Pursued by GPS-Aided Advertisers? Check the Small Print

When we’re using a mobile location-based application such as getting driving directions from Google Maps, it’s not surprising to see advertisements from local businesses showing up in our browsers. Customized advertising, after all, is Google’s bread and butter.

But as owners of GNSS-enabled mobile devices move around through the world, they are often followed by similar unsolicited offers and advertising from apparently random sources.

What’s that all about?

When we’re using a mobile location-based application such as getting driving directions from Google Maps, it’s not surprising to see advertisements from local businesses showing up in our browsers. Customized advertising, after all, is Google’s bread and butter.

But as owners of GNSS-enabled mobile devices move around through the world, they are often followed by similar unsolicited offers and advertising from apparently random sources.

What’s that all about?

Well, usually it’s in the fine print of the ubiquitous privacy policies that go into effect when you launch an application — policies that most of us don’t take the time to read. In these often lengthy documents, GPS and related GNSS technologies are increasingly being called out as the source of real-time location data about users.

We would expect location-based service (LBS) applications such as Uber or SkyHook to have well-developed policies on use of customers’ locations. But Whole Foods, the NCAA, Weather.com? In fact, any app that users might launch on their mobile devices could be handing their location information over to third-parties — advertisers, service providers, and others — as a way to generate additional revenue unrelated to the products and services the company is offering.

Consider Whole Foods, for instance. The company’s privacy policy states, “We and our service providers automatically collect certain information about you when you access or use our Service. . . We may use GPS (global positioning systems) software and other location-based technologies to locate you so we may verify your location, and deliver relevant content to you based on your location. . . . We and our business partners and other third parties may send you product promotions that are aligned with your purchase trends and/or interests identified through automatically-collected information,” the policy continues. “In addition, we may share information about you as follows: With our business partners, affiliates and other third parties for purposes of sending their own marketing unless you are a California customer and you opt out of this type of sharing by emailing us at privacyandterms@wholefoods.com.”

NCAA.com tells users (if they read the privacy policy), “If you are accessing a Service from a mobile device or through a mobile application, you may be asked to share your precise (GPS level) geo-location information with us so we can customize your experience on our Services or on other Services, when we work with a Partner such as a third-party mobile ad platform.”

The policy caveat continues, “If you agree to such collection, in most cases, you will be able to turn off such data collection at any time by accessing the privacy settings of your mobile device and/or through the settings in the applicable mobile application.  “

And while you’re getting those weather reports, Weather.com says that it “may share demographic information, location data, advertising identifiers, truncated IP address and aggregate (not individual) usage statistics for the Services with advertisers and other third parties.”

Location data practices can sometimes land companies in trouble with regulatory and law enforcement agencies. Earlier this year, Uber, whose service provides an alternative to taxi operations, signed an agreement with the New York attorney general’s office to encrypt rider geo-location information, adopt multi-factor authentication that would be required before any employee could access especially sensitive rider personal information, as well as other leading data security practices.

Many of the location privacy policies indicate that users may opt in or out of such data-sharing changing settings in their mobile devices or in the apps themselves, but the transparency of such options varies from device to device and application to application. And many companies include disclaimers for any responsibility for the privacy policies of third parties with which they share the data.

On June 22, the Federal Trade Commission announced that Singapore-based mobile advertising company InMobi will pay $950,000 in civil penalties and implement a comprehensive privacy program to settle Federal Trade Commission charges that it deceptively tracked the locations of hundreds of millions of consumers – including children – without their knowledge or consent to serve them geo-targeted advertising.

The FTC alleged that InMobi mispresented that its advertising software would only track consumers’ locations when they opted in and in a manner consistent with their device’s privacy settings. According to the complaint, InMobi was actually tracking consumers’ locations whether or not the apps using InMobi’s software asked for consumers’ permission to do so, and even when consumers had denied permission to access their location information.

The FTC further alleged that InMobi, whose advertising network has reached more than one billion devices worldwide through thousands of popular apps, offers multiple forms of location-based advertising to its customers, including the ability to serve ads to consumers based on their current locations, locations they visit at certain times, and on their location over time.

“InMobi tracked the locations of hundreds of millions of consumers, including children, without their consent, in many cases totally ignoring consumers’ express privacy preferences,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “This settlement ensures that InMobi will honor consumers’ privacy choices in the future, and will be held accountable for keeping their privacy promises.”

All in all, the proliferation of apps, devices, and accompanying privacy policies may eventually produce an indifference to the issue of location privacy or, conversely, a suspicion about mobile apps in general.

As Shashi Shekhar, a professor in the Department of Computer Science at the University of Minnesota, and colleagues at Columbia University and Purdue University wrote in a Communications of the ACM article earlier this year, “Many individuals thus hesitate to indulge in mobile commerce due to concern about privacy of their locations, trajectories, and other spatiotemporal personal information.”

The authors continue, “New legal principles must be devised to align with ‘fair information practices,’ especially those related to notice, transparency, consent, integrity, and accountability. However, such alignment also raises questions, including: What would be considered "adequate notice" for collecting spatial data? How should consent be requested? What information should be stored, and for how long? More broadly, when does localization (such as GPS tracking) lead to a privacy violation?"

Indeed, a couple of years ago, the Location Privacy Council issued a set of guidelines for how companies should use location information.

Ironically, the younger cohort of the U.S. population known as Millennials, are both the largest users of mobile applications and yet the most concerned about location privacy. According to a 2013 Boston Consulting Group survey, Millennials ranked “Exact Location” as the fourth most important private data in a list of 20 types of data, higher than other age groups

 Note: The photo of the eye is by Thomas Tolkien, courtesy of Wikipedia/Creative Commons.

IGM_e-news_subscribe