By on .

Trusting apps to track your location, with your permission, can be an extremely powerful and useful tool. It enables some of the coolest features on our phones: everything from turn-by-turn directions, to collecting Pokémon in the park, to receiving down-to-the-minute rain notifications.

But with great power comes great responsibility. On July 27th, I made a quick off-hand tweet venting some pent-up frustration:

Lo and behold, not even a month later, a popular app misusing location data is in the news. And it happens to be a weather app.

The app in question has been found sending their users’ location information to a data monetization firm, unbeknownst to most users. More troubling, this is happening even when the user has explicitly opted out of location tracking. According to their own statement, they weren’t aware of this, and I’m willing to give them the benefit of the doubt.

This situation has, however, sparked outrage and surprise. While the outrage may be warranted, the surprise shouldn’t be. This isn’t just a case of a single company monetizing their customer’s location data in a shady manner; it’s a much larger — and more widespread — phenomenon. How do I know? Because there are entire companies devoted to buying this very data from the countless apps that currently make use of location data, and they contact us all the freakin’ time.

Here’s just a couple of the emails we’ve received:

Screenshot of an unsolicited email for location data
Screenshot of an unsolicited LinkedIn message for location data

I’ve also received no less than nine emails from Reveal Mobile, the culprit in the latest scandal:

Screenshot of a list of unsolicited emails for location data

These companies all claim that the location data they collect is “anonymous”, and that it can’t be used to identify or track individual people. This is false.

You could be forgiven in assuming that, since most apps don’t require you to give your name or other personally identifying information, it would be difficult to associate a particular location with a particular human being. But, in fact, it’s trivially easy for one of these data monetization firms to put real names to the latitude/longitude pairs they receive: If I told you that User #759 went home to a particular address every night, and went to work at another address during the day, how quickly could you find out who that was? It would take a few minutes of Googling, and it could be easily automated.

And even companies that are trustworthy can have breaches in data security. Massive data theft has happened before, and it’ll certainly happen again. Imagine all the places people go that they’d rather nefarious strangers not know about? What school they attend and when, their place of worship, strip clubs, gay bars. There are undoubtedly employees at the White House, at the Pentagon, and in Congress, who are using location-aware apps.

So how do we minimize the risk?

First and foremost, it’s the responsibility of app developers to use and store location data responsibly: not letting it leave the device when possible, not storing historical records of previous locations, not sharing it with 3rd parties, and making it clear to users how their location data is being utilized.

With that in mind, I think it’s important to outline the several different ways in which Dark Sky uses location tracking:

  1. Weather forecasts
    • If you enable Location Services, we’ll grab your location and send it to our server to get a forecast.
    • We do not permanently store a record of the request (although, like all server requests, it lives briefly in a temporary log file for the purpose of monitoring system health), and there’s no way to know whether the location is your current location, or that of a location you may have searched for.
  2. Weather notifications
    • If you opt-in to receive weather alerts, we’re forced to save your location in a database record so that we can periodically check the forecast and send you a notification if rain is on the way.
    • We do not, however, store a history of your locations. It’s not necessary to provide the service, so we just don’t do it.
  3. Pressure sensor readings
    • If your phone has a pressure sensor, and you opt-in to send us periodic readings (in order to aid our forecast models), we store those reports in a database.
    • We only store latitude, longitude, and pressure reading. We do not even store an anonymous user ID (since, as mentioned above, it would make it too easy to reconstruct personal identity).
    • Not storing an ID of any sort makes it much more difficult to do things like correct for sensor biases and clean up the pressure data, but we feel it is a necessary step for preserving user privacy.

For forecasts and notifications we never store a history of your locations. This makes it impossible to track where you’ve been even if we wanted to (not even if we were required to via a court order), it makes it much harder to reconstruct your identity, and it means your privacy is safer in the unlikely event of a data breach or theft.

We don’t now — and never will — share your location data with 3rd party advertisers or data monetization companies.

It helps tremendously that Dark Sky is a for-pay app. The old trope of “when you don’t pay for the product, you are the product” gets trotted out often, usually with regards to in-app advertising. But it takes on much more ominous overtones in the context of location privacy. And as long as it’s possible to secretly share location data, some app makers will do so.

Because of this, we also believe that Apple and Google should do more to prevent this sort of behavior. They should set — and aggressively enforce — clear App Store rules forbidding the sharing of location data for any purposes not directly relevant to the app’s core functionality. If an app is caught breaking this rule, it should be removed from the store. This won’t stop all abuse, but it would, at the very least, put many of these data monetization companies out of the business of tracking where you go.