2025 is turning out to be very meta so far.
-
2025 is turning out to be very meta so far. Good scoop by 404 Media.
Gravy Analytics was the supplier of location data for the service at Babel Street that both Joe Cox and I wrote about recently, which makes it simple to track the whereabouts of hundreds of millions of mobile devices just by looking at mobile ad data. They were recently sued by the FTC.
Hackers Claim Massive Breach of Location Data Giant, Threaten to Leak Data
Gravy Analytics has been one of the most important companies in the location data industry for years, collating smartphone location data from around the world and selling some to the U.S. government. Hackers say they stole a mountain of data.
404 Media (www.404media.co)
FTC Takes Action Against Gravy Analytics, Venntel for Unlawfully Selling Location Data Tracking Consumers to Sensitive Sites
The Federal Trade Commission is taking action against Gravy Analytics Inc. and its subsidiary Venntel Inc.
Federal Trade Commission (www.ftc.gov)
-
@briankrebs I'm confused how they end up getting so much location data. Are mobile carriers colluding with adtech industry to link up information (port and IP address used for ads -> subscriber id -> carrier location info), or is it just that Google and Apple have such bad permissions defaults/UX that junkware is able to access location unless you lock it down?
-
BrianKrebs replied to Cassandrich
@dalias It's basically the nature of the mobile ad ecosystem in general. When you visit a website with your mobile, in a microsecond the ability to place a certain ad in front of you is put out as an automated bid request to hundreds of ad networks that can all bid on the ability to show their ad. There is a robust market now of participants to this real-time bidding market that simply collect and resell all the live bidstream data, which can include the phone's unique ID, precise location coordinates, and enriched data from other marketing and advertising firms that provide more details about the user.
If you're really interested in learning more about how it all works, you could do a lot worse than to read my linked story, which explains it in more detail.
-
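Added example for this thread (not code from any participant, from 404 Media or from Gravy Analytics): what a reseller of real-time-bidding "bidstream" data can lift out of each bid request described above, and how the per-device advertising ID lets requests from unrelated apps be stitched into a single movement trail. Field names follow the OpenRTB 2.x object model (device.ifa, device.lmt, device.geo.lat/lon/type/accuracy, device.ip, device.ua, app.bundle). The requests, the IFA values, the IP addresses, the coordinates and the received_at wrapper timestamp are all constructed for illustration.

```python
"""Extract tracking fields from OpenRTB-style bid requests and link them by IFA.

Constructed example; not code from the thread, 404 Media or Gravy Analytics.
"""
from collections import defaultdict

# OpenRTB geo.type: 1 = GPS/location services, 2 = IP address, 3 = user provided
GEO_SOURCE = {1: "gps_or_location_services", 2: "ip_geolocation", 3: "user_provided"}


def make_request(req_id, bundle, ifa, ip, lat, lon, geo_type, accuracy=None):
    """Build one constructed bid request carrying only the fields that matter here."""
    geo = {"lat": lat, "lon": lon, "type": geo_type}
    if accuracy is not None:
        geo["accuracy"] = accuracy  # metres, as in OpenRTB 2.4+
    return {
        "id": req_id,
        "app": {"bundle": bundle},
        "device": {
            "ua": "Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36",
            "ip": ip,
            "ifa": ifa,   # advertising identifier (IDFA / GAID)
            "lmt": 0,     # 1 would mean "limit ad tracking"
            "geo": geo,
        },
        "imp": [{"id": "1", "banner": {"w": 320, "h": 50}}],
    }


# Constructed bidstream log: each entry is one request plus the time a collector
# saw it (received_at is an assumed wrapper field, not part of OpenRTB itself).
# Two different apps report the same device; one request is IP-derived only.
DEVICE_A = "3f2b9e0c-1d5a-4c1b-9b2e-7a1f0c6d8e21"
DEVICE_B = "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d"
SAMPLE_BIDSTREAM = [
    {"received_at": "2025-01-07T08:01:00Z",
     "request": make_request("r1", "com.example.weather", DEVICE_A, "203.0.113.42", 38.8977, -77.0365, 1, 12)},
    {"received_at": "2025-01-07T12:30:00Z",
     "request": make_request("r2", "com.example.news", DEVICE_A, "203.0.113.42", 38.8895, -77.0353, 1, 8)},
    {"received_at": "2025-01-07T18:45:00Z",
     "request": make_request("r3", "com.example.weather", DEVICE_A, "198.51.100.7", 38.90, -77.04, 2)},
    {"received_at": "2025-01-07T09:15:00Z",
     "request": make_request("r4", "com.example.news", DEVICE_B, "198.51.100.9", 40.7128, -74.0060, 1, 20)},
]


def extract_tracking_fields(entry: dict) -> dict:
    """Flatten the fields a bidstream buyer cares about out of one logged request."""
    req = entry["request"]
    device = req.get("device") or {}
    geo = device.get("geo") or {}
    return {
        "received_at": entry["received_at"],
        "app_bundle": (req.get("app") or {}).get("bundle"),
        "ifa": device.get("ifa"),
        "limit_ad_tracking": device.get("lmt") == 1,
        "ip": device.get("ip"),
        "user_agent": device.get("ua"),
        "lat": geo.get("lat"),
        "lon": geo.get("lon"),
        "geo_source": GEO_SOURCE.get(geo.get("type"), "unknown"),
        "accuracy_m": geo.get("accuracy"),
    }


def is_device_reported_location(fields: dict, max_accuracy_m: float = 100.0) -> bool:
    """True when the coordinates came from the handset's own location services,
    i.e. the app held location permission and its SDK passed the fix along,
    rather than from an IP-address lookup."""
    acc = fields["accuracy_m"]
    return (
        fields["geo_source"] == "gps_or_location_services"
        and fields["lat"] is not None
        and fields["lon"] is not None
        and (acc is None or acc <= max_accuracy_m)
    )


def build_trails(bidstream: list) -> dict:
    """Group device-reported fixes by IFA and order them in time. The persistent
    per-device ad ID is what turns requests from different apps into one trail."""
    trails = defaultdict(list)
    for entry in bidstream:
        f = extract_tracking_fields(entry)
        if f["ifa"] and not f["limit_ad_tracking"] and is_device_reported_location(f):
            trails[f["ifa"]].append((f["received_at"], f["lat"], f["lon"], f["app_bundle"]))
    return {ifa: sorted(points) for ifa, points in trails.items()}


if __name__ == "__main__":
    for ifa, points in build_trails(SAMPLE_BIDSTREAM).items():
        print(ifa)
        for ts, lat, lon, bundle in points:
            print(f"  {ts}  {lat:.4f},{lon:.4f}  via {bundle}")
```

The geo.type check is the part worth noting: a type-1 fix with single-digit-metre accuracy can only have come from the handset's location API, so the app that sent it had location permission and handed the result to whatever SDK built the bid request; a type-2 entry is just coarse IP geolocation and is dropped from the trail.
-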
@briankrebs What I'm asking is the technical question of where the location data originates from.
Is the user's phone doxxing them due to defaults or poor UX tricking the user into letting the adtech libraries integrated into junkware apps access the location API?
Or are they getting access to location from the carrier via some identifying info the carrier can resolve back to a subscriber id to dox them?
-
@dalias There are a lot of self-interested parties to blame for this current situation. Among them are Apple and Google, for giving each phone a unique identifier for advertisers (IDFA) that could be used to track/differentiate users over time.
-
@dalias Some of this is from mobile apps which sell user location data. A lot of it is from mobile websites that share location data with advertisers
-
@briankrebs But none of those should have access to location to begin with. Unless they've exploited bugs or tricked the user (or exploited bad OS defaults) to have location permission.
-
@dalias Yeah you're asking good questions, but afaict they are answered in the story I wrote and linked to. I realize it's long, but that's because it's also complicated.
-
@briankrebs I'm not asking this to be difficult or to blame users for installing junk apps and not locking down permissions right.
I'm trying to understand who the real culprits in leaking this data are, to know both who to target, and who is affected (like, are carriers doxxing us even if we have location properly locked down?).
-
@dalias @briankrebs You give location access to the app or site to get the weather, the embedded SDK passes the location to data brokers.
-
@BucciaBuccia @dalias from the 404 story: "The location data is staggering; in one file, I see over 10,000 distinct Android applications providing data such as GPS locations, IP addresses, user agents, and more from millions of phones"
-
@BucciaBuccia @dalias What Buccia said. Basically, the capability to harvest this information is included in mobile SDKs that app developers get paid to include in their code.
-
Honestly this is one of the cons of how Android (and iOS) are designed. I am not sure there is a fix for this, but people become so used to clicking "ALLOW" because when installing an app the first thing you get is a bunch of pop-ups for allowing various permissions. I absolutely can see how someone would just be used to tapping allow without fully reading or understanding the implications. The typical "calculator" app requesting location data is always used as an example, right, but it's much more subtle than that. You'll get an app like a messaging service, for instance; it asks for contacts, asks for access to your camera roll, and maybe at the end it asks for "find and connect to devices on your network".
I hate Apple for this one because it's kinda misleading. Your typical person isn't going to see a red flag in that; they'll just be like "huh, weird, I guess that makes sense, it needs an internet connection" instead of understanding what that permission entails. Now, I understand that IP address data is super easy (I mean you can collect that as long as you have access to an internet connection, right? http://icanhazip.com/), but it applies more to the GPS location data, contacts, etc. I feel like the mandatory access control systems in mobile phones are not informed consent in the slightest. Maybe they should follow what browsers have started to do, actually explaining the level of access and potential implications.
-
@puppygirlhornypost2 @briankrebs @dalias @BucciaBuccia
I think about this a lot. So many dark patterns. I'm pretty technically savvy, and I don't always answer "don't track me for targeted ads" when an app asks me. Maybe I want to see more useful ads from this app? What if I change my mind?
The same for location data. Very rarely when running apps do people have time to leisurely consider the meaning of giving consent to the OS to send personal data to "free" apps.
-
According to the FTC, Gravy and Venntel process more than 17 billion signals from about a billion devices every day.
-
Nonya Bidniss :CIAverified: replied to BrianKrebs
@briankrebs I'd like to opt out
-