Profile picture
, 27 tweets, 33 min read
My Authors
Read all threads
NEW: We examined in detail how 10 popular smartphone apps secretly share extensive personal information with at least 135 companies, systematically breaking EU data protection law. This must end.

Two massive reports + legal complaints against 6 companies: forbrukerradet.no/side/new-study…
I helped with the investigation, led by the Norwegian Consumer Council. It took several months and also involved @thezedwards, technical analysis by security firm Mnemonic and legal expertise by @NOYBeu.

25 orgs in the EU/US are urging authorities to act:
@thezedwards @NOYBeu We observed 8 data companies receiving detailed GPS location info, in combination with unique personal IDs, when using the gay/bi dating app Grindr, including MoPub (owned by Twitter), Bucksense, PubNative, OpenX, AdColony, Braze, Smaato and Vungle.

p125: fil.forbrukerradet.no/wp-content/upl…
@thezedwards @NOYBeu We observed location data brokers receiving data from the period tracking app MyDays, e.g. Placer (received GPS/WiFi/celltower data) and Placed/Foursquare (received GPS location >250 times + a list of installed apps).

p40: fil.forbrukerradet.no/wp-content/upl…
p95+99: fil.forbrukerradet.no/wp-content/upl…
@thezedwards @NOYBeu We observed 70 firms receiving data from the makeup app Perfect365, including data brokers Fysical (claims to have 'human movement data on 25% of the population') & Safegraph (claims to track the location of 35m devices).

p34: fil.forbrukerradet.no/wp-content/upl…
p83: fil.forbrukerradet.no/wp-content/upl…
@thezedwards @NOYBeu Overall, we observed the 10 apps sending more than 88000 http requests to 216 hosts, owned by at least 135 companies.

Several third-party companies received data from multiple apps. Knowing just when and how often people use certain apps is enough to create personal profiles.
@thezedwards @NOYBeu Our findings include many interesting details. Check @finnmyrstad's summary for an overview:


Some background info:


Summary:
consumerreports.org/privacy/popula…

In-depth articles NYT+TechCrunch:
nytimes.com/2020/01/13/bus…
techcrunch.com/2020/01/14/dat…
@thezedwards @NOYBeu @finnmyrstad The examined apps transmitted data to many widely unknown data firms, but also to well-known tech giants. Most apps transmitted data to Google+FB.

➡️Also, FB received accelerometer/gyroscope sensor data, and Amazon received GPS coordinates 🤔

p15+35+52: fil.forbrukerradet.no/wp-content/upl…
@thezedwards @NOYBeu @finnmyrstad Advertising firms and data brokers often claim to share only 'anonymized' data, which is usually a lie. In most cases, they use personal identifiers to combine profile data across many companies.

Google's so-called 'Advertising ID' is key to track and follow Android app users.
@thezedwards @NOYBeu @finnmyrstad The 10 apps examined transmitted the 'Advertising ID' to 70 companies.

This ID is then used across the surveillance marketing ecosystem and tied to data on our interests+behaviors.

They may sound a bit boring, but IDs are *key* for everything else.

p29: fil.forbrukerradet.no/wp-content/upl…
@thezedwards @NOYBeu @finnmyrstad We also observed that many companies create their own proprietary identifiers. 13 firms received identifiers such as IP addresses and WiFi SSIDs. Many firms received detailed device metadata, which can be used for fingerprinting. Also, location data can be used to match profiles.
@thezedwards @NOYBeu @finnmyrstad It's impossible to observe how companies further share personal data between their servers. But:

We observed 19 firms receiving data via Grindr. One of them potentially further shares data with 170 partners. Again, one of those potentially further shares data with 4259 partners.
@thezedwards @NOYBeu @finnmyrstad And take a look at the sections on 'cascading data sharing through Grindr'. It was hard work to understand and document how all those data companies interact, without being able to see what is happening on their servers.

p123: fil.forbrukerradet.no/wp-content/upl…
p23: fil.forbrukerradet.no/wp-content/upl…
@thezedwards @NOYBeu @finnmyrstad Like Google, Facebook, Amazon and other well-known companies, Twitter doesn't only act as a consumer-facing platform, but also as a 'third party'.

In case of Grindr, we observed Twitter's subsidiary MoPub playing a key role in personal data sharing with yet other data companies.
@thezedwards @NOYBeu @finnmyrstad In response to our report, Twitter's MoPub suspended Grindr from its ad network today.

But this is hardly enough. First, MoPub cannot merely shift responsibility to the app vendor. Second, MoPub claims to serve 49,000 apps, tracking 1.5 billion devices.
adage.com/article/digita…
@thezedwards @NOYBeu @finnmyrstad But MoPub is not alone. Take a look at this ad request to OpenX, a data company that claims to have relationships with 50,000 apps.

OpenX received GPS data via Grindr, and data related to real-time bidding ('openrtb').

p140: fil.forbrukerradet.no/wp-content/upl…
p28: fil.forbrukerradet.no/wp-content/upl…
@thezedwards @NOYBeu @finnmyrstad We know how real-time bidding in today's digital advertising works in theory. Every time people visit a website or use an app their profile data is being sold to the highest bidder. It's been called a massive data breach, happening millions of times a day.
@thezedwards @NOYBeu @finnmyrstad Now OpenX, who received data related to RTB via Grindr, *recommends* publishers to send the Advertising ID, GPS coordinates and other kinds of personal data, and thus broadcast it across the data economy.

All parties involved must be held accountable.
docs.openx.com/Content/develo…
@thezedwards @NOYBeu @finnmyrstad They are not. And this is why our report is titled 'Out of Control'.

There is no way for users to understand how personal data is being shared when using those apps.

Unfortunately, I'm pretty sure the practices we observed are representative for the majority of Android apps.
@thezedwards @NOYBeu @finnmyrstad Or, how @natashanyt puts it:

"Grindr is transmitting users' unique IDs, app name and precise locations to numerous ad tech companies, essentially broadcasting their sexual orientation to the entire consumer surveillance ecosystem"

Recommended thread:
@thezedwards @NOYBeu @finnmyrstad @natashanyt Plus:
@thezedwards @NOYBeu @finnmyrstad @natashanyt Guidance for further examination:

- Don't only focus on the apps, but also on the companies who receive data (the reports contain many details)
- Don't only focus on clearly sensitive data, but also on systemic issues that look less obvious yet enable pervasive digital profiling
@thezedwards @NOYBeu @finnmyrstad @natashanyt Some more stuff.

This is Bucksense. We observed them receiving Ad ID, IP and GPS data. The website of their ad platform Directopub (directopub.com/platform/) suggests they provide data to target age groups 'children', 'teens', and even 'infants' (?)

p135: fil.forbrukerradet.no/wp-content/upl…
@thezedwards @NOYBeu @finnmyrstad @natashanyt What surprised me a bit is that so many companies received exact GPS location data - not in the US but in GDPR-land.

While some of them try to obfuscate how they utilize it, others openly present themselves as data brokers.

See e.g. fysical.com: 'BUY and SELL DATA'
@thezedwards @NOYBeu @finnmyrstad @natashanyt We also observed an unidentified host receiving GPS location data via the Perfect365 app.

References in the requests point to location data brokers Fluxloop (Oslo) and Unacast (US). Either one or both may be responsible.

p38: fil.forbrukerradet.no/wp-content/upl…
p89: fil.forbrukerradet.no/wp-content/upl…
@thezedwards @NOYBeu @finnmyrstad @natashanyt In addition to location data brokers Fysical, Safegraph, Placer, Placed/Foursquare (as well as Fluxloop and/or Unacast), we also observed location data firm Tutela receiving GPS location +Wifi data, but were not able to attribute it to a certain app.

p72: fil.forbrukerradet.no/wp-content/upl…
@thezedwards @NOYBeu @finnmyrstad @natashanyt So, our testing phone transmitted location data to quite some of the companies listed in this recent piece by @stuartathompson+@cwarzel on this '50 billion location records from 12 million phones' file obtained by the NYT.

Still curious about the source.
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Wolfie Christl

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @WolfieChristl see all

Profile picture
Wolfie Christl
@WolfieChristl
Ok, this is devastating. It seems that almost the whole database of People Data Labs, a MASSIVE data broker who claims to have detailed profiles on 1.5 billion people, was left open on the Internet.
This is from the company's website:
peopledatalabs.com

All this data being exposed is only the final stage of the drama. The real scandal is that this company has been selling extensive data on hundreds of millions to anyone already before, largely without their knowledge.
People Data Labs has a page with detailed stats on 'their' database. It includes 91m birth dates, 413m educational records, 783m email addresses, 678m phone numbers, 809m records on work experience, 2,362m names, plus inferred salary, skills, interests etc
docs.peopledatalabs.com/docs/stats
Read 13 tweets
Profile picture
Wolfie Christl
@WolfieChristl
Die Financial Times hat gestern darüber berichtet, wie globale Gesundheits-Websites sensible Daten an Dritte weiterleiten. Wie sieht das in AT aus?

Ich hab die netdoktor.at-Seite über Brustkrebs aufgerufen. Im Hintergrund wurden 26 Drittparteien über meinen Besuch informiert.
Jetzt mal abgesehen von Google, wer sind diese Drittparteien? Großteils Firmen, die digitale Profile über (hunderte) Millionen Menschen sammeln und damit handeln.

BlueKai/Oracle (US), Neustar (US), Weborama (FR) und Cleverdata (RU) sind etwa ganz klar Datenhandelsfirmen.
Aber auch Online-Werbefirmen wie Adform, AppNexus (AT&T), Dataxu (Roku), MediaMath, Pubmatic, Teads (Altice), The Trade Desk, Turn (Singtel), Brightcove und Virtual Minds (mehrheitlich im Eigentum von ProSiebenSat1) verarbeiten umfassende Daten über den Großteil der Bevölkerung.
Read 13 tweets
Profile picture
Wolfie Christl
@WolfieChristl
Very interesting stuff in the leaked Facebook documents, indeed.

See e.g. from page 1561:
dataviz.nbcnews.com/projects/20191…

For example, Facebook did actually analyze "call log data (e.g. duration/frequency/recency of incoming/outgoing calls/texts)" and use it for friend suggestions.
See also @PrivacyMatters's thread:
@PrivacyMatters Facebook was "working with Cisco and other manufacturers to collect insights about users whose mobile devices are detected by in-store wifi".

(the whole table is from an email dated December 11, 2013)
Read 13 tweets

Related threads

Profile picture
Steve Peers
@StevePeers
CJEU, data protection law

New AG opinion in cases of @privacyint and others concludes that UK, French and Belgian laws on data retention of communications are at least partly in breach of EU law
If the CJEU judges agree with the Advocate General's opinion that the UK is in breach of EU data protection law, it is likely to impact upon whether the Commission can/will adopt a post Brexit adequacy decision for the UK.
Some initial comments on today's CJEU opinion on retention of communication data
Read 5 tweets
Profile picture
Arab News
@arabnews
#BREAKING: Oman’s ruler Sultan Qaboos has called on the US and Iran to resolve their issues diplomatically and asked the international community to intensify efforts for peace in the region arab.news/pyz8x
#BREAKING: #UK Foreign Minister Raab says war in #MiddleEast is in no one’s interests arab.news/pyz8x
#BREAKING: #UK Foreign Secretary @DominicRaab says route is open to #Iran to engage in meaningful diplomacy arab.news/pyz8x
Read 53 tweets
Profile picture
Yannis Koutsomitis
@YanniKouts
#BREAKING -- #EU Parliament's #Brexit Committee sees UK govt's new proposal 'not a basis for an agreement'.
UK's proposal to give Northern Ireland assembly a say over regulatory arrangements not acceptable ~senior #EU official
The Northern Ireland issue is extremely problematic over any Brexit solution. Even if unionists now agree to an Irish Sea customs border, there are no possible guarantees that a future Stormont constellation will not blow the whole thing up and claim alignment with the UK.
Read 7 tweets
Profile picture
Michael Veale
@mikarv
There are a small handful of interesting aspects to the Planet49 cookie-consent CJEU judgement today (only in FR/DE right now): curia.europa.eu/juris/fiche.js…
Firstly, unlike the AG, the Court expressly says that because they were not asked about bundling services (e.g. tracking walls, conditional/coerced consent), they will no comment on it.
The most interesting thing is how the Court justifies that info on cookie duration/those who can access should be provided. ePrivacy refers to data protection law on the information provided, but as ePrivacy is not always about personal data, the info reqs in DP don't always fit
Read 10 tweets
Profile picture
Steve Peers
@StevePeers
EU data protection and external trade
Commission adopts adequacy decision on EU/Japan data protection flows
Full text: ec.europa.eu/info/sites/inf…
Press release: europa.eu/rapid/press-re…
Factsheet: ec.europa.eu/info/sites/inf…
Q and A: europa.eu/rapid/press-re…
The data protection adequacy decision is technically separate from the EU/Japan free trade agreement that comes into force next week, but is implicitly linked to it politically - and note that it's reciprocal, data flows in both directions are simplified -
Compare to Brexit
Under the withdrawal agreement EU data protection law still applies to UK during transition period, & an adequacy decision process would be started.
If no deal, no adequacy decision, although this limits data flows, not bans them - p 11: ec.europa.eu/transparency/r…
Read 6 tweets
Profile picture
UCCat20
@UCC_Official
UCC had opportunity to comment on the #Data.Protection & Privacy Bill. The enactment of this law is long overdue. A comprehensive law on the collection & processing personal information gives effect to the right to Privacy envisaged under Article 27(2) of the Constitution
UCC welcome the protections offered by the Bill in terms of export of data, breach notification requirements, data subjects access rights, automated decision making, compensation and the right to be forgotten and provision for financial and penal sanctions for breach of the law.
Distinction between Data collectors & data controllers.
The Bill should however clarify & distinguish Data Collectors, from Data Processors & Data Controllers. Clause 2 is inconsistent with international good practice which provides for two broad categories of Data Controllers
Read 17 tweets

Trending hashtags

#OOTT #DataProtection #illegitimate #SDC #PAMFAM #dataprotectionKE #Soleimani #InCaseYouMissedIt #privacy #bomb #Uruguay #Darbasiyah #CambridgeAnalytica #RussianAirDefenses #PSC #geopoiltics #Tech #LNG #Colorado #Mexico #UPDATE #military #RGPD #Kurds #QassemSoleimani
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!