You downloaded a free flashlight app three years ago and forgot about it. It still runs in the background. It knows your location, it's read your contact list twice this week, and somewhere in a data broker's warehouse, your phone number is attached to a profile that includes your approximate income bracket, your health concerns, and the fact that you've been searching for divorce lawyers.
That's not a hypothetical. That's Tuesday.
The Permission You Already Gave
Here's the thing that trips most people up: this isn't technically illegal. You agreed to it. Buried inside a terms-of-service document you scrolled past in four seconds was a clause allowing the app to share your "usage data with trusted partners." Those partners sell it to other partners. By the time your information lands somewhere you'd object to, it's passed through six different hands and there's no legal trail you can follow.
The apps doing the most damage often aren't the sketchy ones. They're the ones you trust — free VPNs, weather apps, period trackers, games your kids play.
According to a detailed investigation by the Norwegian Consumer Council, popular apps were sharing intimate user data — including menstrual cycle details and mood logs — with advertising companies and data brokers in ways that users had no realistic way of knowing about or meaningfully consenting to.
What's Actually Being Taken
Let's be specific, because vague warnings don't change behavior.
Your phone's sensors are remarkably chatty. An app with microphone access doesn't need to record your conversations to learn about you — it can detect ambient sound patterns to infer whether you're in a car, a restaurant, or a hospital waiting room. That's valuable targeting data.
Location data is the crown jewel. Your phone's GPS logs aren't just tracking where you are — they reveal where you sleep (your home), where you work, which church or mosque or clinic you visit, and how often. According to a New York Times investigation into location data, a single dataset the paper obtained contained over 50 billion location pings from millions of Americans' phones — collected by apps most people would consider completely harmless.
Contact list access is one people consistently underestimate. When an app reads your contacts, it's not just learning about you. It's learning about your mother, your doctor, your ex-spouse — people who never agreed to anything.
The Counterintuitive Part Nobody Talks About
Most people assume the solution is to audit which apps look suspicious. So they delete the weird ones, keep the big-name apps, and feel safer.
This is backwards.
The major apps — Facebook, Google Maps, TikTok, even LinkedIn — are in many cases collecting more data than the sketchy flashlight app, not less. They're just better at it, and they have legal teams that have bulletproofed their consent language. The sketchy app might sell your data to one broker. A major platform has built an entire advertising empire on data collection so sophisticated it can predict life changes before you've announced them publicly.
Your real threat isn't the app that looks shady. It's the one you use every day without thinking.
What You Can Actually Do
First, do a permission audit right now — not someday. On iPhone, go to Settings → Privacy & Security and work through each category: Location, Microphone, Contacts, Photos. For every app that has access, ask yourself: does this app need this to function? A recipe app does not need your microphone. A shopping app does not need your precise location. Revoke what you can't justify.
On Android, go to Settings → Privacy → Permission Manager. Same logic applies.
Second, location access specifically deserves attention. The options matter:
- "Never" — the correct choice for most apps
- "While Using" — acceptable for maps and navigation
- "Always" — almost never necessary for any app you're thinking of
Third, delete apps you haven't opened in 90 days. Dormant apps still run background processes. They still phone home. They're not doing anything for you, but they're doing things with your data.
Fourth, for free VPNs specifically: stop using them. A VPN that costs nothing is making money somehow, and the most profitable way is selling your browsing data to the same brokers a VPN is supposed to protect you from. According to research published by the CSIRO analyzing hundreds of free Android VPNs, a significant portion contained tracking libraries or malware. Pay for a VPN from a company with an audited no-logs policy, or don't use one.
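The Android permission audit from the first two steps can also be run from a computer instead of tapping through each screen. The following is an added example, not part of the original article: it parses text in the format of `adb shell dumpsys package` and lists which apps currently hold Location, Microphone, Contacts or Photos access, with "Always" location reported separately. The sample text and package names are constructed, and the line format is an assumption based on recent Android versions.

```python
import re

# Android permission names mapped to the audit categories named above.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "Location (precise)",
    "android.permission.ACCESS_COARSE_LOCATION": "Location (approximate)",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "Location (Always)",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.READ_MEDIA_IMAGES": "Photos",
}

# Assumed line shapes: a "Package [name] (id):" header per app, then
# "<permission>: granted=true|false, flags=[...]" under "runtime permissions:".
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def audit(dumpsys_text):
    """Return {package: sorted list of sensitive categories currently granted}."""
    findings, current = {}, None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PERM_RE.match(line)
        # Only count permissions that are granted right now, not merely requested.
        if m and current and m.group(2) == "true" and m.group(1) in SENSITIVE:
            findings.setdefault(current, set()).add(SENSITIVE[m.group(1)])
    return {pkg: sorted(cats) for pkg, cats in findings.items()}

# Constructed sample; package names and ids are made up for illustration.
SAMPLE = """\
Package [com.example.flashlight] (a1b2c3):
  userId=10123
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
Package [com.example.recipes] (d4e5f6):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for pkg, cats in audit(SAMPLE).items():
        print(f"{pkg}: {', '.join(cats)}")
```

To run it against a real phone, save the output of `adb shell dumpsys package` to a file and pass its contents to `audit()`; any app listed with "Location (Always)" is the first candidate for the "Never" or "While Using" setting.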
The Honest Limitation
Here's what I won't pretend: even if you do all of this, it won't make you invisible.
Doing a permission audit reduces your exposure. It doesn't eliminate it. Your data is already in dozens of broker databases from apps you used years ago. Other people's apps — your friends', your family's — share contact data that includes you. The advertising ecosystem has enough historical data on most adults that new collection is almost supplementary at this point.
This isn't permission to do nothing. Reducing the flow of new data matters, and the steps above genuinely help. But if you're expecting a technique that fully opts you out of the surveillance economy, it doesn't exist yet. The architecture wasn't built to accommodate that preference.
What you can do is make yourself a less easy target. That's a realistic goal. Full privacy, on a smartphone, in the current legal environment, is not.
Sources:
- Norwegian Consumer Council – Out of Control
- The New York Times – Twelve Million Phones, One Dataset
- CSIRO Research on Free VPNs
