Wow, what a fine illustration of app research.
Ahem, there is no evolving standard, if a user says no, then that means
no.
Thanks for sharing,
Kare
"No one is born hating another person because of the color of his
skin or his background or his religion ... People must learn to
hate, and if they can learn to hate, they can be taught to
love... For love comes more naturally to the human heart than its
opposite." Nelson Mandela.
On Tue, 22 Aug 2017, M. Taylor wrote:
AppleInsider - Frontpage News - Tuesday, August 22, 2017 at 4:39 PM
AccuWeather sends user location data to monetization firm despite iOS
privacy settings
Popular iOS weather app AccuWeather, often listed as a top-ten app in the
Weather section of the iOS App Store, has been collecting and forwarding
user location information to data monetization company Reveal Mobile even
when location sharing is disabled.
The potential breach of privacy was detailed by security researcher Will
Strafach on Monday.
Strafach, who monitored data traffic on a test phone running AccuWeather in
the background, discovered the app would send packets containing Wi-Fi
router name and BSSID information to Reveal Mobile every few hours. That
data can be crosschecked against publicly available router and MAC address
location information to determine a user's whereabouts with relative
precision.
Most troubling is that AccuWeather's Wi-Fi and MAC address data gathering
operation continues when location services are disabled.
When the app is first installed, users can opt in to location tracking,
which allows AccuWeather to push out severe weather alerts, critical updates
and "make the app launch faster." According to Strafach, the app logs
precise GPS coordinates, including current speed and altitude, router name
and MAC address information, and device Bluetooth status when background
location services are activated.
For Reveal Mobile, Bluetooth is an important piece of its core technology.
As detailed in documentation on its website (PDF link), the company helps
advertisers serve relevant content to consumers by harvesting location data
from partner apps.
Reveal Mobile "turns the location data coming out of those apps into
meaningful audience data. We listen for lat/long data and when a device
'bumps' into a Bluetooth beacon," the company says.
Users can decline app calls to activate location services, presented at
first launch and again when searching for weather in a specific area, to
limit the scope of data sent to offsite servers. However, as explained by
Strafach, the continued transmission of Wi-Fi router information is
problematic.
In a statement to ZDNet, Reveal Mobile said it does not use Wi-Fi and BSSID
information for location determination.
"Everything is anonymized," said Brian Handley, CEO of Reveal Mobile. "We're
not ever tracking an individual device." He went on to illustrate a
situation in which Reveal can use the information to deliver advertisements
to customers inside a Starbucks location.
In response to Strafach's revelations, Reveal Mobile issued a public
statement clarifying its location tracking technology. The firm maintains
that it follows all App Store guidelines and honors device level and app
level opt-outs and permissions. In particular, the company says it does not
reverse engineer device location based on "other data signals" when a user
opts out of location services.
In light of the recent findings, however, Reveal Mobile is releasing a new
iOS SDK that "no longer send[s] any data points which could be used to infer
location when someone opts out of location sharing."
For its part, AccuWeather vice president of emerging platforms David
Mitchell said the company plans to "use data through Reveal Mobile for
audience segmentation and analysis, to build a greater audience
understanding and create more contextually relevant and helpful experiences
for users and for advertisers."
Following Strafach's blog post, a number of AccuWeather users abandoned the
app over privacy concerns. As of this writing, the weather app stands in the
No. 6 spot in the Weather section of the App Store.
Update: In a statement to AppleInsider, AccuWeather confirms Wi-Fi network
information was available for "a short period" on the Reveal SDK, but went
unused by the app. Whether that same data was used by Reveal Mobile was left
unmentioned.
The statement in full:
Despite stories to the contrary from sources not connected to the actual
information, if a user opts out of location tracking on AccuWeather, no GPS
coordinates are collected or passed without further opt-in permission from
the user.
Other data, such as Wi-Fi network information that is not user information,
was for a short period available on the Reveal SDK, but was unused by
AccuWeather. In fact, AccuWeather was unaware the data was available to it.
Accordingly, at no point was the data used by AccuWeather for any purpose.
AccuWeather and Reveal Mobile are committed to following the standards and
best practices of the industry. We also recognize this is a quickly evolving
field and what is best practice one day may change the next. Accordingly, we
work to update our practices regularly.
To avoid any further misinterpretation, Reveal is updating its SDK and
pushing out new versions of the SDK in the next 24 hours, with the iOS
update going live tonight. The end result should be that zero data is
transmitted back to Reveal Mobile when someone opts out of location sharing.
In the meanwhile, AccuWeather had already disabled the SDK, pending that
update.
Reveal has stated that the SDK could be misconstrued, and they assure that
no reverse engineering of locations was ever conducted by any information
they gathered, nor was that the intent.
AccuWeather will work with Reveal to restore the SDK when it has been
amended and will continue to update its ULAs to be transparent and current
with evolving standards. AccuWeather and Reveal continue to enhance methods
for handling data and strive to provide superior, seamless, and secure user
experiences.
We are grateful to have a supportive community that highlights areas where
we can optimize and be more transparent.
Original Article at:
http://appleinsider.com/articles/17/08/22/accuweather-sends-user-location-da
ta-to-monetization-firm-despite-ios-privacy-settings
--
The following information is important for all members of the Mac Visionaries
list.
If you have any questions or concerns about the running of this list, or if you
feel that a member's post is inappropriate, please contact the owners or
moderators directly rather than posting on the list itself.
Your Mac Visionaries list moderator is Mark Taylor. You can reach mark at:
macvisionaries+modera...@googlegroups.com and your owner is Cara Quinn - you
can reach Cara at caraqu...@caraquinn.com
The archives for this list can be searched at:
http://www.mail-archive.com/macvisionaries@googlegroups.com/
---
You received this message because you are subscribed to the Google Groups
"MacVisionaries" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to macvisionaries+unsubscr...@googlegroups.com.
To post to this group, send email to macvisionaries@googlegroups.com.
Visit this group at https://groups.google.com/group/macvisionaries.
For more options, visit https://groups.google.com/d/optout.
