- Apr 24, 2016
Think that your innocent-looking weather app is not tracking you on your way to a doctor's appointment? Well, maybe it's true, but you can't be so sure nowadays. Let's assume that it does track you, but then what becomes of all that data? Surely it's not falling into the hands of some third-party actors that are abusing it. Oh, wait.
In a scoop that is certain to add fuel to the already raging debate about abortion rights in the US, Motherboard has revealed that it bought location data on people who visited more than 600 Planned Parenthood centers around the country, paying a mere $160 for a week's worth of data. Some of the centers offer abortion. The data showed where the people traveled from, how long they were at the location, and where they went after the visit.
The purchase was made possible by SafeGraph, a company that is notorious for selling location data in bulk to the US public health agency (CDC) and to The New York Times.
So how exactly does SafeGraph get access to user location data? The answer is in plain sight. The company harvests this sensitive information from the apps that use its software development kit (SDK). App developers are fond of SDKs because they make their lives easier, sparing them the cost of developing features from scratch, a location-tracking feature for instance. In the case of the SafeGraph SDK, that is precisely what happened. Say you enable a geo-tracking feature in your weather app. Rest assured: the SafeGraph SDK would inherit this permission.
After helping the apps to pinpoint and track location, SafeGraph repackaged this information and sold it as a separate product to anybody who was willing to pay for it, and, apparently, for peanuts.
Users, as often happens in such cases, were most likely unaware of this scheme. The SafeGraph SDK was embedded not only in weather, travel and sports apps. The majority of its clients were forums that cater to a broad range of interests, from cars to psychology and even plastic surgery.
Thus, if you granted such an app permission to use your location, SafeGraph could also receive this data. Note that many of the most popular apps that contain SafeGraph have been downloaded more than 10,000 times. Among the top apps that contain SafeGraph are a basketball forum (RealGM Forum), a forum for firearms enthusiasts (Ruger Forum), an off-road travel forum (SA 4x4 Community Forum), and an Apple products discussion forum (iMore Forums), and the list goes on.
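An SDK inherits the location permission because Android grants permissions to the app as a whole, so every library bundled into it runs with the same grants. The following audit sketch is an added example, not code from the article or from any vendor: it assumes the APK's manifest has already been decoded to text XML and its class names extracted, and the sample app and the `com.vendor.locationsdk` namespace are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LOCATION_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}

# Constructed sample input: decoded manifest and class list of a hypothetical weather app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
SAMPLE_CLASSES = [
    "com.example.weather.MainActivity",
    "com.example.weather.ForecastService",
    "com.vendor.locationsdk.Collector",  # hypothetical third-party SDK
    "com.vendor.locationsdk.Uploader",
    "androidx.core.app.ActivityCompat",
]

def location_permissions(manifest_xml):
    """Return (app package, sorted location permissions the manifest requests)."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return root.get("package"), sorted(requested & LOCATION_PERMISSIONS)

def bundled_namespaces(app_package, class_names, depth=3):
    """Group classes that live outside the app's own package by namespace prefix."""
    found = set()
    for name in class_names:
        if name == app_package or name.startswith(app_package + "."):
            continue  # the developer's own code
        parts = name.split(".")[:-1]  # drop the class name itself
        found.add(".".join(parts[:depth]))
    return sorted(found)

def audit(manifest_xml, class_names):
    """List bundled namespaces that share the app's location grant, if it has one."""
    package, perms = location_permissions(manifest_xml)
    namespaces = bundled_namespaces(package, class_names) if perms else []
    return {"package": package, "location_permissions": perms,
            "can_use_location": namespaces}

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, SAMPLE_CLASSES))
```

Every namespace in `can_use_location` is able to call the location APIs once the user taps "Allow"; whether it actually does so requires inspecting that library's code or the app's network traffic.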
We have only briefly touched on the possible applications of this method of data collection. That does not mean you can feel safe if you don't visit the aforementioned locations. It will be possible to obtain information on any places that you frequent from your data — the technology allows it.
"How not to get into such a situation?" you may ask. There's no need to become paranoid and throw away your phone. We have always called on users to grant only the most essential permissions to their apps. Isn't it strange, when, say, a weather app requests your call history? And if the app really requires this data — and there are many such apps — then you need to protect yourself.
At present, AdGuard blocks the collection of data through this particular SDK. Moreover, the list of blocked threats is being updated on a regular basis. We constantly monitor new threats to users' confidentiality and block them, which allows us to limit the risks stemming from unscrupulous data collectors.