"I'll get right to the point," the March 2017 email from advertising firm Ogury to an Android app developer read. Ogury had a proposal: allow Ogury to put its code that serves adverts into the Android developer's app, and it would pay him depending on how large the app's user base is. The cold email is not unusual in the app development world—lots of companies pitch these bundles of code, called software development kits (SDKs)—but Ogury claimed it had something different.
"What makes Ogury special is, we have an opt-in data collection method which gives us granular user-level data which no other ad platforms have—not even Facebook," the email from an Ogury employee read. The app developer who received the emails provided them to Motherboard; Motherboard granted the source and others anonymity to speak more candidly about industry practices.
For some time Ogury had particularly insightful data because once its code was embedded in an app, it would also record a user's website browsing history outside of the app itself. Ogury then took this data and used it to serve more relevant adverts to users in the apps as well.
"Ogury leverages every web page browsed by the user. Every product the user has viewed, regardless of site. All research performed by the user online, via urls, etc. All bookmarks made by the user. All apps downloaded by the user. All the usage on the apps. All social media consumed," another document provided to people inside the technology and advertising industries and obtained by Motherboard reads.
Do you have documents showing how any other companies collect data? We’d love to hear from you. Using a non-work computer or phone you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
The data collection is no longer happening in this form in part because of a change in how the Android operating system handles app permissions, Thomas Pasquet, founder and CEO of Ogury told Motherboard through a spokesperson. Pasquet said that Ogury now "probabilistically extrapolate[s] browsing history" at a domain level rather than the full URL.
But emails, presentations, and other industry documents about Ogury's business still give some insight into how companies behind these kind of SDKs have installed their code into everyday apps in order to collect data. They also highlight how valuable a person's web browsing data can be to some companies. In January, Motherboard reported that the anti-virus company Avast was gathering this sort of data from users.
In one of the presentations obtained by Motherboard, Ogury says "We only exploit 1st party data that we collect directly."
Kumar Mettu founder and CEO of Dexati, a company that makes photography focused apps, told Motherboard he has received more than 50 emails from Ogury asking him to integrate its SDK into Dexati's apps. "Most of them promising high eCPM (Typical of any ad company)," he added, referring to how much Ogury would pay for ceach one thousand users that see Ogury advertisements.
App analysis companies MightSignal and Apptopia also provided Motherboard with lists of apps that they said contained the Ogury SDK. They include maps, games, horoscopes, and a bevvy of other types of apps.
Pasquet said Ogury partners with 9,000 apps, but added that data collection doesn't happen in all of them. In one of the earlier Ogury presentations obtained by Motherboard, the company said it has a reach of 300 million unique users, including 15 million in China and 14 million in India.
On its website Ogury heavily emphasises that it obtains consent from app users to gather information. Pasquet also said Ogury obtains consent from users via a pop-up in an app.
"If the consumer does NOT give consent for us to collect their data through the consent manager, the consumer will still see ads, but they will not be targeted, because absolutely no data was collected," Pasquet said. He added that 55 percent of users don't grant Ogury consent. (One of the older documents obtained by Motherboard said, at the time, over 80 percent of users opted-in).
After Android 7, which was released in August 2016, Ogury changed what data it collected because Google changed the permissions structure around collecting browsing data, Pasquet said.
"Therefore, with Android 7 and the versions after, we stopped collecting deterministic browsing history, we extrapolate it from raw network information. We start by displaying our first-party consent notice to the user, and only if the user accepts do we collect network information that we use to probabilistically extrapolate browsing history at a domain level (for example the domain “amazon.com” as opposed to the specific url “amazon.com/printers/epson”)," he explained.
Pasquet said Ogury stores data for 90 days for active use, 120 days for reporting use, and then up to 1080 days for backup purposes, after which the company deletes the data.
Earlier this year, anti-virus maker Avast closed down its data collection arm which was harvesting the browsing data of users' of the company's software after Motherboard and PCMag investigated the practice.
Subscribe to our cybersecurity podcast, CYBER.