A Guide to Catalina’s Privacy Protection: 5 Location

Of all the privacy protections in macOS, Location Services is the most complex, and is the only one which is managed not by TCC but by its own service, locationd. It’s also unique in that, when its services are enabled, location data are invariably shared in iCloud, a feature which can’t be controlled in the normal iCloud settings. The only way that you can stop the sharing of locations across your iCloud-connected devices is to turn the whole service off, which is also true for your iOS and iPadOS devices.

Although it may seem tempting to disable Location Services altogether, that augmented privacy comes at the cost of some valuable services. In particular, Find My… and Activation Lock depend on it, and many system services and apps benefit from Location Services being enabled.

The Location Services list in the Privacy tab of the Security & Privacy pane is the most complex of all its lists, and nests many of its controls in its final item, System Services. Above that are listed the apps whose access to your location data you control directly.


Unusually, the About Location Services & Privacy button drops a sheet down which contains a mixture of help and privacy information, which is worth reading to give you better insight into what’s managed and how data is shared. It points out one important message: by giving a third-party app access to your location, that app’s vendor is in control of your location data in accordance with their terms and privacy policies, not those of Apple. If your location data are sensitive, then you shouldn’t give third-party apps access to it unless you can be confident that they will protect it appropriately.

Further important controls are revealed in another drop-down sheet when you click on the Details… button for System Services. This lists some of the purposes for which macOS uses location data, giving you fine control over each of them.


The final layer in this onion-like feature is revealed when you click on the Details… button next to Significant Locations: a full listing of all those locations which macOS considers to be ‘significant’. On a static Mac with mobile iOS devices, those are largely based on location data gathered from those devices, and are echoed in similar lists on each of those iOS devices.


If you’ve never inspected these Significant Locations, you may be shocked at how much detail they contain: exact location, shown here on a local street map, with time periods, over the last year or more. It’s possible to reconstruct a lot of your life and activities from them. This sheet allows you to remove records too, in case you don’t want anyone to know where you’ve been at any particular time.

If these controls and this sensitive information aren’t managed by TCC, what is behind them? The answer is the system service locationd and its database, locked away under the protection of root permissions in /var/db/locationd. The official description of locationd is that it obtains geographic location data and manages access to it. When you’re prompted to give access to location data, that’s CoreLocationAgent in action on its behalf. Apps which can ask for location data from Location Services should have the com.apple.security.personal-information.location entitlement and an NSLocationUsageDescription string, both of which you can check using Taccy. You’ll also notice that Location Services are sometimes identified using their internal name, Liverpool.

The /var/db/locationd directory contains one file which is simple to read and holds important information, clients.plist, and various opaque data files. A sub-directory /Library has a surprising collection of scripts, cached data, and private keychains too.

clients.plist is a standard Property List which contains a dictionary of all the apps and other software which could access Location Services data. Those which are currently granted access contain the key Authorized. In general, these should match apps and other items in the Location Services list in the Privacy tab, although that doesn’t apply to public or private frameworks which are included. There’s also a flag available for the key Hide which suggests that some apps or services can be given access to locations but won’t be displayed in the Privacy pane.
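As an added example (not from the original article), here is a small read-only audit script for clients.plist built on the structure described above: a dictionary of clients, each carrying an Authorized key and possibly a Hide flag. The exact layout of the real file is an assumption, so the script embeds a constructed sample in that shape and only reads the real file if you pass its path.

```python
import plistlib
import sys

# Constructed sample in the shape the article describes. The real clients.plist
# is root-only and may be binary; plistlib.loads handles both XML and binary.
SAMPLE_CLIENTS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.Maps</key>
  <dict><key>Authorized</key><true/></dict>
  <key>com.example.weather</key>
  <dict><key>Authorized</key><true/><key>Hide</key><true/></dict>
  <key>com.example.notes</key>
  <dict><key>Authorized</key><false/></dict>
</dict>
</plist>
"""


def audit_location_clients(plist_bytes):
    """Return one record per client: identifier, Authorized flag, Hide flag."""
    clients = plistlib.loads(plist_bytes)
    report = []
    for ident, entry in clients.items():
        if not isinstance(entry, dict):  # skip any non-client top-level keys
            continue
        report.append({
            "client": ident,
            "authorized": bool(entry.get("Authorized", False)),
            "hidden": bool(entry.get("Hide", False)),
        })
    return report


def hidden_authorized(report):
    """Clients granted access but flagged Hide, i.e. not shown in the Privacy pane."""
    return sorted(r["client"] for r in report if r["authorized"] and r["hidden"])


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:  # e.g. /var/db/locationd/clients.plist, needs root
            data = fh.read()
    else:
        data = SAMPLE_CLIENTS_PLIST
    report = audit_location_clients(data)
    for r in sorted(report, key=lambda r: r["client"]):
        print(f"{r['client']:40s} authorized={r['authorized']} hidden={r['hidden']}")
    for ident in hidden_authorized(report):
        print(f"WARNING: {ident} has location access but is hidden from the Privacy pane")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with `sudo python3 audit_locationd.py /var/db/locationd/clients.plist` to compare the authorized clients against what the Privacy pane shows; entries flagged as hidden are the ones worth a second look.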

Although this Property List has root permissions, some users have edited it successfully, to give them better control over some of the apps which have access to location data. Normally this shouldn’t be necessary, as all apps and services should be exposed in the Privacy pane’s controls.

Overall, Catalina gives users the control they need over access to location data except for the overriding fact that, when Location Services are enabled, they’re inevitably shared across all devices connected to the same iCloud account. This is a potential security risk, as it could be used by an unfriendly and prying app running on your Mac to gain access to data gathered on your iPhone, for example. Users don’t appear to have any ability to segregate their location data between different devices which are connected to the same iCloud account. If you want to do that, you’ll have to use more than one iCloud account, which brings its own disadvantages. Apple really does seem to want you to collect and share location data.

I’m very grateful to Rafael for pointing me in the right direction here.