Trackers on Android unveiled

https://news.novabbs.org/rocksolid/article-flat.php?id=279&group=rocksolid.shared.security#279
Path: retrobbs.novabbs.com!.POSTED.localhost!not-for-mail
From: root@192.168.0.42 (Anonymous)
Newsgroups: rocksolid.shared.security
Subject: Trackers on Android unveiled
Date: Sat, 25 Nov 2017 13:03:43 +0000
Organization: RetroBBS II
Lines: 370
Message-ID: <ovbpnf$u9$1@novabbs.com>
Reply-To: Anonymous <root@192.168.0.42>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 25 Nov 2017 13:03:43 -0000 (UTC)
Injection-Info: novabbs.com; posting-host="localhost:127.0.0.1";
logging-data="969"; mail-complaints-to="usenet@novabbs.com"
User-Agent: FUDforum 3.0.7
X-FUDforum: d41d8cd98f00b204e9800998ecf8427e <51935>

https://theintercept.com/2017/11/24/staggering-variety-of-clandestine-trackers-found-in-popular-android-apps/

Staggering Variety of Clandestine Trackers Found In Popular
Android Apps
Yael Grauer

2017-11-24T11:00:28+00:00

Researchers at Yale Privacy Lab and French nonprofit Exodus
Privacy have documented the proliferation of tracking
software on smartphones, finding that weather, flashlight,
rideshare, and dating apps, among others, are infested with
dozens of different types of trackers collecting vast
amounts of information to better target advertising.

Exodus security researchers identified 44 trackers in more
than 300 apps for Google's Android smartphone operating
system. The apps, collectively, have been downloaded
billions of times. Yale Privacy Lab, within the university's
law school, is working to replicate the Exodus findings and
has already released reports on 25 of the trackers.

Yale Privacy Lab researchers have only been able to analyze
Android apps, but believe many of the trackers also exist on
iOS, since companies often distribute for both platforms. To
find trackers, the Exodus researchers built a custom
auditing platform for Android apps, which searched through
the apps for digital "signatures" distilled from known
trackers. A signature might be a tell-tale set of keywords
or string of bytes found in an app file, or a
mathematically-derived "hash" summary of the file itself.

The findings underscore the pervasiveness of tracking
despite a permissions system on Android that supposedly puts
users in control of their own data. They also highlight how
a large and varied set of firms are working to enable
tracking.

"I think people are used to the idea, whether they should be
or not, that Lyft might be tracking them," said Sean
O'Brien, a visiting fellow at Yale Privacy Lab. "And they're
used to the fact that if Lyft is on Android and coming from
Google Play, that Google might be tracking them. But I don't
think that they think that their data is being resold or at
least redistributed through these other trackers."

Among the Android apps identified by the researchers were,
with six or seven trackers each, dating apps Tinder and
OkCupid, the Weather Channel app, and Superbright LED
Flashlight; the app for digital music service Spotify, which
embedded four trackers, including two from Google;
ridesharing service Uber, with three trackers; and Skype,
Lyft, Accuweather, and Microsoft Outlook.

(A Spotify spokesperson wrote, "We take data security and
privacy very seriously. Our goal is to give both our users
and advertising partners a great experience while
maintaining consumer trust." An Uber spokesperson referred
The Intercept to its published details on its use of
cookies, which lists some of their third-party cookie
providers but is not intended to be comprehensive. Users who
visit the privacy policy section of Uber's website can
follow an opt-out link which appears to only apply to
interest-based advertising on web traffic. The preferences
do not work if a user disables third party cookies, and
users must opt out again after deleting their cookies.)

Some apps have their own analytics platforms but include
other trackers as well. For example, Tinder uses a total of
five trackers in addition to its own.

"The real question for the companies is, what is their
motivation for having multiple trackers?" asked O'Brien.

"Data is the oil in the machinery here, and I think
they're just trying to find different ways to extract it."

Tinder's heavy use of trackers means the company has been
able to make use of behavior analytics, and also to accept
payment from shaving supply company Gillette for highly
targeted research: Do college-aged male Tinder users with
neatly-groomed facial hair receive more right swipes than
those with untidy facial hair?

Capabilities of the trackers uncovered by Exodus include
targeting users based on third-party data, identifying
offline movement through machine learning, tracking behavior
across devices, uniquely identifying and correlating users,
and targeting users who abandon shopping carts. Most
trackers work by deriving an identification code from your
mobile device or web browser and sharing it with third
parties to more specifically profile you. App makers can
even tie data collected from trackers with their own
profiles of individuals, including names and account
details. Some tracking companies say they anonymize data,
and have strict rules against sharing publicly identifiable
information, but the sheer wealth of data collected can make
it possible to identify users even in the face of such
safeguards.

Although some or all of the apps identified by Exodus and
Yale researchers may technically disclose the use of
trackers in the fine print of their privacy policy, terms of
service, or app description, it is difficult, to say the
least, for smartphone users to get a clear handle on the
extent and nature of the monitoring directed at them. The
whole point of using a mobile app, after all, is often to
save time.

"How many people actually know that these trackers are even
there?" said Michael Kwet, another visiting fellow at Yale
Privacy Lab. "Exodus had to create this software to even
detect that they were in there."

A few of the trackers offer users the option to opt out via
email or through their privacy settings. But tracking can
resume even after this step is taken. For example, one app
requires that users who clear their cache set up the opt-out
again. Some opt-outs are temporary. Even if the opt-outs do
end up being permanent, few users would even know to
activate them in the first place.

[Photo: David Singleton, director at Android Wear, speaks during
the Google I/O 2015 keynote presentation in San Francisco. With
the upcoming M version of Android, you give permission as apps
need it. Jeff Chiu/AP]

Meet the Trackers

Google has a vested interest in allowing liberal use of
trackers in apps distributed through Google Play: One of the
most ubiquitous in-app trackers is made by Google's
DoubleClick ad platform, which targets users by location and
across devices and channels, segments users based on online
behavior, connects to personally identifiable information,
and offers data sharing and integration with various
advertising systems. DoubleClick's tracker is found in many
popular apps, including Tinder and OkCupid, Lyft and Uber,
Spotify, the Weather Channel and Accuweather, and the
popular flashlight apps Superbright LED flashlight and LED
light.

A Google spokesperson confirmed that its ad platforms
DoubleClick for Publishers and AdMob serve ads on both
Android and iOS devices, and that it ties information
collected by the networks to a persistent identifier to
measure engagement. Although users can control information
Google uses to show them ads, they cannot specifically opt
out of DoubleClick.

DoubleClick prohibits vendors from sharing personally
identifiable information or other unique identifiers, and
states that it only stores general location data like city
and zip code rather than precise location information unless
users enable location history in their Google account. App
developers who use the DoubleClick Ad Exchange are required
to disclose in their privacy policies that the user's
identifier will be shared unless the user opts out of ad
tracking, and to explain how the user can reset their
identifier. Google shares attribution data with advertisers
and third party measurement partners using these
identifiers.

Perhaps the most invasive of the trackers is Fidzup, a
France-based mobile performance marketing platform for brick
and mortar retailers. The company has stated in its
advertising copy that it has developed communication between
a sonic emitter and a mobile phone (either iOS or Android)
by emitting an inaudible tone to locate a user within a
shopping mall or a store. User phones receive the signal and
decode it to give away their location. The company further
uses geofencing to track users to a so-called "catchment
area," such as a specific section within a store, where it
can serve them targeted ads, possibly for a competing
retailer.

Mathieu Vaas, a spokesperson for Fidzup, said that the
company has not used inaudible tones in two years, but is
instead using wifi-based technology to obtain data regarding
how customers behave within stores and to retarget them with
ads. But information on sonic technologies is posted on
Fidzup's website (as of November 21st) and detailed further
in an older version of the site accessed on October 15. Vaas
stated that these pages are outdated and inaccessible from
the main page, and will be scrubbed from a new website
that's currently being prepared.

Vaas also confirmed that, even just using wifi technology,
Fidzup can track highly specific in-store behavior such as
aisles visited, the time spent in them, the number of visits
to a store, and so forth. Fidzup can also leverage other
apps to obtain geolocation data, but the only third parties
receiving that data are retailers that have installed the
company's wifi technology within their store, he added, and
the data is only related to behavior within the store.
Vaas later said that Fidzup does not share information with
third parties.

"In every store where we are present, we inform the public
of the presence of data-gathering technology in the store
and indicate to them that they can turn their wifi off, as
well as provide them with a link that allows them to
permanently opt-out of Fidzup. In that case, their data will
be recognized and scrapped automatically and they won't be
retargeted with ads from Fidzup ever," he said via email.

Though based in France, Fidzup has a presence in San
Francisco, and Vaas said that the company plans to start
effectively operating in the U.S. soon. Since Fidzup is a
French company, Vaas said they are subject to stricter
privacy laws and regulations than the U.S. has, and as they
"deeply respect consumers' rights to privacy and their civil
liberties," they plan to operate under those standards in
the U.S. as well.

O'Brien and Kwet seemed less impressed with the company's
privacy commitment, writing, "Fidzup's practices mirror that
of Teemo (formerly known as Databerries), the tracking
company that was embroiled in scandal earlier this year for
studying the geolocation of 10 million French citizens."
Teemo collected navigation data from mobile users and used
it to drive in-store sales by targeting users based on
locations they had visited. Its website states that it may
collect location data using GPS, cell towers, wifi access
points, wireless networks, and sensors such as gyroscopes,
accelerometers, compasses, and barometers. In addition to
collecting IP addresses and identifiers assigned to mobile
devices, it also may obtain information from third parties
to combine with what it has and share its information with
third parties (with some stipulations) as well. As with
Fidzup, it is not immediately clear to what extent Teemo is
operating in the U.S. Although Teemo is a French company
based in Paris, it has an office in New York. Teemo did not
respond to request for comment.

Surveillance Mission Creep

Not all trackers are equally invasive, though many grab more
information than they arguably should. For example,
Google-owned Crashlytics is presumably just a crash
reporter, but it does much more than simply performing
analytics on app logs. The app, used by Tinder, OkCupid,
Spotify, Uber, Superbright LED and LED Light, can also link
users across multiple cookies and devices. Microsoft's
HockeyApp, used by Microsoft Outlook, Skype, and the Weather
Channel, goes beyond simply collecting and analyzing crash
reports but can also track daily active users, monthly
active users, the net number of new users, and session
counts. AppsFlyer (used by Tinder, Superbright LED, and the
Weather Channel) does fraud prevention and protects from
malware, but also fingerprints devices by their IDs, tracks
users across datasets to circumvent the fragmentation caused
by users with different devices, and tracks which users
install which apps. A spokesperson for AppsFlyer directed
The Intercept to the company's privacy policy, and stated
that the tracker only works with businesses and advertisers,
and does not engage with end users. Its terms and conditions
also require clients to disclose the collection and use of
data in their own privacy policies.

In addition to DoubleClick, Teemo, and Fidzup, Braze
(formerly App-Boy) and Salesforce DMP (formerly Krux) appear
to collect large amounts of user data. Braze, used by
OkCupid and Lyft, can track users by location, target them
across devices and channels, and serve targeted advertising
based on consumer actions. Salesforce DMP, used by OkCupid,
not only captures user clicks, downloads, and other
interactions, but also uses hashed device management to
effectively circumvent Safari's third-party blocking. The
tracker allows marketers to use machine learning to discover
personas, uses cross-device ID, and even uses behavioral
analysis to guess when a user is sleeping, and a
probabilistic matching algorithm to match identities across
devices. There is an opt-out on the Salesforce website,
though it's unclear what percentage of OkCupid users are
aware that the dating site is wrapped around the Salesforce
DMP tracker and would even know to opt out. (OkCupid did not
respond to request for comment.)

Weather apps are ubiquitous, and one wouldn't guess that
they'd include surveillance. But both Accuweather and the
Weather Channel apps (along with Spotify) use the
ScoreCardResearch tracker, which can also track data on
usage, including information on web browsing and app usage
behavior over time and across digital properties, possible
relationships between browsers and devices--which can be
provided to third parties for advertising purposes. The
tracker can even use third-party service providers to obtain
more non-personally identifiable information to add to
unique profiles using cookies.

The tracker Millennial Media (formerly Nexage) is used by
Accuweather and Super Bright LED to "automate the buying and
selling of mobile advertising" targeting channel and
demographic segments, such as a shampoo company targeting
"women ages 25-55 with an emphasis on...pregnancy, stress,
and bleach/coloring."

Microsoft Outlook, the Weather Channel, Superbright LED, and
LED Light use Flurry, a mobile ad platform acquired from
Yahoo! by Verizon subsidiary Oath. Flurry tracks device and
app performance metrics and analyzes user interactions,
identifies user interests, stores data profiles as personas,
groups and correlates user data, and injects both native and
video ads. A spokesperson for Oath said that Flurry's terms
of service require app developers to post a privacy policy
notifying what data is collected, stored, and shared and
either linking to Flurry's privacy policy or describing
their opt-out service. In addition, the spokesperson said
only information that's not personally identifiable leaves
Flurry's system.

Another tracker, Tune, follows Rideshare users' online and
offline behavior across devices and also tracks in-app user
behavior, uniquely identifies users, and tracks their
location.

The AppNexus tracker, used by, among other apps, Superbright
LED, uses machine learning for targeted advertising. In a
phone call, AppNexus spokesperson Joshua Zeitz confirmed
that the tracker collects mobile advertising identifiers,
type of phone, IP addresses, and a unique app identifier.
The company does store mobile advertising identifiers as
well as cookies from web users, but Zeitz said data on what
ads have been served to what identifiers is only retained
for up to 33 days, and that the tracker does not collect
names, numbers, or account numbers, that it only keeps
device and browser identifiers and cookies, and that it
cannot de-anonymize users from its data set. AppNexus stated
that it does not share device and browser identifiers tied
with third parties.

O'Brien said app developers can choose the types of
advertising they embrace, but that it's unlikely users are
thinking about those decisions when installing apps. He also
doesn't see permissions as a solution. "If you're in a
situation where you're asking the victim of the tracking how
much tracking they want, you've already gone too far. It's
already a problem," he said.

Without an overhaul of the advertising-rich phone system,
O'Brien said the best solution may be to use the software
repository F-Droid, which distributes only free and open
source software that does not include unknown or masked
trackers or code.
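The detection approach the article attributes to Exodus earlier on this page (searching app files for keyword or byte-string "signatures" of known trackers, or for hashes of known files) can be sketched in a few dozen lines. What follows is an added example, not code from the article, from Exodus Privacy or from Yale Privacy Lab: it opens an APK (which is a zip archive), matches Dalvik class-reference patterns against each `classes.dex` entry, and compares the SHA-256 of every entry against a hash list. The tracker names, the package prefixes, the hash list and the in-memory APK it scans are all constructed assumptions for illustration.

```python
"""Minimal tracker-signature scanner for APKs (illustrative, not Exodus' code)."""
import hashlib
import io
import re
import zipfile

# Hypothetical code-signature database: tracker name -> regex over raw bytes.
# Dalvik stores class references in classes.dex as "Lcom/vendor/pkg/Cls;",
# so a package prefix in that form is a usable byte-string signature.
# The prefixes are assumptions for illustration, not a real signature list.
CODE_SIGNATURES = {
    "Google Ads (assumed prefix)": re.compile(rb"Lcom/google/android/gms/ads/[A-Za-z0-9_/$]+;"),
    "Crashlytics (assumed prefix)": re.compile(rb"Lcom/crashlytics/android/[A-Za-z0-9_/$]+;"),
    "AppsFlyer (assumed prefix)": re.compile(rb"Lcom/appsflyer/[A-Za-z0-9_/$]+;"),
}

# Hypothetical hash-signature database: SHA-256 of a file an SDK ships verbatim.
TRACKER_ASSET = b"constructed tracker SDK asset v1\n"  # constructed sample file
HASH_SIGNATURES = {
    hashlib.sha256(TRACKER_ASSET).hexdigest(): "Hypothetical SDK asset",
}


def scan_apk(apk_bytes):
    """Scan every entry of an APK for code and hash signatures.

    Returns {"code": {tracker: [entry, ...]}, "hash": {entry: tracker}}.
    Raises ValueError if the input is not a zip archive at all.
    """
    if not zipfile.is_zipfile(io.BytesIO(apk_bytes)):
        raise ValueError("input is not a zip/APK")
    code_hits, hash_hits = {}, {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            # Hash signature: exact file match, independent of file name.
            digest = hashlib.sha256(data).hexdigest()
            if digest in HASH_SIGNATURES:
                hash_hits[info.filename] = HASH_SIGNATURES[digest]
            # Code signature: only DEX files carry Dalvik class references.
            # Matching the same patterns in native libraries or assets would
            # just manufacture false positives from stray strings.
            if info.filename.endswith(".dex"):
                for name, pattern in CODE_SIGNATURES.items():
                    if pattern.search(data):
                        code_hits.setdefault(name, set()).add(info.filename)
    return {"code": {k: sorted(v) for k, v in code_hits.items()}, "hash": hash_hits}


def build_sample_apk(tracker_classes):
    """Construct an in-memory APK-like zip with a fake classes.dex.

    tracker_classes: list of Dalvik class references to embed, e.g.
    ["Lcom/appsflyer/AppsFlyerLib;"]. Everything here is constructed data.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        dex = b"dex\n035\x00" + b"\x00" * 32          # fake DEX header
        for cls in tracker_classes:
            dex += cls.encode() + b"\x00"            # fake string-table entries
        dex += b"Lcom/example/app/MainActivity;\x00"
        zf.writestr("classes.dex", dex)
        zf.writestr("assets/sdk_config.bin", TRACKER_ASSET)
        # A native library that mentions a tracker package name: deliberately
        # present so the scanner's "DEX only" rule has something to ignore.
        zf.writestr("lib/arm64-v8a/libnotes.so", b"Lcom/appsflyer/Foo;")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk(["Lcom/google/android/gms/ads/AdView;",
                               "Lcom/crashlytics/android/Crashlytics;"])
    for kind, hits in scan_apk(sample).items():
        print(kind, hits)
```

Two caveats a practitioner would add: real tooling parses the DEX string table instead of running regexes over raw bytes, and class-name signatures miss SDKs whose packages were renamed by ProGuard/R8 (which happens when no keep rules preserve them), while hash signatures break on any recompile of the SDK, so neither method alone proves an app is tracker-free.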
