Update #2: AccuWeather has released a joint statement with Reveal Mobile. From the statement:

Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user.

Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.

Update: Reveal Mobile has issued the following statement to 9to5Mac in response to Strafach’s audit:

We don’t attempt to reverse engineer a device’s location if someone opts out of location services, regardless of the data signal it comes from. In looking at our current SDK’s behavior, we see how that can be misconstrued. In response to that, we’re releasing a new version of our SDK today which will no longer send any data points which could be used to infer location when someone opts out of location sharing.

AccuWeather on iOS may be violating Apple’s developer agreement as well as user trust, a new security audit reveals. Will Strafach, a security researcher, discovered that the iOS weather app is potentially sending identifiable user and device information to a third-party company even when the user has denied location sharing.

Over the years, user data collection has become an expected part of the experience with free mobile applications. By collecting user data and selling it, companies are able to keep themselves funded and offer free applications. The issue then comes down to applications that don’t properly disclose what data is being collected and how.

In Strafach’s research, he discovered that AccuWeather is collecting data through a third-party company’s SDK. This SDK, provided by Reveal Mobile, is marketed as a way to “help app publishers and media companies extract the maximum value from their location data.” If a user were to download AccuWeather and allow it to use their location data, they would unknowingly also share the following with Reveal Mobile:

  • Their device’s precise GPS coordinates
  • The name of the Wi-Fi network they are connected to
  • Whether or not their Bluetooth is enabled

Of course, much of this data collection is covered by AccuWeather’s Privacy Statement.

You may be asked to provide personally identifiable information such as your name, address, and/or email address (collectively ‘Personally Identifiable Information’ or ‘PII’)…

You may be asked for information which is not considered PII, such as a zip/postal code and/or country of origin.

The policy technically covers the situation in which a user downloads the application and accepts sharing location data. Such a user should then expect that they may be sharing personally identifiable information.

The discrepancy in the situation that Strafach discovered is that if a user were to deny the iOS location sharing request, Reveal Mobile will still receive potentially identifiable information. Specifically, they would know the user’s Wi-Fi network SSID and could then track geolocation using Bluetooth beacons.

If a user denies sharing their location data with iOS’ location sharing request prompt, then the expectation is that no location data is being shared at all. As of AccuWeather’s latest 10.5.2 version, a user could deny sharing their location and yet still be sharing unknowingly.

Users who deny geolocation access should be made explicitly aware that their location may still be tracked, as covered under AccuWeather’s Privacy Statement.
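The mismatch described above (location permission denied, yet SSID and Bluetooth state still leaving the device) is the kind of thing a traffic audit like Strafach’s looks for. The following Python is an added example, not code from 9to5Mac, AccuWeather, or Reveal Mobile: it runs a check over a constructed proxy capture of outbound SDK requests, flags any request that carried location or location-inferring fields while the user was not authorized, and shows the app-side mitigation of scrubbing those fields before handing data to any third-party SDK. The host name, field names, and payloads are assumptions made up for the example and are not the real SDK’s schema.

```python
"""Audit constructed SDK payloads for location-inferring fields sent after opt-out.

Added example; host, field names and payloads are constructed for illustration
and do not reflect the actual Reveal Mobile SDK schema.
"""
import json

# Fields that state location directly (assumed names for this example).
LOCATION_KEYS = {"lat", "lon", "gps"}
# Fields that allow location to be inferred without GPS, as the article
# describes for Wi-Fi SSIDs and Bluetooth (assumed names for this example).
INFERENCE_KEYS = {"ssid", "bssid", "bluetooth_enabled", "ble_beacons"}

# Constructed capture: one JSON line per outbound request, as an intercepting
# proxy might emit, with the app's location authorization state at the time.
CAPTURE = [
    '{"ts": 1, "host": "sdk.example.invalid", "location_authorized": true,'
    ' "body": {"lat": 40.71, "lon": -74.0, "ssid": "HomeNet", "bluetooth_enabled": true}}',
    '{"ts": 2, "host": "sdk.example.invalid", "location_authorized": false,'
    ' "body": {"ssid": "CoffeeShop-Guest", "bluetooth_enabled": true, "app_version": "10.5.2"}}',
    '{"ts": 3, "host": "sdk.example.invalid", "location_authorized": false,'
    ' "body": {"app_version": "10.5.2"}}',
]


def parse_capture(lines):
    """Parse JSON-per-line capture records into dicts."""
    return [json.loads(line) for line in lines]


def audit(records):
    """Return findings for requests that sent location-revealing fields while
    the user had not authorized location access."""
    findings = []
    for rec in records:
        if rec["location_authorized"]:
            continue  # user consented; nothing to flag in this check
        keys = set(rec["body"])
        leaked = sorted(keys & (LOCATION_KEYS | INFERENCE_KEYS))
        if leaked:
            findings.append({
                "ts": rec["ts"],
                "host": rec["host"],
                "leaked": leaked,
                # "direct" if coordinates left the device, "inferable" if only
                # SSID/Bluetooth-type fields did
                "kind": "direct" if keys & LOCATION_KEYS else "inferable",
            })
    return findings


def scrub_for_opt_out(body, location_authorized):
    """App-side mitigation: when the user has opted out, drop every field that
    states or allows inference of location before it reaches any SDK."""
    if location_authorized:
        return dict(body)
    blocked = LOCATION_KEYS | INFERENCE_KEYS
    return {k: v for k, v in body.items() if k not in blocked}


if __name__ == "__main__":
    for finding in audit(parse_capture(CAPTURE)):
        print(finding)
    print(scrub_for_opt_out({"ssid": "CoffeeShop-Guest", "app_version": "10.5.2"}, False))
```

Only the second constructed request is flagged: no coordinates were sent, but the SSID and Bluetooth state were, so the finding is classed as `inferable` rather than `direct`. The scrub function is the opposite side of the same rule, enforced in the app before a third-party SDK ever sees the data, which is where an opt-out has to be honoured rather than relying on the SDK vendor to drop the fields later.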

Using this data collection, Reveal Mobile is able to map out user interactions to create what they call “high-value audiences.” The issue here is to what extent this user data is anonymous. As Strafach notes, “This practice by a different company appears to have previously caught the attention of the FTC.”