Researchers at Yale Privacy Lab and French nonprofit Exodus Privacy have documented the proliferation of tracking software on smartphones, finding that weather, flashlight, rideshare, and dating apps, among others, are infested with dozens of different types of trackers collecting vast amounts of information to better target advertising.
Exodus security researchers identified 44 trackers in more than 300 apps for Google’s Android smartphone operating system. The apps, collectively, have been downloaded billions of times. Yale Privacy Lab, within the university’s law school, is working to replicate the Exodus findings and has already released reports on 25 of the trackers.
Yale Privacy Lab researchers have only been able to analyze Android apps, but believe many of the trackers also exist on iOS, since companies often distribute for both platforms. To find trackers, the Exodus researchers built a custom auditing platform for Android apps, which searched through the apps for digital “signatures” distilled from known trackers. A signature might be a tell-tale set of keywords or string of bytes found in an app file, or a mathematically-derived “hash” summary of the file itself.
The findings underscore the pervasiveness of tracking despite a permissions system on Android that supposedly puts users in control of their own data. They also highlight how a large and varied set of firms are working to enable tracking.
“I think people are used to the idea, whether they should be or not, that Lyft might be tracking them,” said Sean O’Brien, a visiting fellow at Yale Privacy Lab. “And they’re used to the fact that if Lyft is on Android and coming from Google Play, that Google might be tracking them. But I don’t think that they think that their data is being resold or at least redistributed through these other trackers.”
Among the Android apps identified by the researchers were, with six or seven trackers each, dating apps Tinder and OkCupid, the Weather Channel app, and Superbright LED Flashlight; the app for digital music service Spotify, which embedded four trackers, including two from Google; ridesharing service Uber, with three trackers; and Skype, Lyft, Accuweather, and Microsoft Outlook.
(A Spotify spokesperson wrote,
Some apps have their own analytics platforms but include other trackers as well. For example, Tinder uses a total of five trackers in addition to its own.
“The real question for the companies is, what is their motivation for having multiple trackers?” asked O’Brien.
“Data is the oil in the machinery here, and I think they’re just trying to find different ways to extract it.”
Tinder’s heavy use of trackers means the company has been able to make use of behavior analytics, and also to accept payment from shaving supply company Gillette for highly targeted research: Do college-aged male Tinder users with neatly-groomed facial hair receive more right swipes than those with untidy facial hair?
Capabilities of the trackers uncovered by Exodus include targeting users based on third-party data, identifying offline movement through machine learning, tracking behavior across devices, uniquely identifying and correlating users, and targeting users who abandon shopping carts. Most trackers work by deriving an identification code from your mobile device or web browser and sharing it with third parties to more specifically profile you. App makers can even tie data collected from trackers with their own profiles of individuals, including names and account details. Some tracking companies say they anonymize data, and have strict rules against sharing publicly identifiable information, but the sheer wealth of data collected can make it possible to identify users even in the face of such safeguards.
“How many people actually know that these trackers are even there?” said Michael Kwet, another visiting fellow at Yale Privacy Lab. “Exodus had to create this software to even detect that they were in there.”
A few of the trackers offer users the option to opt out via email or through their privacy settings. But tracking can resume even after this step is taken. For example, one app requires that users who clear their cache set up the opt-out again. Some opt-outs are temporary. Even if the opt-outs do end up being permanent, few users would even know to activate them in the first place.
Google has a vested interest in allowing liberal use of trackers in apps distributed through Google Play: One of the most ubiquitous in-app trackers is made by Google’s DoubleClick ad platform, which targets users by location and across devices and channels, segments users based on online behavior, connects to personally identifiable information, and offers data sharing and integration with various advertising systems. DoubleClick’s tracker is found in many popular apps, including Tinder and OkCupid, Lyft and Uber, Spotify, the Weather Channel and Accuweather, and the popular flashlight apps Superbright LED flashlight and LED light.
A Google spokesperson confirmed that its ad platforms DoubleClick for Publishers and AdMob serve ads on both Android and iOS devices, and that it ties information collected by the networks to a persistent identifier to measure engagement. Although users can control information Google uses to show them ads, they cannot specifically opt out of DoubleClick.
DoubleClick prohibits vendors from sharing personally identifiable information or other unique identifiers, and states that it only stores general location data like city and zip code rather than precise location information unless users enable location history in their Google account. App developers who use the DoubleClick Ad Exchange are required to disclose in their privacy policies that the user’s identifier will be shared unless the user opts out of ad tracking, and to explain how the user can reset their identifier. Google shares attribution data with advertisers and third party measurement partners using these identifiers.
Perhaps the most invasive of the trackers is Fidzup, a France-based mobile performance marketing platform for brick and mortar retailers. The company has stated in its advertising copy that it has developed communication between a sonic emitter and a mobile phone (either iOS or Android) by emitting an inaudible tone to locate a user within a shopping mall or a store. User phones receive the signal and decode it to give away their location. The company further uses geofencing to track users to a so-called “catchment area,” such as a specific section within a store, where it can serve them targeted ads, possibly for a competing retailer.
Mathieu Vaas, a spokesperson for Fidzup, said that the company has not used inaudible tones in two years, but is instead using wifi-based technology to obtain data regarding how customers behave within stores and to retarget them with ads. But information on sonic technologies is posted on Fidzup’s website (as of November 21st) and detailed further in an older version of the site accessed on October 15. Vaas stated that these pages are outdated and inaccessible from the main page, and will be scrubbed from a new website that’s currently being prepared.
Vaas also confirmed that, even just using wifi technology, Fidzup can track highly specific in-store behavior such as aisles visited, the time spent in them, the number of visits to a store, and so forth. Fidzup can also leverage other apps to obtain geolocation data, but the only third parties receiving that data are retailers that have installed the company’s wifi technology within their store, he added, and the data it is only related to behavior within the store. Vaas later said that Fidzup does not share information with third parties.
“In every store where we are present, we inform the public of the presence of data-gathering technology in the store and indicate to them that they can turn their wifi off, as well as provide them with a link that allows them to permanently opt-out of Fidzup. In that case, their data will be recognized and scrapped automatically and they won’t be retargeted with ads from Fidzup ever,” he said via email.
Though based in France, Fidzup has a presence in San Francisco, and Vaas said that the company plans to start effectively operating in the U.S. soon. Since Fidzup is a French company, Vaas said they are subject to stricter privacy laws and regulations than the U.S. has, and as they “deeply respect consumers’ rights to privacy and their civil liberties,” they plan to operate under those standards in the U.S. as well.
O’Brien and Kwet seemed less impressed with the company’s privacy commitment, writing,
“Fidzup’s practices mirror that of Teemo (formerly known as Databerries), the tracking company that was embroiled in scandal earlier this year for studying the geolocation of 10 million French citizens.”Teemo collected navigation data from mobile users and used it to drive in-store sales by targeting users based on locations they had visited. Its website states that it may collect location data using GPS, cell towers, wifi access points, wireless networks, and sensors such as gyroscopes, accelerometers, compasses, and barometers. In addition to collecting IP addresses and identifiers assigned to mobile devices, it also may obtain information from third parties to combine with what it has and share its information with third parties (with some stipulations) as well. As with Fidzup, it is not immediately clear to what extent Teemo is operating in the U.S. Although Teemo is a French company based in Paris, it has an office in New York. Teemo did not respond to request for comment.
In addition to DoubleClick, Teemo, and Fidzup, Braze (formerly App-Boy) and Salesforce DMP (formerly Krux) appear to collect large amounts of user data. Braze, used by OkCupid and Lyft, can track users by location, target them across devices and channels, and serve targeted advertising based on consumer actions. Salesforce DMP, used by OkCupid, not only captures user clicks, downloads, and other interactions, but also uses hashed device management to effectively circumvent Safari’s third-party blocking. The tracker allows marketers to use machine learning to discover personas, uses cross-device ID, and even uses behavioral analysis to guess when a user is sleeping, and a probabilistic matching algorithm to match identities across devices. There is an opt-out on the Salesforce website, though it’s unclear what percentage of OkCupid users are aware that the dating site is wrapped around the Salesforce DMP tracker and would even know to opt out. (OkCupid did not respond to request for comment.)
Weather apps are ubiquitous, and one wouldn’t guess that they’d include surveillance. But both Accuweather and the Weather Channel apps (along with Spotify) use the ScoreCardResearch tracker, which can also track data on usage, including information on web browsing and app usage behavior over time and across digital properties, possible relationships between browsers and devices—which can be provided to third parties for advertising purposes. The tracker can even use third-party service providers to obtain more non-personally identifiable information to add to unique profiles using cookies.
The tracker Millennial Media (formerly Nexage) is used by Accuweather and Super Bright LED to “automate the buying and selling of mobile advertising” targeting channel and demographic segments, such as a shampoo company targeting “women ages 25-55 with an emphasis on…pregnancy, stress, and bleach/coloring.”
The AppNEXUS tracker, used by, among other apps, Superbright LED, uses machine learning for targeted advertising. In a phone call, AppNexus spokesperson Joshua Zeitz confirmed that the tracker collects mobile advertising identifiers, type of phone, IP addresses, and a unique app identifier. The company does store mobile advertising identifiers as well as cookies from web users, but Zeitz said data on what ads have been served to what identifiers is only retained for up to 33 days, and that the tracker does not collect names, numbers, or account numbers, that it only keeps device and browser identifiers and cookies, and that it cannot de-anonymize users from its data set. AppNexus stated that it does not share device and browser identifiers tied with third parties.
O’Brien said app developers can choose the types of advertising they embrace, but that it’s unlikely users are thinking about those decisions when installing apps. He also doesn’t see permissions as a solution. “If you’re in a situation where you’re asking the victim of the tracking how much tracking they want, you’ve already gone too far. It’s already a problem,” he said.
Without an overhaul of the advertising-rich phone system, O’Brien said the best solution may be to use the software repository F-Droid, which distributes only free and open source software that does not include unknown or masked trackers or code.