Mobile App Monetisation - Covert trackers in your pocket

Some apps on your phone have code from third parties that covertly tracks and collects data about you. With little to no transparency, your data is put up for sale. It can be used to target you with personalised ads, or even for policing if law enforcement happens to be the buyer.

Key findings
  • Some mobile phone apps are monetising the data they get from your day to day phone usage.
  • This data can be linked to other online activities to form a complete profile of you
  • This type of data collection is not new but remains an essential part of the opaque mobile app economy in which your data often ends up in the hands of companies you have never heard of.
  • This can have unexpected consequences on your life: the police and military forces have been buying data, such as location data, to make decisions.
Case Study

Your phone is the ideal profit tool for data brokers and advertisers: it's always in your pocket and can be used both as a means of collecting information and serving you ads based on that information. But how does this data collection happen through your apps?

Most, if not all, apps on our phones use Software Development Kits (SDKs). SDKs themselves are not trackers, but they are the means through which most tracking through mobile apps occurs. These kits are provided by third parties and offer a range of functionality for example to make app building easier or to include specific features. For example, Apple and Android offer operating system SDKs so that developers can build apps for devices running each respective operating system. Other third parties offer SDKs that allow developers to quickly add certain features to their apps with minimal effort. For instance, if a developer wants to allow users to sign into an app with their Facebook accounts, they can use Facebook’s Login SDK. If their app needs maps or map data, they can use Google’s Map SDK, etc. To put it simply: SDKs are code blocks that you can integrated in an app instead of having to code it all from scratch.

If you take into consideration the fact that the average Android app will use around 15.6 third-party SDKs (even more if your app is a game), you’ll quickly see that no software developer has the time to code every single tool from scratch. An SDK can also be a good way for a company to introduce developers to their product and encourage them to create apps using their platform or OS. For this reason, most SDKs are free to use, meaning a developer can just download it and start programming immediately.

While some companies provide SDKs in order to expand on their product, other companies have different agendas: to provide these kits for free in exchange for the information they can collect from the apps where they're used, or a cut of the ads they can sell through them. This practice is widespread and it makes it extremely difficult to know where your data is ending up. When you give your favourite weather app access to your location for a localised forecast, you may also potentially be authorising that app to sell your data and share it with others.

The data required to serve you any single ad might pass through many companies’ systems in milliseconds—from data broker to ad marketplace to an agency’s custom system. This is part of how online advertising works, where massive marketplaces hold continuing high-speed auctions for ad space 24/7.

The lack of transparency in these data exchange processes leads to personal data resurfacing in unexpected contexts, being used for outcomes that we would strongly argue as not contributing to public good. Let's look at some concrete examples in which people's data was collected, sold and used in ways that us, the people generating that data, wouldn't dream of.

Your location data (ab)used for immigration and border enforcement

In 2020, the Wall Street Journal released a story on how the Trump administration bought access to a commercial database of location data, and subsequently used it for immigration and border enforcement. This data, which maps the movement of millions of cellphones in America, was collected from ordinary cellphone apps, to which users gave access to their location.

The Department of Homeland Security has used the information, which experts say "amounts to one of the largest known troves of bulk data being deployed by law enforcement in the U.S.", to detect undocumented immigrants and others who may be entering the U.S. unlawfully.

Contracting records show the federal government is buying the location data from Venntel, a small company that shares several executives and patents with Gravy Analytics, a major player in the mobile-advertising world. Venntel, in turn, purchased the information from private marketing companies that sell the location data of millions of cellphones to advertisers. Venntel is currently under investigation by the US Congress.

Your location data (ab)used for mass surveillance under the argument of counter-terrorism

Also this year, Vice released a story about how the U.S. military is buying granular movement data from people all over the world, collected from harmless-looking apps. These apps include a Muslim prayer and Quran app which has been downloaded more than 98 million times, a popular Craigslist app, an app for following storms, and a "level" app that can be used to help, for example, put up shelves in a bedroom.

In their investigation, Vice disclosed two separate, parallel data streams that the U.S military uses:

  • One relies on a product called Locate X, developed by Babel Street. Special Operations Command (USSOCOM), a branch of the military tasked with counter-terrorism, counterinsurgency, and special reconnaissance, bought access to Locate X to assist on overseas special forces operations. A former employee of Babel Street confirmed that users of the product can draw a shape on a map, see all devices Babel Street has data on in that location, and then follow a specific device around to see where else it has been.
  • The other stream comes from a company called X-Mode which obtains location data directly from apps, then sells that data to contractors, and who may then sell to the military. X-Mode uses its own SDK, optimised for providing very accurate location without draining much battery.

These examples illustrate how SDKs, small blocks in the mobile app ecosystem which encompasses our lives, can have such an important impact given the level of access to data that they have. Different companies hold different bits of data from us, without our knowledge - Our Secret identities. These identities can be pieced together from many sources to form profiles of us, and will often come from unexpected places.

Cases like this are among many others that highlight the opaqueness of data markets, from collection to sale, and the fact that institutions like law enforcement and military are getting their hands on extremely sensitive personal data in bulk, exempt from scrutiny.

They also raise questions about authorities buying their way to location data that may ordinarily require a warrant to access. The USSOCOM contract is some of the first evidence that bulk location data purchases have extended from law enforcement to military agencies. More recently, the New York Times gained access to an unclassified memo from the Defense Intelligence Agency (D.I.A.) exposes how a military arm of the intelligence community has bought commercially available databases containing location data from smartphone apps and searched it for Americans’ past movements without a warrant. This disclosure sheds light on an unnatended loophole in privacy law. In a landmark ruling known as the Carpenter decision in 2018, the Supreme Court ruled that the Constitution requires the government to obtain warrants in order to ask phone companies to turn over location data. In spite of this ruling, the memo reads:

"D.I.A. does not construe the Carpenter decision to require a judicial warrant endorsing purchase or use of commercially available data for intelligence purposes,”.

 

The receiver of the memo, Senator Ron Wyden, Democrat of Oregon, has critiqued this practice "in which the government, instead of getting an order, just goes out and purchases the private records of Americans from these sleazy and unregulated commercial data brokers who are simply above the law".

Our personnal data must not be up for grabs in such unscrutinised way. In such an enormous and never-resting data ecosystem, even app developers have come out claiming they were not aware of who their users location data ends up with. It is time this data (ab)use stops. We must take a stand and demand control over our personal data. If you feel urged to act on this, we suggest you a look at PI's guides on how to protect yourself from online tracking.