If you assumed your phone's location was only shared when an app asked for permission, here's an uncomfortable reality check. Researchers at the Citizen Lab have identified two separate surveillance vendors who were caught abusing access to the backbone of cellular networks to quietly track people's physical locations - no app download required, no permission prompt in sight.

What actually happened

According to reporting by TechCrunch, the Citizen Lab found evidence that these vendors were exploiting legitimate-seeming access to telecom infrastructure to spy on victims spread across multiple countries. The details are technical, but the takeaway isn't: if you have a phone on a cellular network, the architecture that keeps you connected can also be used against you - and you'd have no way of knowing.

The part that makes this particularly unsettling is that this isn't a software vulnerability in the traditional sense. It's a misuse of access that already exists within the system, which makes it far harder to patch with a simple update.

Why this matters beyond the headlines

Stories about surveillance companies tend to fade fast - they feel abstract, like something that happens to activists or politicians in other countries. But the Citizen Lab's findings point to something broader. The commercial surveillance industry has been quietly expanding its toolkit, and telecom infrastructure is increasingly part of that arsenal.

Most of us never think about what actually happens when our phone pings a cell tower. That invisible layer - the signaling protocols that route calls, texts, and data - has known vulnerabilities that researchers have flagged for years. What's new here is documented evidence of vendors actively exploiting it against real people.

What you can (and can't) do

Honestly? There's no consumer-level fix here. You can't opt out of SS7 (the decades-old signaling system at the heart of this kind of tracking) the way you can turn off location services. This is infrastructure-level, and meaningful change requires pressure on telecoms and regulators to actually enforce who gets access to these systems and how.

That said, knowing this kind of tracking exists is genuinely useful. It reinforces why conversations about surveillance reform matter - not just for journalists or dissidents, but for anyone with a phone in their pocket. Which, at this point, is basically everyone.

The Citizen Lab's work serves as another reminder that the fight for digital privacy isn't just about your apps. It runs a lot deeper than that.