Edgar Cervantes / Android Authority
TL;DR
- Hackers have stolen a database that appears to include location data from tens of millions of devices.
- This location info seems to have originated from the ad-bidding process used by popular apps.
- While the FTC has already attempted to limit the ability of companies to gather this data, more work is needed.
Of all the types of personal information that we like to limit who gets access to, location data has to be right up there at the top of the list. This is exactly why platforms like Android try to be very explicit with privacy permissions, offering users transparency over how apps are able to read their location. But now a concerning new report is shining a spotlight on ways that third parties have been taking advantage of many popular apps to follow our movements.
When you’re using an app like Tinder, granting permission to your location makes perfect sense; the app wants to connect you with people in your area, so it has to know where everybody is. And if you’re smart, you take a moment to read through the app’s data management policies, clarifying exactly what it intends to do with your location info, and how long it plans to save it. But how much attention do you pay to the advertisements that run within these apps?
As outlined in an exposé by 404 Media (via Wired), Gravy Analytics is a data collection firm that’s part of the modern advertising ecosystem that uses real-time bidding (RTB), a process where apps sell advertisers access to your eyeballs as you use the software.
To help target you with relevant messages, and ensure that you’re part of the audience the advertiser is interested in, apps share your info with potential advertisers as part of this bidding process — and that can include location information. Not all of it necessarily comes from anything as explicit as GPS data; it likely involves a mix of sources, including your IP address.
It turns out that Gravy’s been collating vast swaths of this RTB demographic info and compiling its own database, available to clients interested in paying for access to your location data. Now this is all coming to light thanks to Gravy getting hacked, and the hackers sharing datasets revealing the scope of this ad-driven surveillance.
Developers behind individual apps likely had no idea any of this was going on, but a spreadsheet of affected apps paints the picture of this being an industry-wide problem, touching popular titles like Candy Crush and Microsoft 365. The FTC has already pushed back against the ad industry using location data for purposes like this, including Gravy in particular, but its efforts to curtail the practice clearly need a bit more work.