A new report today suggests that despite Apple’s designated privacy policies and crackdown measures against some rogue apps, many iOS apps can still sell your location data to data traffickers.
While both Apple and Google are said to have worked hard to crack down on companies that buy and sell user data, there is now a very simple workaround that is widely used.
Prior to this, data transactions were generally done with the help of common channels such as SDK (software development kit), which is a very useful tool for application developers after all. The problem, though, is that these SDKs also collect user data, including location data, which can then be sold by those interested.
Apple cracked down on those SDKs last year while requiring developers to put on a privacy label that requires them to disclose what data their apps collect and how they use it.
A key weakness in Apple’s protections was dug up last month when it was discovered that Apple’s system has no enforcement and relies only on the honesty of developers, many of whom don’t actually comply. Regulation.
A new report from The Markup found that many apps continue to sell user location data to third parties, and that is a direct transaction, rather than sneaking through the SDK and relying on its privacy policy as before.
Now, data traffickers are turning to a new approach. If app developers reach an agreement with location data traders, they can directly trade user data through a “server-to-server” transfer protocol, which is simpler and more straightforward than the SDK.
This approach appears to be taking place outside the regulation of the major channels and the App Store and is increasingly common in the industry.
Apple’s policy only requires apps to disclose the data they collect from people and how they will use it, and to obtain user consent before sharing their data. While it doesn’t require telling users who they’re selling the data to (to whom), many apps just mention ambiguously “sharing data with partners”.
Veraset is a location data brokerage company owned by SafeGraph. As mentioned in an email to app developers: Developers can send data to Veraset servers (no SDK installation or maintenance required). Additionally, apps can earn between $12,000 and $1 million a year if they send their users’ location data to the company.
The authors of the report argue that Apple and Google have no real-world approach to effective regulation and auditing to avoid this practice and that only government privacy laws can prevent it from happening.