and Instagram do in fact strip the metadata, the so-called EXIF information, from photos that are saved to their platforms. You can see this, because if you save a photo from Instagram or your Facebook albums onto your phone, there will be no location information. That has been replaced with Facebook’s own codes.

And so, you might assume that Facebook has deleted this data. Wrong. If you go to your Facebook privacy settings and select “your Facebook information,” you can download a copy of the data it holds. If you select “photos and videos,” you will see the data that Facebook saved from the images you uploaded.

In the case of this specific photo, the one just uploaded from my iPhone, that data includes a very precise location and my “upload IP address.” Facebook doesn’t need any more than that. If I type those lat/long co-ordinates into Google Maps, I get an exact match to my location, and Google’s Street View shows me the front of my house. As you can imagine, this is not the kind of privacy I had in mind.

Location Data Harvested From Photo


So, is Facebook doing anything valuable with the data? Not for you. Gone are the days when your images could be seen by EXIF location—a huge privacy risk of a different kind. This data is now for Facebook’s own purposes. Remember its business model.

Facebook’s privacy policy says as much. The data “we collect,” it says, “can include information in or about the content that you provide (e.g. metadata), such as the location of a photo or the date a file was created.” The location data, it says, is used “to provide, personalize and improve our products, including ads.

This gets better. The privacy policy links you to “About Facebook Ads,” which explains why targeted ads are beneficial. Facebook tells you “we use location data to show you ads from advertisers trying to reach people in or near a specific place. We get this information from sources such as: Where you connect to the Internet, Where you use your phone, Your location from your Facebook and Instagram profile.”

Then you see a link inviting you to “learn more about your location data.” That link takes you to your account, where it asks if you want to “Turn on Location History for your mobile devices,” because, remember, this is switched off. Which begs the question—how can you collect my location data, and then explain this by taking me to an account setting which confirms I’ve told you not to capture my location?

If this seems Pythonesque to you, don’t worry, you’re not alone.

Data Used To Target Ads


You might not save many photos to Facebook these days, perhaps you use Instagram instead. Well, its data policy carries the very same warning, that the data harvested “can include information in or about the content you provide (like metadata), such as the location of a photo or the date a file was created.”

I asked Facebook about this capture of EXIF locations from Facebook and Instagram photos. The company confirmed that it “collects and processes” such data. I suggested to them that this data is used for advertising purposes, and that this is “regardless of the privacy settings selected by the user within the Facebook/Instagram app on their phones.” Facebook told me it was fine to proceed with those assumptions.

As regards Instagram, Facebook pointed me to its privacy policy, which confirms this type of metadata harvesting, and suggested that users strip EXIF data from their photos before uploading them. Easier said than done, but yes, clearly. The company also pointed out that EXIF data is not the same as a phone’s live location.

True, albeit photos uploaded from a mobile device are almost always taken on the mobile device. And combined with its vast data trove, this is all part of painting a more accurate picture of each of you, a profile to mine for ads.

So, what should you do? Don’t upload photos to Facebook or Instagram that have significant location data embedded, unless you want to share that data. You can use an app like iVerify, which will add a metadata stripping function to the share menu within photos, enabling you to save clean duplicates before you upload or share them.

EXIF data isn’t the only secret tracking taking place on your iPhone. If there’s one other setting you absolutely need to change, it’s the “load remote images” option within Apple Mail. This should be switched off, which will stop almost all the email tracking pixels you you are being sent from collecting your location data, your identifier and the date and time, every time you open a marketing email.

This is an absolutely scourge, and with Apple’s crackdown on website pixel tracking, these marketing email pixels are going to become even more important. You don’t lose anything by changing that setting. Apple will give you the option to load remote images on every email that has them. At least this way you get to choose who is checking where you are and storing that information to target you with ads later.

Remote Images

Apple Mail

As I’ve said, this is a philosophy, it’s about taking as much valuable information as possible, and then monetizing that information in myriad different ways. That’s why all Facebook’s data harvesting, per its privacy labels, link back to user identities, and it’s why it would never think to refuse that EXIF location data unless explicitly prohibited or prevented from gathering it.

With iOS 14.5 and the rising groundswell of privacy advocacy, the next few years will either be a pivot point for Facebook as it’s forced to examine its business model, or more likely the same kind of almost unnoticeable bump in the road that Cambridge Analytica ultimately proved to be. Just take a look at its stock chart in the years since that existential crisis hit the headlines—it tells you everything you need to know.

“Protecting people’s privacy,” Facebook says, “is central to how we’ve designed our ad system.” No, really, that’s what it says. Four simple steps to enhance your privacy: Say no to tracking when asked by iOS 14.5; disable location sharing for Facebook on your phone; for Facebook itself, delete the app and use a browser instead—Safari or Firefox, not Chrome; and don’t upload EXIF data unless you’re happy it’s collected.

In the meantime, Apple, please address these EXIF issues and also default to remote email images being disabled in iOS 15. Those would be two huge steps forward.

