It used to be commonplace for a data broker to create SDKs (software development kits) that would be useful to app developers as a quick and easy way to add commonly needed features. The catch was that these SDKs also collected user data – including location data – which brokers could then sell.
One crucial weakness in Apple’s protections was highlighted last month, when it was revealed that Apple relies on developers being honest about the labels – and many of them aren’t.
Apps sell your location data using workaround
A report in The Markup found that many apps continue to sell location data to brokers simply by doing so directly rather than via an SDK – and relying on an innocuous-sounding phrase in their privacy policies.
Now, data brokers are moving to a new method. If the app developer has an agreement with a location data broker, they can supply user data directly through “server-to-server” transfers.
This method appears to happen outside of the view of app stores and is becoming more common in the industry […]
Apple’s policy requires apps to disclose what data they are collecting from people and how it can be used and to get consent from users before sharing their data. However, it doesn’t require apps to disclose exactly who they are selling data to, and many apps simply state that they “share data with partners.”
There’s plenty of incentive for popular apps to do this.
In an email sent to an app developer and reviewed by The Markup, Veraset, a location data broker that is a subset of the company SafeGraph, pitched that the developer could “send data to Veraset server-to-server (no need to install or maintain an SDK).” The pitch also noted that apps can make from $12,000 to $1 million a year for sending their users’ location data to the company.
The piece argues that Apple and Google have no realistic way to audit this practice, and that only privacy laws can prevent it from happening.