By: Alfred Ng and Jon Keegan
There is an estimated $12 billion market of companies that buy and sell location data collected from your cellphone. And the trade is entirely legal in the U.S.
Without legislation limiting the location data trade, Apple and Google have become the de facto regulators for keeping your whereabouts private—through shifts in transparency requirements and crackdowns on certain data brokers.
Specifically, the app stores have cracked down on data brokers that market software development kits (SDKs) to app developers—like X-Mode (now known as Outlogic), which has come under scrutiny for selling data to military contractors. It’s common for app developers to embed SDKs to add features to their apps without having to build them from scratch, but these SDKs specifically were designed to send app user location data to brokers.
But experts and location data industry workers tell The Markup that the moves have been insufficient; there are plenty of loopholes in Apple’s and Google’s policies that allow location data to still be collected, even without using those SDKs.
“The challenge, and this is a challenge with data brokers in general, is that you’re playing whack-a-mole, where these companies have many different vectors through which they get people’s sensitive information,” Justin Sherman, a cyber policy fellow at the Duke Technology Policy Lab, said.
What kinds of location data sales do Apple and Google allow for apps in their stores?
Apple and Google both have policies for companies selling location data. But it’s not clear if the tech giants enforce those policies—or even how they would do so.
Apple’s policy requires apps to disclose what data they are collecting from people and how it can be used and to get consent from users before sharing their data. However, it doesn’t require apps to disclose exactly who they are selling data to, and many apps simply state that they share data with partners.
For instance, when The Markup uncovered the fact that Life360 was selling location data to nearly a dozen location data brokers in 2021, we relied largely on former employees of the company to tell us to whom and to what extent the company was selling data on its users’ movements. Only two companies, of about a dozen, were mentioned in the app’s privacy policy. The rest, according to CEO Chris Hulls, were hidden behind confidentiality clauses, which are common in the industry due to the competitive value of the data.
That all appears to be in line with the Apple store policy.
“In order to submit new apps and app updates, you need to provide information about some of your app’s data collection practices on your product page,” Apple says in its privacy policy for developers. “With iOS 14.5, iPadOS 14.5, and tvOS 14.5 and later, you’re required to ask users for their permission to track them across apps and websites owned by other companies.”
For location data specifically, once the user has granted permissions, Apple’s policy notes that people are subject to apps’ privacy policy and practices, which can include selling their data.
Google’s policy goes a step further, stating that developers cannot sell personal and sensitive user data, which includes device location. The company also requires disclosure, telling developers that they “must be transparent in how you handle user data.”
Some policies are easy to audit (though not necessarily enforce), like Apple’s and Google’s ban on X-Mode’s SDKs. But the companies don’t give any indication of how they would enforce these rules around other methods of data collection that the very same banned brokers are using, like buying data directly from app publishers.
“Google Play’s policy explicitly prohibits apps that collect sensitive and personal user data from selling it,” Google spokesperson Scott Westover said in a statement when we asked about how Google enforces against location data sales.
Apple didn’t respond to The Markup’s requests for comment but in the past has also given vague statements on how it deals with server-to-server transfers from data brokers. When we reached out for an earlier story to ask Apple about direct server transfers from X-Mode while the broker’s SDK was banned, Apple spokesperson Adam Dema responded, “We do not allow apps to surreptitiously build user profiles based on collected user data. Apps found to be using the X-Mode SDK are required to remove it or risk removal from the App Store altogether.”
And despite Google’s policy against selling location data, the company hasn’t explained how it would detect developers directly selling the data. Google didn’t answer why Life360 was able to sell location data when we reached out for comment in November. In January, Google simply restated the company’s policy when we followed up asking about X-Mode’s direct server transfers.
Neither spokesperson addressed questions about how the companies can hope to enforce their policies and how they figure out what apps are doing with user location data, even as data brokers increasingly turn to less traceable ways to get location data from apps.
How can data brokers get around Apple’s and Google’s policies?
Workers in the location data industry told The Markup that data brokers are increasingly collecting data directly from app developers instead of relying on SDKs, which often leave a digital footprint. And it’s unclear how Apple and Google could even monitor how apps are sharing and selling data once they obtain it.
“Looking at SDKs is one way to try and protect people’s privacy against data brokers. But you also have to look at all the other ways that it happens, including through commercial transactions, where Company A says to Company B, we’re going to sell you this dataset on people’s GPS location,” Sherman said.
The Markup found that the family safety app Life360 had agreements to directly transfer location data about its users to some of its data customers’ servers. A former Life360 employee told us the data they supplied to Cuebiq was refreshed every five minutes, and a former X-Mode employee told us they had a daily process to pull fresh data from Life360 to their servers. The former employees spoke on the condition of anonymity because they both still work in the data industry.
After The Markup’s report, Life360 announced it would end those relationships and stop selling precise location data to all brokers except for Allstate’s Arity, but would continue to sell aggregated location data to Placer AI.
Two former X-Mode employees told The Markup the company has long used direct server transfers to scoop up location data from app developers and that more data came in this way than through the company’s SDK. The former X-Mode employees spoke to The Markup on the condition that we not use their names because they are still involved in the data industry. And The Wall Street Journal reported that after Google’s and Apple’s ban of its SDK, X-Mode leaned into this method of collecting data.
A developer who used to sell location data to X-Mode also told The Markup that he had received many offers from other data brokers to share data through direct server-to-server transfers. The developer spoke to The Markup on the condition of anonymity because of a confidentiality clause in his contract with X-Mode.
X-Mode is not the only broker using this method. In an email sent to an app developer and reviewed by The Markup, Veraset, a location data broker that is a subset of the company SafeGraph, pitched that the developer could “send data to Veraset server-to-server (no need to install or maintain an SDK).” The pitch also noted that apps can make from $12,000 to $1 million a year for sending their users’ location data to the company.
What could Apple and Google do to clamp down on location data sales?
Researchers say that Apple and Google could take some steps to better inform users of what’s happening to their data—but that a real clampdown on data sales would have to come from government intervention.
“The only thing the app store can detect is whether the app contains various SDKs or, when you run it, does it send the data to various third-party servers,” Serge Egelman, a researcher at UC Berkeley’s International Computer Science Institute, said. “That’s pretty much the extent to what anyone can detect using technology. The rest comes down to a policy issue.”
He said that Apple and Google could enforce policies against location data brokers by requiring apps to disclose who they sell user data to if they want to be in their app stores. But a policy like that would also rely heavily on the honor system.
“If they do lie in those responses, there’s no one who can really audit them,” Egelman said. “If there are contractual relationships with these companies and third parties, whereby they give the data directly from their servers after they’ve received it from the apps, there’s no real way of detecting that. There’s not much that Apple or Google can do.”
Without government regulation, the current approach from Apple and Google is to play catch-up with data brokers for each new way that location data can be shared, experts said.
For example, while app developers could potentially lie to Apple and Google without any way to audit the companies, they face a bigger risk if they violate laws like the European Union’s General Data Protection Regulation. The law, which requires companies to disclose all third parties who could receive a person’s data, could be a stronger check on direct server transfers than app store scrutiny.
“If the developer decides to directly collect the data and then sell it to another company … it would be a bit more tricky for users to be aware that this data is collected in order to be sold to another company,” Esther Onfroy, co-founder of Exodus Privacy, a tool that audits Android apps for trackers by seeking SDKs, said. “With the GDPR, when you decide to collect location data, you as a developer, you have to say that, ‘I will be collecting your location data and it will be sent or collected directly by this third party or by this partner,’ and you can refuse.”
The U.S. doesn’t have a federal data privacy law, though some states, like California, have their own regulations. California’s privacy law, however, requires companies to disclose only the categories of third parties who receive data, not the data brokers specifically.
“Whack-a-mole can work eventually maybe, but it’s more effective to have a systemic regulatory governance approach to this issue,” Duke’s Sherman said.
This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.