Do you have access to documents about the location data industry? Do you sell location data, either as an app developer or a data broker? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email firstname.lastname@example.org.
Google Tells Specific Apps to Disclose Location Gathering or Be Removed
Image: SOPA Images/Contributor
Google has sent a wave of warnings to specific Android app developers telling them to be much clearer with how they collect and process location data or face being removed from the Play Store entirely, Motherboard has learned.Google targeted apps that it believes worked with a company called Huq, which collects granular location data from ordinary smartphone apps and then sells products based on that to various industries. Google appears to have removed some offending apps too.
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.
The move comes after Motherboard reported that some Huq-affiliated apps were sending location data to the company even when users explicitly opted-out. That report highlighted that smartphone users can’t necessarily be sure that an app is respecting their choices around data sharing.“It's certainly a positive development, and I'm glad it was enforced by removing apps that chose not to comply,” Joel Reardon, assistant professor at the University of Calgary and the forensics lead and co-founder of AppCensus, a company that analyzes apps, and who first flagged some of the issues around Huq to Motherboard, said in an email. “This kind of policy-based enforcement, however, requires continuing effort in monitoring for bad actors and broken consent going forwards. The location collection firms also have a responsibility to ensure that apps that include their intimate tracking software actually ensure that apps implement the consent structures that they claim in privacy policies correctly.”
A Google spokesperson told Motherboard in an email that "As part of our investigation, we have sent a warning to all app developers that we determined were in violation of Google Play policies.” Google added that the investigation was specifically concerning Huq.Huq is a UK-based firm that claims to collect and process over one billion location data events everyday, and says it sources that data from devices in 161 different countries, according to the company’s website. Huq then offers products based on that data to different sectors such as local governments, retail, real-estate, and financial investors, its website adds. Sometimes journalists use the company’s data too: in September the Financial Times published an article that used Huq data about UK drivers flocking to petrol stations during a recent fuel scare.Huq obtains this data by paying app developers to include its own software development kit (SDK) inside apps. This bundle of code then collects the app users’ location data and transfers it to Huq. Huq obtains data from both Android and iOS devices.
Motherboard’s and Reardon’s findings about Huq-affiliated apps collecting data without consent focused on a selection of specific apps, including one called “Network Signal Info” made by KAIBITS Software GmbH and “QR & Barcode Scanner” developed by AppSourceHub, each with more than 5 million downloads.Huq later admitted to the BBC that some of its data was gained without seeking permission from users."It is possible that we or our partners may uncover future technical issues, but what's important is how quickly we act and how seriously we take the issue," Huq told the BBC.Norwegian outlet NRK then reported on another app that Reardon found, Quran Mp3, also made by AppSourceHub, that sent location data to Huq even when a user had opted-out. Huq told the outlet it had stopped its partnership with AppSourceHub. A UK National Rail app also cut ties with Huq, NRK reported.Multiple apps that previously may have had links with Huq have since been removed from the Google Play Store. Those include “ONCE—Escaner de Cupones,” a Spanish language lottery app; “Acak,” a video chat app; a reference app for the popular game League of Legends “Champions of League of Legends;” and flight tracker “Airline Flight Status Track & Airport FlightBoard.” It is not clear if all of these apps were removed for the same reason or not.