FTC cracks down on companies that glean location data without users' consent
ARI SHAPIRO, HOST:
The FTC has reached its first settlement with a location data broker. These are the companies that collect and sell information about people's whereabouts. Our colleagues at The Indicator, Darian Woods and Wailin Wong, have more on the settlement and on how your data is tracked and put up for sale.
WAILIN WONG, BYLINE: Lena Ghamrawi is a privacy lawyer. A couple of years ago, she helped launch a watchdog group that investigated mobile apps.
LENA GHAMRAWI: Apps are collecting information about you. The apps then turn around and sell that information to data brokers, third parties, who then package that data, repurpose it and then sell it to anyone that wants to buy the data.
DARIAN WOODS, BYLINE: Lena says location data can be helpful - like, say, an epidemiologist wants to track the spread of infectious diseases in a population.
WONG: And then there are apps that simply wouldn't work without knowing their users' locations - think of navigation and mapping apps or ridesharing apps like Lyft and Uber.
WOODS: Lena says that, often, the app developers have no idea that this data is being collected in the first place, and that's because of something called software development kits, or SDKs.
GHAMRAWI: Basically, they're pieces of code that app developers use when creating an app instead of writing the code from scratch.
WONG: But unbeknownst to app developers, some SDK creators insert location-tracking capabilities into their software and sell that data to brokers.
WOODS: Some developers choose to avoid SDKs altogether for this very reason - developers like Brian Mueller.
BRIAN MUELLER: I'm the founder of Carrot Weather, this snarky little weather app.
AUTOMATED VOICE: I hope you get a horrible sunburn.
WOODS: One thing that Carrot does not do, despite being a weather app, is collect and store precise location data.
WONG: A few years ago, when Brian started reading about how invisible code could be lurking inside SDKs, he decided to remove them from his app.
MUELLER: There are so many cases out there where location data can be used to really hurt people, and that's the kind of stuff that I don't want to contribute to.
WOODS: Now, government regulators are stepping in. Brian Shull is a senior attorney at the FTC's Division of Privacy and Identity Protection. He worked on the FTC's case, and it involved a data broker called X-Mode.
BRIAN SHULL: What we're trying to do with this X-Mode case is really nail down those locations where it's very clear that consumers are injured when this data is revealed to others.
WONG: Those locations include medical and reproductive health clinics, houses of worship and domestic abuse shelters. The FTC alleges that X-Mode sold data that could potentially reveal people's visits to those sensitive places.
WOODS: According to the FTC, X-Mode got this location data mostly through SDKs. The agency says X-Mode didn't always tell app developers or consumers how this information was being used, and that meant consumers couldn't consent to sharing it.
WONG: The terms of the FTC settlement still need final approval. If it goes through, X-Mode will be required to keep a list of sensitive locations and delete those locations from any data that it sells.
WOODS: X-Mode was acquired a few years ago, and it's now known as Outlogic. We contacted Outlogic for comment on the FTC settlement, and the company said it disagrees with the FTC. It also said that following the FTC's new policy won't significantly change the way it does business.
WONG: Meanwhile, the FTC is undeterred. The agency took similar action against a second company and banned it from selling location data.
WOODS: Darian Woods.
WONG: Wailin Wong, NPR News.
(SOUNDBITE OF LOLA YOUNG SONG, "CONCEITED") Transcript provided by NPR, Copyright NPR.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.