Wolfie Christl
Sep 15, 2020
Android apps from dating to fertility to selfie editors share personal data with the Chinese company Jiguang via its SDK that is embedded in the apps, including GPS locations, immutable device identifiers and info on all apps installed on a phone.

Report: blog.appcensus.io/2020/09/15/rep…
Jiguang, also known as Aurora Mobile, claims to be present in >1 million apps and >26 billion mobile devices. Which seems wildly exaggerated.
jiguang.cn/en/

Anyway, researchers found Jiguang's SDK in about 400 apps, some of them with hundreds of millions of installs.
According to the paper, Jiguang’s SDK is "particularly concerning because this code can run silently in the background without the consumer ever using the app in which it is embedded". Also, the SDK uses several methods to "obfuscate and hide" its "behavior and network activity".
While many "previous research efforts focused on SDKs specialized in analytics and advertising services, the results of our analysis call for the need of analyzing and regulating …the whole third-party SDK ecosystem due to their privacy and consumer protection implications"

Yes
Study is by @AppCensusInc and @IDACwatchdog. Here's the link to the PDF report:
icsi.berkeley.edu/pubs/privacy/T…

Please note that there are hundreds, if not thousands of data companies based in the US, Europe, Russia, Singapore, India or in other countries that are doing similar stuff.
Nevertheless, Jiguang/Aurora is special in some way.

Like many other mobile data brokers all across the world, they sell so-called audience data, i.e. extensive user profiles with hundreds of attributes that can be used for surveillance-based advertising:
jiguang.cn/en/iaudience
On the same website they openly suggest that customers can use eight years of accumulated data on '1 billion+ monthly active mobile users' also for 'financial risk control':
jiguang.cn/en/fintech
They say they identify the 'user's risk level' for 'corporate lending', 'relying on years of data accumulation'.

'JIGUANG’s data service objectively reflects user’s repayment willingness' ... 'highly correlative to the overdue behavior of loan clients'
jiguang.cn/en/anti-fraud
They also sell data for other purposes not related to advertising.
jiguang.cn/en/izone

According to a press release, they provide data solutions for 'targeted marketing, financial risk management, market intelligence and location-based intelligence':
globenewswire.com/news-release/2…
Is this a purely Chinese enterprise? Not at all. Aurora Mobile is listed on Nasdaq.

According to an SEC filing, "Jiguang" is the brand and Aurora consists of a network of companies based in China, the British Virgin Islands, Cayman Islands and Hong Kong: ir.jiguang.cn/static-files/c…
(like many of their 'western' counterparts)

There's lots of interesting info in the SEC filing. Aurora emphasizes to 'assist financial institutions and financial technology companies in making informed lending and credit decisions' based on data from its 'developer services'.
"We develop the risk features based on anonymous* device-level mobile behavioral data… We believe [the] risk features we offer, such as those relating to payment behaviors and usage of consumer finance mobile apps, are most relevant to credit assessments"

*most likely not true
Listed companies must disclose all kinds of information including business risks.

Here they disclose to the SEC that they may have to 'obtain approval or license for personal credit reporting business' in China to 'continue offering its financial risk management solutions'.
"Due to the lack of further interpretations of the current regulations governing personal credit reporting businesses, the exact definition and scope of 'information related to credit standing' and 'personal credit reporting business' ... are unclear"

…same issues everywhere 🤖
One more SEC filing tidbit, Aurora states it has "accumulated data from over 33.6 billion installations of [its] software development kits (SDKs)". So, they're counting every app install that contained their SDKs. And they claim to harvest data from 90% of Chinese mobile devices.
Enough for today.

TL;DR Chinese data companies provide cheap services to app vendors, harvest personal data on hundreds of millions without their knowledge, and exploit it for all kinds of business purposes, in many ways very similar to companies in the US and in other regions.
Btw. Aurora/Jiguang lists the huge US-based data broker Nielsen as a customer:
jiguang.cn/en/izone
