Accuweather is making headlines, but not because thousands of people used it to find out the optimal viewing conditions for the Great American Eclipse recently. Accuweather is in the news because a security test by researcher Will Strafach has exposed a serious privacy breach by the popular weather forecast app: Accuweather has been sharing its users’ geo data with a third-party company even when location sharing is switched off.
During a 36-hour test carried out on an iPhone, Accuweather sent the following information to data monetization firm RevealMobile a total of 16 times:
- Exact GPS coordinates, including the speed and altitude of the device
- The name and ‘BSSID’ of the Wi-Fi router being used
- Bluetooth status – whether it is turned on or off
And even if a user turned the location services off, Accuweather would still have access to the BSSID or the Wi-Fi router name, which in itself is enough for RevealMobile to find out the approximate location of a mobile device.
The US Federal Trade Commission (FTC) has been known to sanction companies that indulge in such deceptive practices to undermine users’ privacy preferences. But Accuweather is trying to make light of this blatant breach of trust by claiming that it was not even aware that Wi-Fi network information was being stored on RevealMobile’s SDK. “AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose,” the company said in a statement.
On the other hand, RevealMobile has explained in a case study how it sources its data: “Our technology sits inside hundreds of apps across the United States. It turns the location data coming out of those apps into meaningful audience data. We listen for lat/long data and when a device ‘bumps’ into a Bluetooth beacon.”
However, when Accuweather’s controversial practices came to the fore, the company specializing in location-based targeted advertising said in a statement, “We do not attempt to reverse engineer a device’s location based upon other data signals like Bluetooth when location services are disabled.”
AccuWeather is promising to remove the RevealMobile SDK from its iOS app until it is fully compliant with appropriate requirements, but that gesture does not seem enough to pacify irate users who have deleted the app following the security advisory.
Deleted! You lost my trust with your underhand data sharing.
— Phil (@PhilWillChil) August 23, 2017
Not at all good enough. WiFi information is *not* user information? Seriously? Are you that dumb or just counting on users being that dumb?
— Michael (@mfthygesen) August 23, 2017
Totally unexeptable behaviour, and no matter what @AccuWeather’s excuse will be, the’ve proven they cannot be trusted. Boycot them.
— Marc Smulders (@sredlums) August 23, 2017
— Ian R. Gordon (@irgordon) August 23, 2017
What will I get in return?
Location privacy has always been a contentious topic for the discerning smartphone users. We share our location details with certain apps because we get substantial value from that tradeoff, like hailing a cab to our exact location or navigating to work armed with real-time traffic information. We have learned to make peace with the ‘always-on’ GPS mode because there are apps that promise to deliver a completely customized experience (like Starbucks) or dole out the information we need without us having to rummage for it.
Nevertheless, it’s one thing when an app like Foursquare requests a user’s location (because that’s what it was built to do), and completely another when a company like Niantic tries to get rich off the geospatial data it has collected from Pokémon GO users. But do we even have a way out when our wireless carriers are also selling our location information to third-party data analytics companies?
No wonder that location-targeted mobile ad spending is expected to cross $29 billion by 2020 riding on millennials’ media consumption habits. Snapchat, in fact, acquired a location analytics firm recently just so it could show its advertisers how online advertising leads to offline store visits.
But would you do it if you knew everybody was watching?
A study by Carnegie Mellon University deduced that if people actually knew how frequently their location information was being shared, they would be more careful about their privacy. For example, one test subject found out that in a span of 2 weeks, their location was shared with Facebook, Groupon, GO Launcher EX and seven other apps a whopping 5,398 times!
Most people have no way of accessing this kind of data about what their apps are doing, but a blatant invasion of privacy is simply not acceptable to them. When Uber updated its app last year to track the location of its riders even after they had completed the trip, users took to social media to show their outrage. The same has now happened with Accuweather.
Location tracking apps are coming under the scanner of more and more regulators also. Runkeeper got into hot water last year when the Norwegian Consumer Council discovered that the running app was tracking the location of its users even when it was not in use, and sending the data to a US-based third-party advertiser.
Understandably, mobile operating systems are also working to address these concerns. The upcoming iOS 11 will give greater location privacy controls to users who feel they are being arm-twisted by apps like Uber, while Android Oreo is going to limit background refresh, including location updates, by apps that are not in use. After all, we cannot just switch off location services and give up on the technology that is giving us some of the coolest, most personalized experiences. All we can do is be a li’l more careful about who we allow to watch our every move.