As Apple and Google add better privacy protections to their mobile platforms, advertising firms have had to get more and more creative with how they display ads to users and track them as they move around the physical world as well as the Internet.
One of the companies that has been at the center of this is InMobi, a major mobile ad company, that offers products to clients that allow them to geo-target users and show them targeted ads. The FTC in June reached a settlement with InMobi over the company’s practices, charging that the company tracked consumers, specifically children, without their consent. InMobi said that it obtains consent from users before geotracking them, but the FTC found that wasn’t true, and the commission has now detailed exactly how the tracking worked.
According to the FTC’s investigation, InMobi was able to circumvent privacy protections on both iOS and Android that prevent apps from using APIs to track users without their permission. The company did this by constructing its own geocoder database, the FTC said.
The APIs that InMobi used to accomplish this tracking on Android and iOS have legitimate uses.
“InMobi collected information through consumers’ devices that allowed it to map out the real-world latitude and longitude coordinates of WiFi networks. InMobi then monitored the WiFi networks that a consumer’s device connected to (on both Android and iOS), and in many instances, the WiFi networks that a consumer’s device was in-range of (on Android),” Nithan Sannappa and Lorrie Cranor of the FTC said in an analysis of the settlement Tuesday.
InMobi was able to do this by collecting identifiers from the WiFi networks to which users connected, or even ones that they were close to. All of this was done without the users’ knowledge or permission.
“By collecting the BSSID (i.e., a unique identifier) of the WiFi networks that a consumer’s device connected to or was in-range of, and feeding this information into its geocoder database, InMobi could then infer the consumer’s location. Until December 2015, InMobi used this method to track the consumer’s location even if the application that had integrated the InMobi SDK had never asked the consumer for permission to access location, and even if the consumer had turned off all location services on the device,” Sannappa and Cranor said.
The APIs that InMobi used to accomplish this tracking on Android and iOS have legitimate uses and the engineers at Google and Apple who are responsible for them have to balance that functionality against the privacy and security implications of their use.
“Given these complexities, all actors in the mobile ecosystem have a role to play in protecting consumer privacy. While operating systems architects continue working on technical solutions to these thorny issues, both application developers and third party service providers (e.g., ad networks and analytics firms) should ensure that their use of APIs are consistent with their privacy promises. In addition, developers should consider contractual terms or other steps to help ensure that their third party service providers do not circumvent consumers’ privacy choices,” Sannappa and Cranor said.