An ongoing grand-jury investigation has revealed that many mobile applications could be sending various user information to advertising networks without the users’ knowledge and permission.
The investigation was kickstarted by a report published by the Wall Street Journal in December last year, which presented the worrying result of an analysis of 101 applications for the iPhone and Android-powered mobile phones:
- 56 transmitted the devices’ unique identifiers
- 47 relayed the phone’s location in one way or another
- 5 sent out the users’ age, gender and other personal details
According to the WSJ, Pandora Media – the owner of the popular online music service – has admitted to having been served a subpoena related to the investigation.
During the Journal’s own testing, it was discovered that both the iPhone and Android versions of Pandora’s app send out all of the information mentioned in the list above: age, gender, location and the device’s unique identifier.
The company claims that they have been told that the subpoena has been issued “on an industry-wide basis to the publishers of numerous other smartphone applications” and that Pandora wasn’t “a specific target of the investigation.”
The Journal contacted a few of the other creators and/or owners of popular apps and asked them if they had received the same subpoena. Some confirmed, others denied, others still declined to comment.
Threatpost reports that the research by security firm Veracode confirmed that Pandora’s app was guilty of sending said information, and the researchers have found libraries for five different ad networks embedded in the application.
“The data included both the owner’s GPS location and tidbits the owners gender, birthday and postal code information,” says Threatpost. “There was evidence that the app attempted to provide continuous location monitoring – which would tell advertisers not just where the user accessed the application from, but also allow them to track that user’s movement over time.”
Veracode analyst Tyler Shields says that it is not clear if Pandora knew about the data being transmitted. But even if it did, it is likely that it won’t end up being slapped with charges under the Computer Fraud and Abuse Act.
According to the Journal, companies usually reach non-prosecution or deferred-prosecution agreements with the federal government, and often end up agreeing to paying large fines and promising that they will not repeat the offense.