Location Data Firm Got GPS Data From Apps Even When People Opted Out

Huq, an established data vendor that obtains granular location information from ordinary apps installed on people's phones and then sells that data, has been receiving GPS coordinates even when people explicitly opted-out of such collection inside individual Android apps, researchers and Motherboard have found. From a report: The news highlights a stark problem for smartphone users: that they can't actually be sure if some apps are respecting their explicit preferences around data sharing. The data transfer also presents an issue for the location data companies themselves. Many claim to be collecting data with consent, and by extension, in line with privacy regulations. But Huq was seemingly not aware of the issue when contacted by Motherboard for comment, showing that location data firms harvesting and selling his data may not even know whether they are actually getting this data with consent or not.

"This shows an urgent need for regulatory action," Joel Reardon, assistant professor at the University of Calgary and the forensics lead and co-founder of AppCensus, a company that analyzes apps, and who first flagged some of the issues around Huq to Motherboard, said in an email. "I feel that there's plenty wrong with the idea that -- as long as you say it in your privacy policy -- then it's fine to do things like track millions of people's every moment and sell it to private companies to do what they want with it. But how do we even start fixing problems like this when it's going to happen regardless of whether you agree, regardless of any consent whatsoever."

Raises hand ...

[fahrbot-bot]

... they can't actually be sure if some apps are respecting their explicit preferences around data sharing.

Um, doesn't (shouldn't) the OS restrict that access rather than relying on apps to "respect" those settings? If not, why not, 'cause that's the way it should work.

Re:

[fahrbot-bot]

... they can't actually be sure if some apps are respecting their explicit preferences around data sharing.

Um, doesn't (shouldn't) the OS restrict that access rather than relying on apps to "respect" those settings? If not, why not, 'cause that's the way it should work.

Adding: Presuming the data is via some permission that can be controlled on the device and not data the app needs to operate but the user has opted out of sharing upstream. Circumventing the former is an OS problem, the latter an app-dick-move problem.

Re:

[rgmoore]

Circumventing the former is an OS problem, the latter an app-dick-move problem.

This is a good summary. The OS obviously can't stop the apps from breaking their own promises, but the app store should. If an app promises not to share your data but does, the company should be kicked out of the app store and not allowed back. It's the only way to make app makers take this kind of thing seriously.

Re:

[rgmoore]

Um, doesn't (shouldn't) the OS restrict that access rather than relying on apps to "respect" those settings?

This isn't about the OS level permissions regarding location information. This is about the app's own promise not to share that information. If there's an app that has legitimate need for your location and for internet access, there's nothing the OS can do to enforce the app's promises about what it will do with the data.

Re:

[fahrbot-bot]

Um, doesn't (shouldn't) the OS restrict that access rather than relying on apps to "respect" those settings?

This isn't about the OS level permissions regarding location information. This is about the app's own promise not to share that information.

Thanks for confirming that. I actually followed up to my own comment to include/ask about this situation.

Re:Raises hand ...

[Anubis IV]

I had the same question, so I skimmed the article and found this, which answers what’s going on:

In recent years, both Apple and Google have given users more control over which permissions they give to specific apps. In the case of Huq, the Android-level permissions to allow or block Huq-affiliated apps access to GPS data are working as expected, but settings within the apps include options for opting-out of that location data then being shared with others. These app-level data sharing opt-outs are being ignored, according to the AppCensus’ and Motherboard’s tests.

Re:

[fahrbot-bot]

I had the same question, so I skimmed the article and found this, which answers what’s going on:

In recent years, both Apple and Google have given users more control over which permissions they give to specific apps. In the case of Huq, the Android-level permissions to allow or block Huq-affiliated apps access to GPS data are working as expected, but settings within the apps include options for opting-out of that location data then being shared with others. These app-level data sharing opt-outs are being ignored, according to the AppCensus’ and Motherboard’s tests.

Thanks, I missed that.

Re:

[Aging_Newbie]

I turn off location in the settings and I think that kills everything. Then if I need a map or something I want, I turn location on, use it, and turn it off. I get plenty of spam, and don't need location based spam too.

Laws without teeth are merely suggestions

[frdmfghtr]

"This shows an urgent need for regulatory action," Joel Reardon, assistant professor at the University of Calgary and the forensics lead and co-founder of AppCensus, a company that analyzes apps, and who first flagged some of the issues around Huq to Motherboard, said in an email.âoe

Laws, regulations, rulesâ¦mere words unless there are real, enforceable consequences that actually HURT the offender. âoeOh no, we got hit with a multi-million dollar fine? Oh no what will we do? Now excuse me while I rake in billions in revenue to pay this pocket-change fine.â

Two strikes. Thatâ(TM)s all you get. First strike, 50% of the highest yearly revenue in the companyâ(TM)s history. Second strike, 100% fine and dissolution. Make it hurt.

Re:

[usedtobestine]

But it has to be the corporate death penatly, just allowing their assets to be purchased in a bankruptcy auction won't solve the problem.

Re:Laws without teeth are merely suggestions

[nicolaiplum]

In fact, allowing assets to be purchased when the company is dissolved makes the problem much, much worse. A dead company cannot attach conditions to the sale of its assets including its data, so if one of these personal data hoovering companies goes bust, even worse companies can buy their data and use it without any conditions except legal limitations.

That's why this needs to be regulated by national law, and collecting this sort of data to sell onwards needs to be entirely illegal.

Huq?

[Mister Transistor]

They should have known, it's right in the name!

Huq would be pronounced "Huck" as in "Huckster"!

Also, as far as I'm concerned, if an app requests system permission for something, assume the worst. Just because they "promise not to be evil" today, it may not be the case tomorrow, or with a new management someday.

No, if an app requests permission, it's fair to assume they will (ab)use it as far as they are able.

Re:

[Mister Transistor]

Alright, this is truly weird. In my personal profile, it shows a double print (duplicate) of the last 2 posts I made, prior to this one. IOW I had my most recent post from another thread in my profile, then after making the above post, I now see TWO of the older post from the other topic, instead of seeing the above post! I believe my profile is public so people can see it, if you don't believe it, check it out here:

https://slashdot.org/~Mister+T... [slashdot.org]

Something with the post database is fucked up somehow, a

Re:

[Mister Transistor]

Wow, it got even weirder.

The above post didn't show up AT ALL in my profile! The "most recent" post shown is the one from the other thread (the duplicate) but now it's different. The post title is duplicated, but the body is not. It shows the 2nd post down's body, but the title of the post is a dupe of the most recent, well the one at the top.

More disturbing, the duplicated post title of the 2nd post in my profile appears as the actual post title in the big thread to which it was posted, so the indexing

XKCD

[VeryFluffyBunny]

Why install apps at all? Don't most things work pretty well or usually better in web pages? Remember... https://xkcd.com/1367/ [xkcd.com] - "I felt pretty clever until I realised I'd invented web pages."

Permission and selling

[Majestic Fear]

Simple way to know if someone opted in. If the company is selling the data then no the person did not opt in.

A bit of a reality check

[Ol Olsoc]

Expect that if you have a smartphone, your GPS data will go somewhere. Always.

Expect that if you opt out of GPS tracking data being sent, you are more likely to have it collected.

Understand that if you are doing something where you don't want to be tracked, you turn your phone off, and place it in a metal box.

a It's a simple matter, really. Unless you see the code, and see who your phone is communicating with, you are placing a whole lot of trust in something that might be doing just about anything.

Y