In our recent post Pointr Deep Location® Platform - user privacy by design, we looked at how the apps on your phone collect your personal data and how unscrupulous organizations are exploiting that data.
The issue is receiving attention from Google with the recent banning of SafeGraph, a location data broker that captured and sold Android users’ location data.
In this article, we will:
Look at who’s collecting and storing personal and business data and for what purposes
Examine the technology used to capture data, often without the owner’s consent
Reveal the “unauthorized” location data brokers and the fight against them
Discuss how the Pointr Deep Location® Platform was built from the ground up with “security by design” ensuring the safety of our users’ data
Who are the main data collection culprits?
Data brokers are by far the biggest culprits when it comes to selling personal data. They work by aggregating, re-identifying, and enhancing seemingly de-identified personal data before selling it on.
The data is often collected through supposedly innocent applications that are actually capable of feeding back location information. Data is sold for a profit without the owner's express permission. In the case of SafeGraph, the data was sold on to government entities, publications like The New York Times, and anyone willing to pay for it.
Technologies used to capture personal data
The technology deployed in the SafeGraph case was the company's software development kit (SDK), which software developers embedded in various Android applications. The SDK was used to capture users’ location data. Developers involved were given seven days to remove the SafeGraph SDK from their applications or face the prospect of being thrown off the Play Store.
But why are these free SDKs being used if they potentially pose such a risk to the security of personal location data? App developers often don’t build apps for Android and iOS from scratch. It’s often not fast enough, cost-effective, or practical. Also, they may not possess the skills necessary to do so. This is where an SDK provided by third parties such as SafeGraph comes into play.
Tools like SDKs speed up the process of constructing apps cost-effectively and getting them to market quickly. Couple a malicious SDK with an API (Application Programming Interface), software that allows two applications to talk to each other, and you have the technology necessary to steal personal data.
The fight against “unauthorized” location data capture and broking
Thankfully, it’s not all bad news in the fight against unscrupulous actors who want to capture, de-anonymize, and sell your location data. There have been some notable successes, with Google and Apple taking action against some of the worst offenders. Here are a couple of examples.
According to The Wall Street Journal, Apple and Google have banned a major culprit, data broker X-Mode, from collecting users’ location data. X-Mode’s tracking software was exposed as collecting location data from Android and iOS devices without users’ permission.
The two biggest mobile app platforms told developers to remove X-Mode’s tracking software from their applications or face being removed from their respective app stores (which account for most mobile devices worldwide).
The action by Apple and Google comes hot on the heels of revelations about X-Mode's national security contracts, and an investigation by Congress into how government agencies purchase location data from private companies in the US.
Predico is a French company that pays app developers for details of their users’ location data, which it then sells on to its own customers.
This data broker has been linked to a complex data broking trail implicating Venntel, a U.S. government contractor, that sells data to law enforcement agencies such as Immigration and Customs Enforcement (ICE), and Customs and Border Protection (CBP).
Predico was caught selling user data harvested via the Muslim prayer app Salaat First, which was downloaded more than 10 million times. App developers were given a seven-day warning by Google to remove code supplied by Predico from their apps or face the prospect of being removed from the app store.
Unauthorized use of location data continues at the highest level
Despite a few successful takedowns of malicious Android and iOS apps, it seems the exploitation of user location data continues to present an enormous challenge. An article from Protocol that examines the extent to which government departments are complicit in buying location data clearly illustrates the scale of the problem.
It describes how U.S. law enforcement agencies signed millions of dollars' worth of contracts with Virginia-based Babel Street to use its tool “Locate X”. Locate X uses data from mobile apps to pinpoint the location of mobile devices.
Federal law enforcement can use Locate X to track movements via your cell phone and can see where you’ve travelled going back months (according to Protocol and sources familiar with its functionality). The software tracks the location of devices anonymously using the data that popular apps collect via mapping features and targeted ads.
However, it appears that federal law enforcement, using Locate X, now has the ability to track phones through apps, without warrants.
Relax, your data is 100% safe with Pointr
The Pointr Deep Location® Platform has security by design built-in, and that means that you can rest assured you’re in complete control of your data at all times.
Our platform was built from the ground up on enterprise-grade systems such as Microsoft Azure and does not use third-party SDKs. We comply fully with all modern security standards.
Unlike applications capable of collecting personal data without the user’s consent, the Pointr Deep Location® Platform works in a totally different way. We don’t capture device IDs. We actually assign our own unique IDs that are totally unrelated to our users’ devices. This means we never capture any data from our users that can be re-identified and enhanced.
Moreover, we don’t store customer data on our own servers, which ensures your data is anonymous by default: venues where our platform is deployed own their own data. We equip people and businesses with transparent consent and preference management tools to help them stay in better control of their location data.
We employ strong encryption, and no customer data is accessible from the internet. All access to our platform, both internally and externally, is logged to prevent malicious interactions and any unexpected events are immediately reported.
In addition to all of the above we:
Continuously improve our information security management system
Constantly carry out risk analysis to bring risks above acceptable levels under control
Sustain awareness of information security among our team members
Prioritize business continuity above all else
Commit to and exceed our promised SLAs
Fully comply with all laws and regulations regarding information security
Pointr’s information security is ISO 27001 and ISO 27017 certified and approved by Cisco, Microsoft, Siemens, Extreme Networks, CBRE, ISS, DHS, and many others.
We’re proud to say we’re trusted by our users worldwide and work with major customers in healthcare, smart workplace, retail, and aviation across North America, Europe, and Asia, including UCHealth, international corporations (CBRE), the U.S. Department of Homeland Security, U.S. airports (Washington Reagan and National), two major U.S. airlines, and one of the major U.S. department store retailers across 1,000 locations with millions of mobile application users.
If you're interested in finding out more about Pointr's Deep Location® Platform and indoor positioning system, please contact our team.
Author: Les Blythe