Federal prosecutors in New Jersey are looking into whether mobile application developers are illegally sharing personal data of their users with advertising firms, and now a security researcher may have just reinforced the the case against at least one of those involved.
Veracode senior researcher Tyler Shields shared details of their study on music service Pandora, and found that “personal information is being transmitted to advertising agencies in mass quantities.” Shields did not explicitly say whether or not the information transmitted may be illegal.
Pandora disclosed that it was being investigated in a Securities and Exchange Commission filing on April 4. “In early 2011, we were served with a subpoena to produce documents in connection with a federal grand jury, which we believe was convened to investigate the information sharing processes of certain popular applications that run on the Apple and Android mobile platforms,” the filing reads in part.
The company said that it was informed that it was not a direct target of the investigation, and it believed other companies were involved, which a Wall Street Journal report from Tuesday seemed to confirm. Pandora would not comment on the investigation.
Shields claims that the Pandora application communicates with at least five different advertising libraries, AdMarvel, AdMob, comScore, Google.Ads, and Medialets. In the case of AdMarvel and AdMob, information including the phone’s GPS location, the user’s birthday, gender, and postal code were all shared with these advertisers.
Other libraries such as Medialets were found to access even more information, including the bearing of the device, its altitude, network information, device type, and even the user’s current IP address.
“The application developers may not even be aware of the privacy violations they are introducing by using third party advertising libraries,” Shields wrote in blog post. They may merely think they are getting $x per ad impression, not that the ad library is leaking significant information about the user.”
He also noted that while separate the data may not give much insight into a user’s personal life, together it is disclosing quite a bit of information. “I don’t know about you, but that feels a little Orwellian to me,” he concluded.
Does this mean that these application developers are at fault, or in cahoots with these advertisers to steal your personal information? Probably not. This is due to the fact that most times the code is supplied by the advertiser itself, and the developer adds it without much thought to what that code could actually be doing.