Apps Secretly Shared User Location Without Consent

A company that sells location data has apologized after some details were collected without permission. Huq says the data remained anonymous despite the lack of consent.

The company's business model is to partner with app developers to collect location data, aggregate it, then sell the overall details to clients. These included businesses trying to figure out patterns in where potential customers will be, and local governments that want to know which areas are busy at what times, for example to prioritize repairs of street lighting. (Source: bbc.co.uk)

The problem appears to be that Huq relies on the app developers to be up front with customers and ask for permission to collect the location data and pass it on. That's despite its website claiming it can "guarantee control" over "the collection of end-user consent."

WiFi And QR Scanners At Fault

In this case, two developers failed to do so. What made it particularly problematic was that neither app would obviously need the user's location to provide its stated service.

One app was for measuring the strength of nearby WiFi signals. This app had separate settings for controlling whether it collected location data and whether it passed it on to third parties. However, the Motherboard site discovered the data was sent to Huq regardless of the latter setting. (Source: vice.com)

The other app, "QR and Barcode scanner" transferred location data despite not explicitly asking for consent to do so.

Lack Of Consent May Be Unlawful

Huq says the app developers are responsible for getting permission to collect and pass on data. It says it runs monthly tests to make sure this is happening.

The activity appears to conflict with several major privacy laws. For example, in Europe businesses usually need explicit consent to collect and share personal data (including location); an exemption for "legitimate interest" wouldn't cover cases where the data wasn't an obvious part of an app.

Meanwhile several state laws in the US don't require advance consent but do give consumers the right to opt out of their data being shared with third parties.

What's Your Opinion?

How serious a breach do you consider this? Does it matter that the data was aggregated so that Huq couldn't track individuals? Should operating systems such as Android include physical blocks that stop data being passed on unless a user has clicked the relevant permission button?