My Phone Was Spying on Me, so I Tracked Down the Surveillants
THREAD on the location data industry and how European personal data ended up at a U.S. government contractor.
There are 160 apps on my phone. What they’re actually doing, I don’t know. So I decided to figure it out by using the power of the GDPR - or the more lame name of subject access requests (SAR).
Long story short – I got a lot of data on my movements. Actually more than 75.000 data points on my precise location.
Home and work:
How: I designed an experiment where I installed a lot of apps on an Android phone. I then consented to sharing my location data. Then I turned the tables: By using SARs I stitch together the data flows from me to different companies. (Better graphics in article.)
The app Funny Weather appeared in the metadata provided by Venntel and Gravy Analytics. The data might have been shared through Predicio, but the company did not respond to any requests for an interview.
Complementics and Predicio sent my personal data to Gravy Analytics, a major data broker in the marketing business. This is according to the SAR from Gravy. Gravy did not respond to comment.
Venntel is a subsidiary of Gravy Analytics. Venntel has a lot of government contracts – CBP, ICE, IRS, FBI, DEA. What these agencies actually use the data for @ByronTau (WSJ) and @josephfcox (Motherboard) have a lot of good reporting on.
Venntel told me in a subject access request that my data was shared, but they did not provide to whom. When contacted later - they told me in a short statement that the data was not shared with ICE or CBP.
Uncovering the Disqus data machine pt.2: This figure shows the difference between the regular European experience of using a site with @disqus and the American one. (LONG THREAD)
My reporting on @disqus started with a tip - the consulting company @conzentio thought it was weird that the comment section widget from Disqus could share so much data. They had a fair point, and it turned out that it breached the #GDPR
The chart is actually lying - @LiveRamp refuses to receive data from Norwegians (451 status code) - so far fewer companies receive private information.
One might say that LiveRamp boosts the data sharing between companies. (They have not responded to my request for comment)
Uncovering the Disqus data machine: @disqus shared the personal data of tens of millions of users without them or the websites knowing about it. thread - 1/13
The company says that 2 billion unique users hit their platform each month, but the number could likely be far lower. Disqus would not disclose the % that have their data shared. 3/13