Security researchers revealed this week that dozens of apps in the Google Play Store secretly gathered data on tens of millions of users and sent it to a company linked to a U.S. defense contractor.
Developers of Muslim prayer apps, QR code scanners and international weather apps were paid by a company called Measurement Systems to insert code that gave Measurement access to user data without the developers fully knowing.
Google said it has since banned these apps.
Byron Tau covered these events for The Wall Street Journal. The following is an edited transcript of our conversation.
Byron Tau: There’s a billion-dollar industry for the collection of the movement of phones. But what this [code] was doing was linking it to things like a phone number or an email address. That can really shed light on a person’s real-world identity and generally violates at least the best practices, if not actual data privacy laws around the world.
Meghan McCarty Carino: Why would the developers of these apps agree to add this code?
Tau: The way this generally works is that third-party companies that want to collect user data offer developers around the world a little bit of money, and sometimes a lot of money, to include their software code in these apps. In exchange, the developer gets a nice, steady stream of income that helps pay for the development costs of the app, and whoever’s paying them gets user data.
McCarty Carino: And you traced the kind of complicated ownership trail of the company behind this, Measurement Systems. And we should note that it denied this story. But how confident are you that this company is connected to an American defense contractor?
Tau: There are certainly ties, and it’s tied two ways: one through the website registration records and another way through addresses and people associated with corporate owners. Through both of those means, this Panamanian company was connected back to a Virginia-based defense contractor that does cyberintelligence and network defense.
McCarty Carino: We don’t know if this data got shared or sold. But why would the Defense Department want data like this, specifically on Muslim users?
Tau: Governments around the world have been quietly buying large amounts of this data because it can help show relationships between people, the way populations move around and, in some cases, can even zoom down to the level of individuals of interest. So this kind of data can be very powerful to a wide variety of government clients.
McCarty Carino: These apps were available on the Google store. Google has a review process before it lets apps go live in that store. Was this a failure in its approval process?
Tau: Well, Google and its rival, Apple, have a serious challenge here, which is just the sheer number of apps that are put into the app store every year. And so, while both of these companies say they vet what’s in apps and make sure they’re behaving in safe ways, in reality, it’s incredibly difficult and often takes forensic analysis to really understand what’s going on.
McCarty Carino: So when these app stores say that they vet the privacy of the apps, should consumers trust that?
Tau: The honest answer is no. It’s, again, very, very difficult to really understand what your phone is doing. And even with the best efforts of Apple and Google and other platforms, it’s not always possible to understand what your phone is doing. And so, apps pose a real privacy danger. They can be collecting all manner of data that you didn’t necessarily anticipate or authorize. Every person should be careful about what they put on their phone and generally limit the kinds of permissions or programs that they’re putting on their devices.
Related links: More insight from Meghan McCarty Carino
Google didn’t directly answer questions about whether its initial review process missed problems with these apps. The company did provide a statement:
“All apps on Google Play must comply with our policies, regardless of the developer. When we determine an app violates these policies, we take appropriate action.”
We’ve got links to the full Wall Street Journal story and the report it was based on from researchers Serge Egelman and Joel Reardon. They shared their findings with Google in March as well as with the Federal Trade Commission.
A spokesperson for the FTC told The Journal they couldn’t comment about whether the agency was pursuing an investigation into the matter.
The idea of governments buying location data, and specifically data from apps that target Muslims, isn’t new. Vice reported a couple of years ago on how the U.S. military had bought into data streams from popular Muslim prayer apps and a dating app that caters to Muslims. Now, unlike the data collected by the company Byron Tau wrote about, this data was anonymized. But experts told Vice it could easily be de-anonymized once you put enough data points together.
That’s also the concern about more than 50,000 apps running code from a company referred to as the Russian Google, which The Financial Times investigated last month. These apps appear in the Google Play Store and the Apple App Store. And some of them are actually marketed to a Ukrainian audience.
They include games, messaging apps and virtual private networks, which are intended to help people move around online without being tracked. But they include code from the biggest Russian tech company, Yandex, which allows user data to be sent to Russian servers. The concern is it could be accessed by the Kremlin.
Google told The Financial Times it would conduct its own investigation and that it has work to do in providing better transparency to users about the code embedded in the apps they download.