New: Perhaps the most comprehensive report on how mobile apps secretly share location data with companies most people have never heard of, who then sell it to all kinds of interested parties from advertisers to US military contractors, by @seanodiggity+@U039b:
expressvpn.com/digital-securi…
In December, Google+Apple announced they would ban apps that embed tracking software operated by X-Mode, a location data broker who has sold location data to US military contractors.

The investigation found 199 apps with X-Mode embedded, 1 billion downloads, 90% of them still available.
Many more apps than we previously knew of contain tracking software by X-Mode, including muslim prayer apps, dating apps, navigation apps, travel guides, weather apps, compass apps, games, fitness apps, QR code scanners…

Here's the full list of 199 apps:
github.com/expressvpn/xot…
The investigation is based on static analysis of the apps' source code that contained X-Mode tracking at some point over the past year.

TC did some additional testing of the most popular apps and found that several were sending location data to X-Mode: techcrunch.com/2021/01/28/x-m…
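The static-analysis approach the report describes (checking an app package for an SDK's code) can be reproduced in miniature: unpack the APK, find every `classes*.dex`, and look for class descriptors under a known SDK package prefix. The following Python is an added example, not code from the report, ExpressVPN, TechCrunch or the thread author; the package prefix `com/hypothetical/locsdk/` is an invented placeholder and not X-Mode's real identifier, and the sample APK is constructed inline so the script runs offline.

```python
import io
import re
import zipfile

# Hypothetical SDK package prefixes to search for. These are assumptions for the
# example; a real scan would use the SDK's actual package names from its documentation
# or from a reference build that embeds it.
SDK_SIGNATURES = {
    "hypothetical-location-sdk": [b"Lcom/hypothetical/locsdk/"],
}

# Dex class descriptors look like "Lpkg/sub/Class;" in the string_data section.
_DESCRIPTOR_TAIL = rb"[A-Za-z0-9_/$]+;"


def scan_apk(apk_bytes, signatures=SDK_SIGNATURES):
    """Return {sdk_name: sorted class descriptors} for every signature found in any classes*.dex."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        dex_names = [n for n in z.namelist() if re.fullmatch(r"classes\d*\.dex", n)]
        for name in dex_names:
            data = z.read(name)
            for sdk, prefixes in signatures.items():
                for prefix in prefixes:
                    pattern = re.escape(prefix) + _DESCRIPTOR_TAIL
                    for m in re.finditer(pattern, data):
                        hits.setdefault(sdk, set()).add(m.group(0).decode("ascii"))
    return {sdk: sorted(descs) for sdk, descs in hits.items()}


def build_sample_apk(descriptors):
    """Constructed sample APK: a zip holding a minimal fake classes.dex.

    Only the class descriptors matter for the scan; the dex is not a valid
    executable, it just starts with the real dex magic and carries the strings.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder, not parsed here
        dex = b"dex\n035\x00" + b"\x00" * 32 + b"\x00".join(descriptors) + b"\x00"
        z.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed input: an app with one SDK class plus its own activity.
    sample = build_sample_apk([
        b"Lcom/hypothetical/locsdk/Tracker;",
        b"Lcom/app/MainActivity;",
    ])
    for sdk, classes in scan_apk(sample).items():
        print(f"{sdk}: {len(classes)} class(es), e.g. {classes[0]}")
```

Two caveats a practitioner would keep in mind: a hit proves the SDK's code is present, not that it is initialised or that location is actually transmitted, which is why the follow-up dynamic testing reported above matters; and obfuscation or a vendor renaming the package makes a prefix match miss, so signatures need refreshing against current SDK builds.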
X-Mode complains that it's being singled out as it "collected similar mobile app data as most advertising SDKs".

True. All of them must be banned. Not by Google/Apple, but by law.

And #whatabout platform utilities? Yep, they shouldn't be allowed to *exploit* location data either.
Btw. I love that X-Mode openly admits that only 'a majority' of its app publishers had 'secondary consent' to sell location data.

(not to mention that 'secondary consent' might be a synonym for 'non-informed consent' or 'no consent')
The report didn't only find tracking software by X-Mode in mobile apps, but also by several other location data brokers.

Placed, for example, was owned by Snap until 2019 and is now owned by Foursquare, formerly a location-based social network, now a major location data broker.
In 2019, we observed Placed/Foursquare (and Fysical) receiving location data from users in GDPR space:

forbrukerradet.no/side/complaint…

Predicio is a French data broker that was caught selling location data to a US firm that sells to ICE+FBI:
SignalFrame? The WSJ reported on the company and its national security business/projects in Nov 2020:

"SignalFrame’s product can turn civilian smartphones into listening devices ... that detect wireless signals from any device that happens to be nearby"
wsj.com/articles/next-…
There is lots of evidence in the report, for further investigation by journalists and regulators, especially EU data protection authorities.

Not least, with regards to data flows and business relationships between X-Mode, Placed/Foursquare and other location data brokers:
"When we reported on the findings earlier this week, Google told us that all Android apps with X-Mode's code had been removed"

But Google didn't remove all of them, surprise!
theregister.com/2021/02/06/goo…
