Many iOS apps sell user location data to data brokers despite the fact that this is prohibited by Apple’s policies.
According to a new report by the American non-profit organization The Markup, Apple and Google have blocked one loophole used by companies that sell and buy user data, but those companies now use another, very simple method.
The earlier loophole worked as follows: data brokers created SDKs that typically let developers quickly and easily add needed functions. These SDKs also collected user data, including location, which the brokers could then sell.
Last year, Apple blocked these SDKs and obliged developers to specify what data their applications collect and how they use it.
However, last month a gap was discovered in the protection mechanisms implemented by Apple. As it turned out, by obliging developers to report the collected data, the company simply relied on their honesty.
According to The Markup report, many applications continue to sell location data to brokers, and they do it not through an SDK, as before, but directly, adding one innocent phrase to their privacy policies.
To be more precise, data brokers have now begun to use the following method: if the application developer has entered into an agreement with a geolocation data broker, the developer can supply user information directly from server to server. All of this, of course, happens out of sight of the app store.
Apple’s policies require apps to disclose what data they collect and how they use it, as well as to inform users that their data may be shared with third parties. However, it is not necessary to tell who this data is being sold to, so the privacy policies of many applications simply indicate that they “transfer data to partners.”
The Markup specialists were able to review an email sent by the data broker Veraset (a subsidiary of SafeGraph) to one of the developers. It states that a developer can “send Veraset data from server to server (without having to install or maintain the SDK).” In addition, it is reported that the developer can receive from $12 thousand to $1 million per year for transmitting user location data to the company.
Apple and Google have no realistic way to control this practice, and only anti-piracy legislation will help to end it, experts at The Markup believe.