{"id":10563,"date":"2022-03-13T11:00:46","date_gmt":"2022-03-13T11:00:46","guid":{"rendered":"http:\/\/TheNextWeb=1382450"},"modified":"2022-03-13T11:00:46","modified_gmt":"2022-03-13T11:00:46","slug":"who-is-policing-the-location-data-industry","status":"publish","type":"post","link":"https:\/\/www.londonchiropracter.com\/?p=10563","title":{"rendered":"Who Is policing the location data industry?"},"content":{"rendered":"\n

By: Alfred Ng and Jon Keegan<\/p>\n

\"Originally

There is an estimated $12 billion market of companies that buy and sell location data<\/a> collected from your cellphone. And the trade is entirely legal in the U.S.<\/p>\n

Without legislation limiting the location data trade, Apple and Google have become the de facto regulators for keeping your whereabouts private\u2014through shifts in transparency requirements and crackdowns on certain data brokers.<\/p>\n

Specifically, the app stores have cracked down on data brokers<\/a> that market software development kits (SDKs) to app developers\u2014like X-Mode (now known as Outlogic), which has come under scrutiny for selling data to military contractors. It\u2019s common for app developers to embed SDKs to add features to their apps without having to build them from scratch, but these SDKs specifically were designed to send app user location data to brokers.<\/p>\n

But experts and location data industry workers tell The Markup that the moves have been insufficient; there are plenty of loopholes in Apple\u2019s and Google\u2019s policies that allow location data to still be collected, even without using those SDKs.<\/p>\n

\u201cThe challenge, and this is a challenge with data brokers in general, is that you\u2019re playing whack-a-mole, where these companies have many different vectors through which they get people\u2019s sensitive information,\u201d Justin Sherman, a cyber policy fellow at the Duke Technology Policy Lab, said.<\/p>\n

What kinds of location data sales do Apple and Google allow for apps in their stores?<\/h2>\n

Apple and Google both have policies for companies selling location data. But it\u2019s not clear if the tech giants enforce those policies\u2014or even how they would do so.<\/p>\n

Apple\u2019s policy<\/a> requires apps to disclose what data they are collecting from people and how it can be used and to get consent from users before sharing their data. However, it doesn\u2019t require apps to disclose exactly who they are selling data to, and many apps simply state that they share<\/a> data<\/a> with<\/a> partners.<\/p>\n

For instance, when The Markup uncovered the fact that Life360 was selling location data to nearly a dozen location data brokers<\/a> in 2021, we relied largely on former employees of the company to tell us to whom and to what extent the company was selling data on its users\u2019 movements.<\/p>\n

Only two companies, of about a dozen, were mentioned in the app\u2019s privacy policy. The rest, according to CEO Chris Hulls, were hidden behind confidentiality clauses, which are common in the industry due to the competitive value of the data.<\/p>\n

That all appears to be in line with the Apple store policy.<\/p>\n

\u201cIn order to submit new apps and app updates, you need to provide information about some of your app\u2019s data collection practices on your product page,\u201d Apple says<\/a> in its privacy policy for developers. \u201cWith iOS 14.5, iPadOS 14.5, and tvOS 14.5 and later, you\u2019re required to ask users for their permission to track them across apps and websites owned by other companies.\u201d<\/p>\n

For location data specifically, once the user has granted permissions, Apple\u2019s policy notes that people are subject to apps\u2019 privacy policy and practices<\/a>, which can include selling their data.<\/p>\n

Google\u2019s policy<\/a> goes a step further, stating that developers cannot sell personal and sensitive user data, which includes device location. The company also requires disclosure, telling developers that they \u201cmust be transparent in how you handle user data.\u201d<\/p>\n

Some policies are easy to audit (though not necessarily enforce<\/a>), like Apple\u2019s and Google\u2019s ban on X-Mode\u2019s SDKs. But the companies don\u2019t give any indication of how they would  enforce these rules around other methods of data collection that the very same banned brokers are using, like buying data directly from app publishers.<\/p>\n

\u201cGoogle Play\u2019s policy explicitly prohibits apps that collect sensitive and personal user data from selling it,\u201d Google spokesperson Scott Westover said in a statement when we asked about how Google enforces against location data sales.<\/p>\n

Apple didn\u2019t respond to The Markup\u2019s requests for comment but in the past has also given vague statements on how it deals with server-to-server transfers from data brokers.<\/p>\n

When we reached out for an earlier story<\/a> to ask Apple about direct server transfers from X-Mode while the broker\u2019s SDK was banned, Apple spokesperson Adam Dema responded, \u201cWe do not allow apps to surreptitiously build user profiles based on collected user data. Apps found to be using the X-Mode SDK are required to remove it or risk removal from the App Store altogether.\u201d<\/p>\n

And despite Google\u2019s policy against selling location data, the company hasn\u2019t explained how it would detect developers directly selling the data. Google didn\u2019t answer why Life360 was able to sell location data when we reached out for comment in November. In January, Google simply restated the company\u2019s policy when we followed up asking about X-Mode\u2019s direct server transfers.<\/p>\n

Neither spokesperson addressed questions about how the companies can hope to enforce their policies and how they figure out what apps are doing with user location data, even as data brokers increasingly turn to less traceable ways to get location data from apps.<\/p>\n

How can data brokers get around Apple\u2019s and Google\u2019s policies?<\/h2>\n

Workers in the location data industry told The Markup that data brokers are increasingly collecting data directly from app developers instead of relying on SDKs, which often leave a digital footprint. And it\u2019s unclear how Apple and Google could even monitor how apps are sharing and selling data once they obtain it.<\/p>\n

\u201cLooking at SDKs is one way to try and protect people\u2019s privacy against data brokers. But you also have to look at all the other ways that it happens, including through commercial transactions, where Company A says to Company B, we\u2019re going to sell you this dataset on people\u2019s GPS location,\u201d Sherman said.<\/p>\n

The Markup found that the family safety app Life360 had agreements to directly transfer location data about its users to some of its data customers\u2019 servers. A former Life360 employee told us the data they supplied to Cuebiq was refreshed every five minutes, and a former X-Mode employee told us they had a daily process to pull fresh data from Life360 to their servers. The former employees spoke on the condition of anonymity because they both still work in the data industry.<\/p>\n

After The Markup\u2019s report, Life360 announced<\/a> it would end those relationships and stop selling precise location data to all brokers except for Allstate\u2019s Arity, but would continue to sell aggregated location data to Placer AI.<\/p>\n

Two former X-Mode employees told The Markup the company has long used direct server transfers to scoop up location data from app developers and that more data came in this way than through the company\u2019s SDK. The former X-Mode employees spoke to The Markup on the condition that we not use their names because they are still involved in the data industry.<\/p>\n

And The Wall Street Journal reported that after Google\u2019s and Apple\u2019s ban of its SDK, X-Mode leaned into this method of collecting data<\/a>.<\/p>\n

A developer who used to sell location data to X-Mode also told The Markup that he had received many offers from other data brokers to share data through direct server-to-server transfers. The developer spoke to The Markup on the condition of anonymity because of a confidentiality clause in his contract with X-Mode.<\/p>\n

X-Mode is not the only broker using this method.<\/p>\n

In an email sent to an app developer and reviewed by The Markup, Veraset, a location data broker that is a subset of the company SafeGraph, pitched that the developer could \u201csend data to Veraset server-to-server (no need to install or maintain an SDK).\u201d The pitch also noted that apps can make from $12,000 to $1 million a year for sending their users\u2019 location data to the company.<\/p>\n

What Could Apple and Google Do to Clamp Down on Location Data Sales?<\/strong><\/h2>\n

Researchers say that Apple and Google could take some steps to better inform users of what\u2019s happening to their data\u2014but that a real clampdown on data sales would have to come from government intervention.<\/p>\n

\u201cThe only thing the app store can detect is whether the app contains various SDKs or, when you run it, does it send the data to various third-party servers,\u201d Serge Egelman, a researcher at UC Berkeley\u2019s International Computer Science Institute, said. \u201cThat\u2019s pretty much the extent to what anyone can detect using technology. The rest comes down to a policy issue.\u201d<\/p>\n

He said that Apple and Google could enforce policies against location data brokers by requiring apps to disclose who they sell user data to if they want to be in their app stores. But a policy like that would also rely heavily on the honor system.<\/p>\n

\u201cIf they do lie in those responses, there\u2019s no one who can really audit them,\u201d Egelman said. \u201cIf there are contractual relationships with these companies and third parties, whereby they give the data directly from their servers after they\u2019ve received it from the apps, there\u2019s no real way of detecting that. There\u2019s not much that Apple or Google can do.\u201d<\/p>\n

Without government regulation, the current approach from Apple and Google is to play catch-up with data brokers for each new  way that location data can be shared, experts said.<\/p>\n

For example, while app developers could potentially lie to Apple and Google without any way to audit the companies, they face a bigger risk if they violate laws like the European Union\u2019s General Data Protection Regulation<\/a>.<\/p>\n

The law, which requires companies to disclose all third parties who could receive a person\u2019s data, could be a stronger check on direct server transfers than app store scrutiny.<\/p>\n

\u201cIf the developer decides to directly collect the data and then sell it to another company \u2026 it would be a bit more tricky for users to be aware that this data is collected in order to be sold to another company,\u201d Esther Onfroy, co-founder of Exodus Privacy, a tool that audits Android apps for trackers by seeking SDKs, said. \u201cWith the GDPR, when you decide to collect location data, you as a developer, you have to say that, \u2018I will be collecting your location data and it will be sent or collected directly by this third party or by this partner,\u2019 and you can refuse.\u201d<\/p>\n

The U.S. doesn\u2019t have a federal data privacy law, though some states, like California, have their own regulations. California\u2019s privacy law<\/a>, however, requires companies to disclose only the categories of third parties who receive data, not the data brokers specifically.<\/p>\n

\u201cWhack-a-mole can work eventually maybe, but it\u2019s more effective to have a systemic regulatory governance approach to this issue,\u201d Duke\u2019s Sherman said.<\/p>\n

This article was originally published on The Markup<\/a> and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives<\/a> license.<\/a><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

By: Alfred Ng and Jon Keegan There is an estimated $12 billion market of companies that buy and sell location data collected from your cellphone. And the trade is entirely legal in the…<\/p>\n","protected":false},"author":1,"featured_media":10564,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/posts\/10563"}],"collection":[{"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10563"}],"version-history":[{"count":0,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/posts\/10563\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/media\/10564"}],"wp:attachment":[{"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10563"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10563"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}