Location Data Firm Got GPS Data From Apps Even When People Opted Out

Huq, an established data vendor that obtains granular location information from ordinary apps installed on people’s phones and then sells that data, has been receiving GPS coordinates even when people explicitly opted-out of such collection inside individual Android apps, researchers and Motherboard have found.

The news highlights a stark problem for smartphone users: that they can’t actually be sure if some apps are respecting their explicit preferences around data sharing. The data transfer also presents an issue for the location data companies themselves. Many claim to be collecting data with consent, and by extension, in line with privacy regulations. But Huq was seemingly not aware of the issue when contacted by Motherboard for comment, showing that location data firms harvesting and selling his data may not even know whether they are actually getting this data with consent or not.

“This shows an urgent need for regulatory action,” Joel Reardon, assistant professor at the University of Calgary and the forensics lead and co-founder of AppCensus, a company that analyzes apps, and who first flagged some of the issues around Huq to Motherboard, said in an email. “I feel that there's plenty wrong with the idea that—as long as you say it in your privacy policy—then it's fine to do things like track millions of people's every moment and sell it to private companies to do what they want with it. But how do we even start fixing problems like this when it's going to happen regardless of whether you agree, regardless of any consent whatsoever.”

In recent years, both Apple and Google have given users more control over which permissions they give to specific apps. In the case of Huq, the Android-level permissions to allow or block Huq-affiliated apps access to GPS data are working as expected, but settings within the apps include options for opting-out of that location data then being shared with others. These app-level data sharing opt-outs are being ignored, according to the AppCensus’ and Motherboard’s tests.

Huq is based in the UK and claims to collect and process over one billion mobility events every day, and says it sources that data from 161 different countries, according to the company’s website. Like many other firms in the location industry, Huq sells access to or products based upon that harvested location data to a range of different sectors, including local governments, financial investors, retail, and real-estate, its website adds. An article from the Financial Times published earlier this month about UK drivers flocking to petrol stations used data from Huq.

Huq obtains this data by paying app developers to include its software development kit (SDK) in apps, a bundle of code that transfers location data to Huq. Huq sources data from both iOS and Android devices.

“Join our Partner Network today and earn ad-free revenue for your mobile apps,” a section of Huq’s website where app developers can apply reads. “It’s fast, privacy-secured and financially rewarding for your mobile app business.” The site adds that developers can “begin earning” after a decision is made by Huq within 7 days. (The Google Play Store prohibits app developers selling personal or sensitive data collected via their apps, including location data; Google has banned other location vendors that bought location data such as X-Mode and Predicio after Motherboard’s reporting).

Huq does not publicly say which apps it has relationships with. Earlier this year Motherboard started to investigate Huq by compiling a list of apps that contained code related to the company. Some of the apps have been downloaded millions or tens of millions of times, including “SPEEDCHECK,” an internet speed testing app; “Simple weather & clock widget,” a basic weather app; and “Qibla Compass,” a Muslim prayer app.

Independently, Reardon and AppCensus also examined Huq and later shared some of their findings with Motherboard. Reardon said in an email that he downloaded one app called “Network Signal Info” and found that it still sent location and other data to Huq after he opted-out of the app sharing data with third parties.

Motherboard also downloaded the Network Signal Info app and intercepted its traffic. Motherboard granted the app the relevant Android permission to access location data in the first place, but selected a setting in the app that should have stopped the transfer of that data to other companies. Motherboard saw that even when the option in the app’s settings said no data would be shared with third parties, the app still sent location information to Huq. The data included precise GPS locations of the phone, timestamps, and the name of the WiFi network the device was connected to and other nearby WiFi networks.

“Data collection is disabled, there will be no data shared with third parties,” the setting read. That was false.

Reardon said he also observed similar behavior from another app called “QR & Barcode Scanner” with 5 million downloads. Reardon shared a capture of the traffic between his device and Huq; the transfer of location data names the app specifically.

“Again never consented, escaped the screen after seeing it,” Reardon wrote in an email.

KAIBITS Software GmbH, the developer of Network Signal Info, did not respond to requests for comment. Neither did AppSourceHub, the company behind QR & Barcode Scanner.

On its website Huq says that its direct, first-party relationship with apps “allows us to guarantee control over data quality and the collection of end-user consent.” But in an email to Motherboard, Huq Chief Technology Officer Isambard Poulson said app developers are the ones responsible for obtaining that consent.

“Our SDK should only be initialised when users provide consent. The app developer is responsible for the implementation of their own consent management system,” Poulson wrote. Poulson said Huq has not yet verified that Network Signal Info is sending data to Huq without consent, but that the company is investigating and will work with the app publisher to fix any issue.

“We work with our publishers regularly to check their consent processes and guide them on best practices. If issues are found then we consult with the publisher to rectify them,” Poulson said in another email.

In a letter sent to the Danish Data Protection Authority (DPA) earlier this year, Huq said it performs automated testing on a monthly basis to ensure compliance by participating apps. Motherboard also tested an earlier version of the Network Signal Info app from 2020 and found it also sent location data to Huq after opting-out, raising further questions on how effective Huq’s own compliance efforts are.

When asked if Huq’s dataset is compliant under the General Data Protection Regulation (GDPR)—Europe’s privacy legislation—or the California Consumer Protection Act (CCPA)—the state’s own privacy law—Poulson said “Our systems and processes are compliant with relevant regulations and if issues arise then we work with our partners to remedy them.” In order for the data processing to be legal under the GDPR, personal data should be processed on the basis of consent of the data subject—that is, the app user—or some other legitimate basis. Under CCPA, consumers have a right to demand companies stop using their data in certain ways and companies must follow this demand.

Johnny Ryan, a fellow at the Irish Council for Civil Liberties and formerly chief policy officer of the Brave web browser, said the issue of Huq receiving location data without consent “reflects a wider pattern of behaviour.”

“The industry standard consent system (IAB Transparency and Consent Framework) has no technology built in to it to stop data being passed around, so it does not matter what people click. In other words, the mere appearance of control,” he added.

Google told Motherboard in a statement that “We are aware of the report and are investigating.”

Google also said the company is updating its policies to prohibit linking persistent device identifiers to personal and sensitive user data or resettable device identifiers unless they are being used for pre-approved use cases. A resettable device identifier might include an Android advertising ID, a unique code provided by Google that advertisers often use to cross-correlate activity; Android users can reset their advertising ID in their device settings. Google said those changes would come into effect on October 28.

Subscribe to our cybersecurity podcast CYBER, here. Subscribe to our new Twitch channel.