AccuWeather sneakily got access to your location data, even when you turn off location access to its app. But after getting called out by a security researcher, the company is going to knock it off.
Security researcher Will Strafach discovered that Accuweather's iOS app partners with a service called Reveal Mobile, which uses an iPhone's Wi-Fi connection to track its precise location — even if the user has specifically opted out of sharing their location with Accuweather.
In testing AccuWeather's app, Strafach found that it was surreptitiously shipping location data off to Reveal Mobile, including:
- Your precise GPS coordinates, including current speed and altitude.
- The name and "BSSID" of the Wi-Fi router you are currently connected to, which can be used for geolocation through various online services.
- Whether your device has Bluetooth turned on or off.
Strafach found that his test device was sending location data to Reveal Mobile every few hours during a 36-hour test period.
Reveal Mobile's website says it uses this location information to drive marketing campaigns to app users as they commute, eat out or go shopping.
"I am uncomfortable with the idea of code embedded in an app being used to constantly monitor my location, and in their words, build a profile of where I live, work, and locations I frequent," Strafach told Gizmodo. "Some may be OK with this, but I think AccuWeather needs to clearly state where location information is being sent (as I would naturally assume it only goes to them for legit purposes). Giving people explicit warning of this and allowing them to choose whether they are OK with this tracking would be more reasonable."
"In the future, AccuWeather plans to use data through Reveal Mobile for audience segmentation and analysis, to build a greater audience understanding and create more contextually relevant and helpful experiences for users and for advertisers," David Mitchell, AccuWeather's executive vice president of emerging platforms, told ZDNet.
Collecting users' information without permission is really lame and disingenuous. A good privacy rule is: If the information you're collecting isn't obvious to your users or subverts user choice (and no, burying a quick disclosure in the 50th paragraph of your terms of service doesn't cut it), then you probably shouldn't be collecting that information.
In a lengthy joint statement from AccuWeather and Reveal Mobile, a spokesperson said the data collection was caused by a misconfiguration in Reveal Mobile's software development kit. Reveal Mobile is fixing the misconfiguration and will push out an update today to prevent users' location data from being collected when they opt out, the statement said.
Here's the full statement from AccuWeather and Reveal Mobile:
Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user.
Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.
AccuWeather and Reveal Mobile are committed to following the standards and best practices of the industry. We also recognise this is a quickly evolving field and what is best practice one day may change the next. Accordingly, we work to update our practices regularly.
To avoid any further misinterpretation, Reveal is updating its SDK and pushing out new versions of the SDK in the next 24 hours, with the iOS update going live tonight. The end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing. In the meanwhile, AccuWeather had already disabled the SDK, pending that update.
Reveal has stated that the SDK could be misconstrued, and they assure that no reverse engineering of locations was ever conducted by any information they gathered, nor was that the intent.
AccuWeather will work with Reveal to restore the SDK when it has been amended and will continue to update its ULAs to be transparent and current with evolving standards. AccuWeather and Reveal continue to enhance methods for handling data and strive to provide superior, seamless, and secure user experiences.
We are grateful to have a supportive community that highlights areas where we can optimise and be more transparent.