Last week, Google sent a seven-day warning to app developers on its Android platform telling them to remove code from location data broker Predicio or face having their apps removed from the Play Store, Google told Motherboard on Monday.
Predicio is a France-based firm that pays app developers for access to their users' granular location data and then sells that data to its own clients. Predicio is part of a complex supply chain connected to Venntel, a U.S. government contractor that has sold location data to law enforcement agencies such as Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP).
The news signals a continuing crackdown from the two mobile platform giants around companies that buy location data from apps. The move comes after Motherboard published an investigation showing that Salaat First, a Muslim prayer app downloaded more than 10 million times, sold location data to Predicio without users' knowledge or consent.
Do you work at Predicio, X-Mode, Venntel, or one of the apps mentioned in this piece? Did you used to, or know anything else about the location data industry? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Google told Motherboard that if app developers don't remove the Predicio software development kit (SDK)—the bundle of code that Predicio uses to collect location data—their app will be removed from the Play Store. Motherboard previously found Predicio's SDK was called Telescope.
"We build the most accurate mobile data products available," since-deleted documentation for the SDK that Motherboard found online read. The Play Store prohibits app developers from selling personal or sensitive data collected via their apps, including location data.
A source provided Motherboard with a large dataset of precise geolocations of users of apps that had the Predicio SDK embedded within them. Some of that data showed a user of Salaat First walking through a park a few blocks south of an Islamic cultural center. Multiple other examples showed users near mosques.
Motherboard also reverse engineered individual apps to find others that had the Predicio SDK installed. They included weather app Weawow, which removed the code after originally being approached for comment. The developer of Salaat First also removed the code themselves as a precaution in December, they previously said.
In December, Motherboard and Norwegian media organization NRK showed how Predicio was connected to a supply chain that funneled data from individual apps, through SDK providers and middlemen firms, before ending up with mobile advertising firm Gravy Analytics and its subsidiary Venntel. In one document, Gravy said it obtained data from Predicio.
After Motherboard's and NRK's article, Predicio briefly took its website offline. When it returned, it included a new disclaimer trying to distance itself from the tracking of religious groups.
"Predicio does not support any governmental, commercial, or private use cases that aim to use business intelligence data to identify ethnic, religious, or political groups for human tracking or people identification of any sort. We do not tolerate the abuse of our solutions for the use cases that do not follow our global moral, social, and ethical code of conduct," the message read. The message did not mention that Predicio was, still at that time, collecting location data from an explicitly Muslim-focused app.
Predicio did not respond to a request for comment on Google's actions.
In December, Google and Apple both banned X-Mode, another location data SDK, from their app stores. That move came after Motherboard showed X-Mode was gathering data from Muslim Pro, a prayer app with more than 98 million downloads, and that X-Mode was selling data to military contractors, and by extension, U.S. military intelligence. The ban was mostly successful, although Google missed around two dozen apps that were still sending data to X-Mode before removing them this month. Last month Motherboard reported how five more Muslim-focused apps had a relationship with X-Mode.
Both Predicio and X-Mode operated for years, however, before Apple and Google enforced their own policies around the sale of personal data.
A memo provided by the Defense Intelligence Agency to the office of Senator Ron Wyden said that staff at the agency had been granted permission to query similar U.S. location data without a warrant five times in the past two and a half years, The New York Times reported.
"Google’s announcement is more proof that Americans won’t put up with shady data brokers siphoning information from Americans’ apps and selling it without our knowledge. My Fourth Amendment is Not For Sale Act will put warrant protections for Americans’ rights into black-letter law and make sure these slimy data leeches don’t come back," Senator Wyden told Motherboard in a statement.
Update: This piece has been updated to include a statement from Senator Ron Wyden.