Many iOS apps sell your location data to data brokers, despite Apple’s privacy policies and clampdowns, says a new report today.

It says that while both Apple and Google have cracked down on one sneaky approach used by companies that buy and sell user data, a simple workaround is in widespread use …

Background

It used to be commonplace for a data broker to create SDKs (software development kits) that would be useful to app developers as a quick and easy way to add commonly needed features. The catch was that these SDKs also collected user data – including location data – which brokers could then sell.

Apple last year cracked down on these SDKs, and also began requiring developers to include privacy labels that disclose what data their apps collect and how it is used.

One crucial weakness in Apple’s protections was highlighted last month, when it was revealed that Apple relies on developers being honest about the labels – and many of them aren’t.

Apps sell your location data using workaround

A report in The Markup found that many apps continue to sell location data to brokers simply by doing so directly rather than via an SDK – and relying on an innocuous-sounding phrase in their privacy policies.

Now, data brokers are moving to a new method. If the app developer has an agreement with a location data broker, they can supply user data directly through “server-to-server” transfers.

This method appears to happen outside of the view of app stores and is becoming more common in the industry […]

Apple’s policy requires apps to disclose what data they are collecting from people and how it can be used and to get consent from users before sharing their data. However, it doesn’t require apps to disclose exactly who they are selling data to, and many apps simply state that they “share data with partners.”

There’s plenty of incentive for popular apps to do this.

In an email sent to an app developer and reviewed by The Markup, Veraset, a location data broker that is a subset of the company SafeGraph, pitched that the developer could “send data to Veraset server-to-server (no need to install or maintain an SDK).” The pitch also noted that apps can make from $12,000 to $1 million a year for sending their users’ location data to the company. 

The piece argues that Apple and Google have no realistic way to audit this practice, and that only privacy laws can prevent it from happening.

Photo: José Martín Ramírez Carrasco/Unsplash


About the Author

Ben Lovejoy
