Recent findings reveal that some popular apps are being exploited by certain advertisers to collect sensitive location data on a large scale. This data often ends up with a company called Gravy Analytics, which has sold global location data to US law enforcement.
Thousands of apps, including games like Candy Crush and dating apps like Tinder, are involved. This data collection happens through the advertising system, not the app’s own code, so users and developers might not know it’s happening.
A senior threat analyst at cybersecurity firm Silent Push explains that this is the first public proof of a major data broker acquiring data from online advertising bids rather than app code. This provides a glimpse into real-time bidding (RTB), where companies bid to place ads in apps and data brokers harvest mobile phone location data during this process.
The hacked Gravy Analytics data includes tens of millions of mobile phone coordinates from devices in the US, Russia, and Europe. The list of affected apps is long, including Tinder, Grindr, Candy Crush, Temple Run, MyFitnessPal, and more. Some apps, such as Muslim prayer and Christian Bible apps, are particularly concerning due to their sensitive nature.
Gravy Analytics collects mobile phone location data from various sources and sells it to commercial companies and US government agencies through its subsidiary Venntel.
This situation highlights the privacy nightmare posed by RTB. Users’ data is being collected without their knowledge, and app developers may not even know how to stop it. Surveillance firms can obtain RTB data by acquiring ad tech companies and pretending to be advertisers.
The Federal Trade Commission has taken action against similar practices, banning companies like Mobilewalla from collecting consumer data from online advertising auctions for other purposes. However, the scale and complexity of the issue remain significant challenges for privacy and security.
The unauthorized collection of location data affects both Canadians and Canadian businesses in several crucial ways:
1. Privacy Violations: As in the Tim Hortons case, the unauthorized collection and misuse of location data can lead to significant privacy violations. This can occur even when users believe their privacy is protected, which undermines trust in digital and mobile platforms.
2. Regulatory Scrutiny: Canadian businesses can face heavy scrutiny from privacy regulators. Companies found in violation of Canada’s privacy laws, like the Personal Information Protection and Electronic Documents Act (PIPEDA), may have to navigate legal challenges and public backlash.
3. Data Security Risks: Unauthorized data collection poses severe risks to data security. If hackers access this data, as seen with Gravy Analytics, it can lead to extensive data breaches that affect millions of users. This exposure can lead to identity theft, financial fraud, and other criminal activities.
4. Economic Impact: Companies involved in such scandals might face fines, loss of business, and reputational damage. This could result in decreased customer loyalty and reduced revenue.
5. Sensitive Information Misuse: Sensitive information, such as the location data harvested by certain apps, can reveal personal details about users’ lives, such as their residence, workplace, and habits, posing greater risks if mishandled.
Mitigating these risks involves strict data governance, transparent user consent mechanisms, and robust security measures to protect sensitive information. This ensures that businesses maintain user trust and comply with regulatory standards.
Original article courtesy of Wired.com