Users Explicitly Say “NO” But AccuWeather Still Shares Their Location Data
AccuWeather has been caught sending location data to a third-party data firm, even when the user has switched off location sharing. Will Strafach, a security researcher, tweeted over the weekend that he has discovered AccuWeather – one of the most popular weather apps in App Store, boasting millions of downloads – sending location information to an advertising firm named Reveal Mobile. The data monetization firm markets its ability to “convert mobile location signals into high value audiences” and “generate more mobile revenue, with or without ads.”
— Will Strafach (@chronic) August 18, 2017
Over the weekend, Strafach carried out more tests to further verify his initial discovery and has shared that the following data was routinely sent to Reveal Mobile:
- Your precise GPS coordinates, including current speed and altitude.
- The name and “BSSID” of the Wi-Fi router you are currently connected to, which can be used for geolocation through various online services.
- Whether your device has bluetooth turned on or off.
“During a testing period of 36 hours, specifically while the AccuWeather application was not in the foreground, my test iPhone (located on a desk in an office building) sent the above information to RevealMobile a total of 16 times, occuring roughly once every few hours,” he wrote today.
When the user has enabled location sharing, the app sends precise GPS coordinates as shared in the above excerpt. However, even without location sharing enabled, AccuWeather will still send your Wi-Fi router name and BSSID, “providing RevealMobile access to less precise location information regarding your device’s whereabouts.”
AccuWeather doesn’t think it’s just plain wrong to share location data without user consent
Reveal Mobile in response to these revelations has said that the company does collect WiFi and other related data but “does not use it” for location data as “everything is anonymized,” and that it follows all App Store guidelines.
“We follow all app store guidelines, honoring all device level and app level opt-outs and permissions. If someone chooses to disable location permissions to an app using our technology, we collect no location information from that device. We do not attempt to reverse engineer a device’s location based upon other data signals like Bluetooth when location services are disabled. […]
The data we collect is always anonymized and grouped into audience segments, like coffee drinkers or frequent shoppers. We offer no product or service that permits anyone to see an individual device’s location data.”
“In the future, AccuWeather plans to use data through Reveal Mobile for audience segmentation and analysis, to build a greater audience understanding and create more contextually relevant and helpful experiences for users and for advertisers,” David Mitchell, AccuWeather’s executive vice president of emerging platforms, said. The company further suggests that Reveal Mobile’s technology “has not been in our application long enough to be usable yet.”
either way, it is interesting to see how they view this as a non-issue, yet the many folks deleting AccuWeather en-masse feel differently.
— Will Strafach (@chronic) August 22, 2017
While the two companies are turning this into a non-issue diverting from the actual consent concerns, it’s clearly annoying a lot of app users. Without explicit user consent, the AccuWeather app is affecting user privacy and will potentially come under the FTC’s radar (and probably Apple’s too). The trouble is that even with location sharing enabled, users will assume that a weather app will be using their location data for accurate weather information, not for selling it to another firm.