Location tracking is widespread: More than 40,000 apps collect location data
A recent data leak at Gravy Analytics provided the first clues, but now it's clear: more than 40,000 apps collect location data.
(Image: Bild erstellt mit KI in Bing Image Creator durch heise online / dmk)
Netzpolitik.org, together with BR and other editorial teams, received a data set from a data broker and examined it: a snapshot with 380 million location data from 137 countries, which around 40,000 different apps delivered to the data broker. The data set was intended to serve as an advertisement for a monthly subscription with daily updated data.
Last week, the data leak at US data broker Gravy Analytics revealed that at least 15,000 apps were collecting location data, some of it precise, and sending it to the company's servers. As a result of the breach, which has now been acknowledged, this data can even be considered public.
Huge number of apps affected
The data pool of the research network includes apps for both Android and iOS. These apparently provide advertising IDs, location data and the connection to the respective apps. Until recently, the US data trader in question was known as the Datastream Group, but now operates under the name Datasys.
Videos by heise
The categories of data-providing apps are quite broad: from games, dating and shopping to news and education, explains Netzpolitik in its analysis. “These include some of the most popular apps in the world, some of which have been downloaded millions of times.”
The journalists were able to find “strikingly precise location data” for some of the apps. Wetter Online, for example, the most popular weather app in Germany, stands out. “On just one day in Germany, tens of thousands of Wetter Online users were probably located to within a meter. Precise location data is also available for users of other popular apps such as Focus Online, Kleinanzeigen and FlightRadar24,” explains the research association.
The database also included “Tinder, Grindr and Candy Crush Saga as well as Upday from the Axel Springer Group, web.de and gmx.de. Here, however, users were apparently only located by IP address, i.e. with a fuzziness in the kilometer range.” Netzpolitik goes on to write that “apps can expose vulnerable groups” – This also became clear with the data leak at Gravy Analytics, for example, because numerous pregnancy-related apps provide location data. In the USA, for example, with it's sometimes very restrictive laws against abortion, this can give rise to governmental demands.
While some apps have delivered very precise data to the data broker, enabling the creation of movement profiles, for example, the majority are not quite as accurate: “We estimate that most of the apps in our data set are not assigned precise location data. The affected users of these apps were therefore not located via GPS, but via their public IP address.”
Reactions to the data set
The location data is used by advertisers for more precise targeting. This allows them to display targeted advertising that is more likely to match the interests of the targeted user. According to Netzpolitik, intelligence services also use this data.
The journalists asked the Bavarian State Data Protection Commissioner Michael Will for an assessment. In an interview, he describes the findings as “sobering” and “frightening” and sees them as a “blatant breach of trust”. “This is contrary to everything that the average app user would expect – to be able to track where they have been for months afterward”. The data trader should not have had this data in the first place. “This is beyond the agreed rules of the game,” Will told Netzpolitik, whereby the rules of the game include the GDPR.
The Federal Ministry of Consumer Protection wrote to journalists that the very collection of data with which data traders trade must be prevented, telling Netzpolitik: “We need effective EU-wide protection against personalized advertising in order to prevent app providers from having incentives to collect more data than is necessary to offer an app.” Accordingly, the ministry remains committed to a consistent switch to alternative advertising models.
The research association concludes that the advertising market is beyond any control. It believes the EU has a duty to react: “The ball is in the EU's court”.
(dmk)
