An investigation of the Pandora mobile app by Veracode has revealed that the popular free music streaming app is sending reams of personal information to advertisers without the user’s knowledge or consent. The Wall Street Journal, which initially investigated several free mobile apps and discovered similar information-broadcasting mechanisms, is also reporting that a federal investigation has been launched into the makers of these apps and that Pandora has been subpoenaed.
Veracode has published their findings, indicating five different libraries of advertisers’ code in the Pandora app from AdMarvel, AdMob, comScore, Google.Ads, and Medialets. Veracode confirmed that the app was, indeed, sending information including gender, unique phone identifiers, IP address, connection status, bearing, altitude, and geographic location, among other information.
Interestingly, Veracode points out that the makers of the Pandora may not have known what exactly that the advertiser code they installed in the app was doing.
The application developers may not even be aware of the privacy violations they are introducing by using third party advertising libraries. They may merely think they are getting $x per ad impression, not that the ad library is leaking significant information about the user.
For Pandora and the other app creators, this could mean prosecution under the Computer Fraud and Abuse Act, a federal law targeted at malicious hackers. For consumers, this is a sobering reminder that not all free apps are truly free, and are often subsidized in ways not immediately apparent. In fact, the WSJ’s investigation makes it clear that this practice is fairly widespread, at least amongst the apps they profiled.
The Journal tested 101 apps and found that 56 transmitted the phone’s unique device identifier to other companies without users’ awareness or consent. Forty-seven apps transmitted the phone’s location in some way. Five sent a user’s age, gender and other personal details to outsiders. At the time they were tested, 45 apps didn’t provide privacy policies on their websites or inside the apps.
On their own, much of this information may seem innocuous, and some users may accept the trade off in order to get useful apps for free. However, we’ve noted in the past that when seemingly disperate information is brought together, it can create frighteningly in-depth profiles of individuals and their habits. Hopefully, advertisers and app developers will be mindful of Pandora’s example in the future, and give consumers control over their own data.
Have a tip we should know? email@example.com