I helped with the investigation, led by the Norwegian Consumer Council. It took several months and also involved @thezedwards, technical analysis by security firm Mnemonic and legal expertise by @NOYBeu.
25 orgs in the EU/US are urging authorities to act: https://twitter.com/finnmyrstad/status/1216988443961634816
We observed 8 data companies receiving detailed GPS location info, in combination with unique personal IDs, when using the gay/bi dating app Grindr, including MoPub (owned by Twitter), Bucksense, PubNative, OpenX, AdColony, Braze, Smaato and Vungle. p125: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf pic.twitter.com/d8IkuZwkSV
We observed location data brokers receiving data from the period tracking app MyDays, e.g. Placer (received GPS/WiFi/cell tower data) and Placed/Foursquare (received GPS location >250 times + a list of installed apps). p40: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/mnemonic-security-test-report-v1.0.pdf p95+99: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf pic.twitter.com/0s5V8grqqc
We observed 70 firms receiving data from the makeup app Perfect365, including data brokers Fysical (claims to have 'human movement data on 25% of the population') & Safegraph (claims to track the location of 35m devices). p34: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/mnemonic-security-test-report-v1.0.pdf p83: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf pic.twitter.com/wcF24uFxEj
Overall, we observed the 10 apps sending more than 88,000 HTTP requests to 216 hosts, owned by at least 135 companies. Several third-party companies received data from multiple apps. Knowing just when and how often people use certain apps is enough to create personal profiles. pic.twitter.com/h63GWBxvhc
Our findings include many interesting details. Check @finnmyrstad's summary for an overview: https://twitter.com/finnmyrstad/status/1216988370632695809 Some background info: https://twitter.com/thezedwards/status/1216968396023070721 Summary: https://www.consumerreports.org/privacy/popular-apps-share-intimate-details-about-you/ In-depth articles NYT+TechCrunch: https://www.nytimes.com/2020/01/13/business/grindr-apps-dating-data-tracking.html https://techcrunch.com/2020/01/14/dating-and-fertility-apps-among-those-snitching-to-out-of-control-adtech-report-finds/ pic.twitter.com/W9fbiaHrgt
The examined apps transmitted data to many widely unknown data firms, but also to well-known tech giants. Most apps transmitted data to Google+FB.
Also, FB received accelerometer/gyroscope sensor data, and Amazon received GPS coordinates.
p15+35+52: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/mnemonic-security-test-report-v1.0.pdf pic.twitter.com/3ahPA92RyI
Advertising firms and data brokers often claim to share only 'anonymized' data, which is usually a lie. In most cases, they use personal identifiers to combine profile data across many companies. Google's so-called 'Advertising ID' is key to track and follow Android app users. pic.twitter.com/xHSgc8fj8w
The 10 apps examined transmitted the 'Advertising ID' to 70 companies. This ID is then used across the surveillance marketing ecosystem and tied to data on our interests+behaviors. They may sound a bit boring, but IDs are *key* for everything else. p29: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf pic.twitter.com/bjl2yO27MF
We also observed that many companies create their own proprietary identifiers. 13 firms received identifiers such as IP addresses and WiFi SSIDs. Many firms received detailed device metadata, which can be used for fingerprinting. Also, location data can be used to match profiles. pic.twitter.com/oNpyJq3Unf
It's impossible to observe how companies further share personal data between their servers. But: we observed 19 firms receiving data via Grindr. One of them potentially further shares data with 170 partners. Again, one of those potentially further shares data with 4,259 partners. pic.twitter.com/1PDJ0pkwsX
And take a look at the sections on 'cascading data sharing through Grindr'. It was hard work to understand and document how all those data companies interact, without being able to see what is happening on their servers. p123: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf p23: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/mnemonic-security-test-report-v1.0.pdf pic.twitter.com/s9Wcgh3P1R
Like Google, Facebook, Amazon and other well-known companies, Twitter doesn't only act as a consumer-facing platform, but also as a 'third party'. In the case of Grindr, we observed Twitter's subsidiary MoPub playing a key role in personal data sharing with yet other data companies. pic.twitter.com/bmgfM1nZCo
In response to our report, Twitter's MoPub suspended Grindr from its ad network today. But this is hardly enough. First, MoPub cannot merely shift responsibility to the app vendor. Second, MoPub claims to serve 49,000 apps, tracking 1.5 billion devices. https://adage.com/article/digital/twitter-suspends-grindr-its-ad-platform-it-investigates-privacy-concerns/2227116
But MoPub is not alone. Take a look at this ad request to OpenX, a data company that claims to have relationships with 50,000 apps. OpenX received GPS data via Grindr, and data related to real-time bidding ('openrtb'). p140: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf p28: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/mnemonic-security-test-report-v1.0.pdf pic.twitter.com/PofWJU75iq
We know how real-time bidding in today's digital advertising works in theory. Every time people visit a website or use an app, their profile data is being sold to the highest bidder. It's been called a massive data breach, happening millions of times a day. https://twitter.com/johnnyryan/status/1039906334542622720
Now OpenX, who received data related to RTB via Grindr, *recommends* that publishers send the Advertising ID, GPS coordinates and other kinds of personal data, and thus broadcast it across the data economy. All parties involved must be held accountable. https://docs.openx.com/Content/developers/ad_request_api/openrtb_parameters.html pic.twitter.com/Fnf7q6xAPS
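The OpenRTB fields named in the parameter documentation linked above (device.ifa for the Advertising ID, device.geo.lat/lon, device.ip) are exactly what a traffic capture like mnemonic's surfaces, and the same identifiers turn up as plain query parameters in non-RTB ad requests. As an added example that is not part of this thread or of the report, here is a small Python script that classifies the personal identifiers present in captured app requests and summarises them per receiving host. The hosts, request URLs and the OpenRTB body are constructed for illustration; the key names and the UUID heuristic for spotting an Advertising ID are assumptions, not taken from the report.

```python
"""Classify personal identifiers in captured app traffic, per host.

Added example (not from the 'Out of Control' report). Input records are
constructed: one plain ad request with identifiers in the query string,
one OpenRTB-style bid request with identifiers in the JSON body, and one
image fetch that carries nothing personal.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed captures; hosts under .test are reserved example names.
CAPTURED = [
    {"host": "ads.example-ssp.test",
     "url": "/ad?gaid=38400000-8cf0-11bd-b23e-10b96e40000d"
            "&lat=59.9139&lon=10.7522&ssid=HomeWifi"},
    {"host": "rtb.example-exchange.test", "url": "/openrtb",
     "body": json.dumps({
         "id": "1",
         "device": {"ifa": "38400000-8cf0-11bd-b23e-10b96e40000d",
                    "ip": "203.0.113.5",
                    "geo": {"lat": 59.91, "lon": 10.75, "type": 1}},
         "app": {"bundle": "com.example.app"}})},
    {"host": "cdn.example.test", "url": "/image.png"},
]

# Assumed key names; real SDKs use many more spellings.
AD_ID_KEYS = {"gaid", "adid", "advertising_id", "advertisingid", "ifa", "idfa"}
LAT_KEYS = {"lat", "latitude"}
LON_KEYS = {"lon", "lng", "long", "longitude"}
IP_KEYS = {"ip", "ipv4", "client_ip"}
SSID_KEYS = {"ssid", "wifi_ssid"}
# Android Advertising IDs are UUIDs; any UUID-shaped value is flagged as a
# *possible* ad ID (heuristic: request IDs can look the same).
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def flatten(obj, prefix=""):
    """Yield (dotted_key, scalar) pairs from a nested JSON structure."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten(val, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from flatten(val, f"{prefix}{idx}.")
    else:
        yield prefix.rstrip("."), obj


def extract_fields(record):
    """Collect key/value pairs from the query string and a JSON body."""
    fields = []
    for key, values in parse_qs(urlsplit(record["url"]).query).items():
        fields.extend((key, val) for val in values)
    body = record.get("body")
    if body:
        try:
            fields.extend(flatten(json.loads(body)))
        except ValueError:
            pass  # non-JSON bodies are out of scope for this example
    return fields


def classify(key, value):
    """Return the identifier categories one key/value pair belongs to."""
    cats = set()
    leaf = key.rsplit(".", 1)[-1].lower()  # 'device.geo.lat' -> 'lat'
    text = str(value)
    if leaf in AD_ID_KEYS or UUID_RE.match(text):
        cats.add("advertising_id")
    if leaf in LAT_KEYS or leaf in LON_KEYS:
        try:
            number = float(text)
        except ValueError:
            number = None
        limit = 90 if leaf in LAT_KEYS else 180
        if number is not None and abs(number) <= limit:
            cats.add("gps")
    if leaf in IP_KEYS and IPV4_RE.match(text):
        cats.add("ip_address")
    if leaf in SSID_KEYS:
        cats.add("wifi_ssid")
    return cats


def summarize(records):
    """Map each receiving host to the sorted identifier categories it got."""
    per_host = {}
    for rec in records:
        cats = per_host.setdefault(rec["host"], set())
        for key, val in extract_fields(rec):
            cats |= classify(key, val)
    return {host: sorted(cats) for host, cats in per_host.items()}


def hosts_receiving(summary, category):
    """Hosts that received a given category, e.g. every recipient of GPS."""
    return sorted(h for h, cats in summary.items() if category in cats)


if __name__ == "__main__":
    result = summarize(CAPTURED)
    for host, cats in result.items():
        print(f"{host}: {', '.join(cats) or '-'}")
    print("GPS recipients:", hosts_receiving(result, "gps"))
```

Run against a real capture, the per-host summary is the table the report builds by hand: which third parties received the Advertising ID together with precise location, which ones only got device metadata, and so on. The UUID heuristic deliberately over-matches; a practitioner would confirm a flagged value against the Advertising ID read from the test device's settings.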
They are not. And this is why our report is titled 'Out of Control'. There is no way for users to understand how personal data is being shared when using those apps. Unfortunately, I'm pretty sure the practices we observed are representative of the majority of Android apps. pic.twitter.com/JCJu22Gm1F
Or, as @natashanyt puts it: "Grindr is transmitting users' unique IDs, app name and precise locations to numerous ad tech companies, essentially broadcasting their sexual orientation to the entire consumer surveillance ecosystem" Recommended thread: https://twitter.com/natashanyt/status/1217089288149467139
Guidance for further examination:
- Don't only focus on the apps, but also on the companies who receive data (the reports contain many details)
- Don't only focus on clearly sensitive data, but also on systemic issues that look less obvious yet enable pervasive digital profiling
Some more stuff. This is Bucksense. We observed them receiving Ad ID, IP and GPS data. The website of their ad platform Directopub (https://directopub.com/platform/) suggests they provide data to target age groups 'children', 'teens', and even 'infants' (?) p135: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf pic.twitter.com/PWUSGDiVZ6
What surprised me a bit is that so many companies received exact GPS location data - not in the US but in GDPR-land. While some of them try to obfuscate how they utilize it, others openly present themselves as data brokers. See e.g. http://fysical.com: 'BUY and SELL DATA' pic.twitter.com/ZHtL8YyMrb
We also observed an unidentified host receiving GPS location data via the Perfect365 app. References in the requests point to location data brokers Fluxloop (Oslo) and Unacast (US). Either one or both may be responsible. p38: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/mnemonic-security-test-report-v1.0.pdf p89: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf pic.twitter.com/3LSR0Kl3Jw
In addition to location data brokers Fysical, Safegraph, Placer, Placed/Foursquare (as well as Fluxloop and/or Unacast), we also observed location data firm Tutela receiving GPS location + WiFi data, but were not able to attribute it to a certain app. p72: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/mnemonic-security-test-report-v1.0.pdf pic.twitter.com/xvA4TX3YaV
So, our testing phone transmitted location data to quite a few of the companies listed in this recent piece by @stuartathompson+@cwarzel on this '50 billion location records from 12 million phones' file obtained by the NYT. Still curious about the source. https://twitter.com/WolfieChristl/status/1207641167573241856