In Pandora’s case, both the Android and iPhone versions of its app transmitted information about a user’s age, gender, and location, as well as unique identifiers for the phone, to various advertising networks. Pandora gathers the age and gender information when a user registers for the service.This accusation was supported by preliminary investigation carried out by Veracode. Notice that this applies to both Android and iPhone (although I believe it was not possible for Veracode to confirm the latter given Apple's closed code). More specifically, and in addition to age and gender, Pandora also sends "android_id, connection status, network information, device brand, model, release revision, and current IP address" to advertisers. Initial reporting that GPS data ("GPS location, bearing, altitude") was included has proven to be false (because although the app tries to send this data, it does not have access to it), but what is sent would seem to more than cover the famous 33 bits needed to identify a single human amongst 7 billion.
It is not certain that Pandora was actively complicit in this theft, since the code in question comes from "advertisement libraries compiled into the application: AdMarvel, AdMob, comScore (SecureStudies), Google.Ads, and Medialets". Of those listed, Medialets seems to be the greediest, but all apart from Google are taking more than they should be. So either Pandora knew and was complicit, or did not know and was negligent.
Now for the extrapolation. Simply, if the app of a well trusted brand like Pandora has done this, then a great many other apps are likely to be doing the same. This conclusion makes various baseless assumptions about how the sample was chosen by the DoJ, but any situation where the best-case scenario involves a trusted service provider ripping off millions of people, it perhaps pays to be pessimistic.
No comments:
Post a Comment