Life360 Scandal Once Again Shows Nobody In The U.S. Actually Wants To Fix Our Rampant Privacy Problems
from the let's-do-absolutely-nothing-about-this-growing-problem dept
For several years now a steady parade of scandals have showcased how the collection and sale of consumer location data (to governments and data brokers alike) is a hugely unaccountable mess with few if any guardrails. And every week or so a new scandal emerges making that point abundantly clear. This week it's the unsurprising revelation that "security" and "family safety" app Life360, which lets parents track the location of their kids, has been selling access to this data to data brokers for years:
"Through interviews with two former employees of the company, along with two individuals who formerly worked at location data brokers Cuebiq and X-Mode, The Markup discovered that the app acts as a firehose of data for a controversial industry that has operated in the shadows with few safeguards to prevent the misuse of this sensitive information."
U.S. policymakers and regulators have routinely turned a blind eye to bad behavior in the location data collection area, in large part because the U.S. government often purchases this kind of data to help it avoid getting a warrant. And any effort to tighten up privacy regulations (or hey, even pass a basic federal privacy law for the internet era) wind up running into a buzz saw of cross-industry lobbying opposition with unlimited budgets.
When the U.S. government does act in this space, it's usually inconsistent and unproductive. It usually involves sporadically levying a piddly fine that winds up being a tiny, tiny fraction of the money made from getting a bit too greedy. Or demanding at least some transparency into what's being collected and sold. But as data brokers, apps, telecoms, and OS makers keep making clear, nobody is taking any of those threats seriously. Especially the tangled web of data brokers, who operate largely in secrecy. When pressed on what they're doing, their responses are murky at best:
"Hulls declined to disclose a full list of Life360’s data customers and declined to confirm that Safegraph is among them, citing confidentiality clauses, which he said are in the majority of its business contracts. Data partners are only publicly disclosed when partners request transparency or there’s “a particular reason to do so,” Hulls said. He did confirm that X-Mode buys data from Life360 and that it is one of “approximately one dozen data partners.” Hulls added that the company would be supportive of legislation that would require public disclosure of such partners."
Like clockwork, when you ask a data broker what they're doing, they'll immediately insist that collecting and selling access to the data of children is no big deal because that data has been "anonymized." As if there hasn't been a steady flood of studies showing that terms is absolutely meaningless, and it's trivial to identify any of these users with just a few additional data points. See this comment from Cuebiq, for example:
"The CDC only exports aggregate, privacy-safe analytics for research purposes, which completely anonymizes any individual user data,” Daddi said. “Cuebiq does not sell data to law enforcement agencies or provide raw data feeds to government partners (unlike others, such as X-Mode and SafeGraph)."
"We anonymize data" (which again is meaningless) and "at least we don't sell access to this data to government like everybody else" aren't the comforting justifications these companies tend to think they are. But at least it's a comment. Most of the other data brokers that have been caught up in this scandal wouldn't comment, and won't ever be required to. Because nobody actually cares about consumer privacy or the ramifications of rampant over-collection. There's just too much money to be made.
Life360 justifies collecting and selling access to this ocean of data (including the data of children) because it helps pay for a service that provides security value. And while that may be true, it's not like you couldn't do all of this in a way that's more transparent and responsible. And it's not like over-collecting and creating vast repositories of user data doesn't come with its own privacy and security risks. Companies just don't want to change because they'd make less money. So instead we get a lot of flimsy justifications and half truths like "we don't sell access to data" (no, you're just providing the data to partners for free as part of a broader "consultation and analysis" deal you are getting paid for).
State and federal U.S. privacy oversight is so flimsy, you just have to tinker with semantics to fall into compliance.
Meanwhile, everybody in the data gold rush claims to support some basic privacy legislation, but then immediately turns around and has their lobbyists and umbrella policy organizations fight tooth and nail against any and all meaningful solutions. Doing absolutely anything productive in privacy regulatory oversight would cost a lot of companies billions of dollars, and make it harder for the government to spy on its citizens. So instead we do nothing, and stand around with a dumb look on our face watching a parade of scandals drift by.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data, data brokers, location data, privacy
Companies: cuebiq, life360, x-mode
Reader Comments
Subscribe: RSS
View by: Time | Thread
Rants are fun.
Usually usually.
"Dumb face" (dumb means unable to speak)
"Half truths" (not a thing)
This entire rant could be better written as an article with facts, evidence, and a lack of whiny misuse of the word "dumb" and others.
Having read this, I'm two minutes older, and no wiser. Maybe someone "dumber" than I can make sense of this incompetent rant.
E
[ link to this | view in thread ]
We pay for them, perhaps if we forced there to be a law requiring Congress to have this data collected for our review whenever we wanted maybe they would understand why it is important that we arre allowed our alleged privacy.
[ link to this | view in thread ]
Re:
be cautious
gatekeepers here are quick to censor/flag any perceived slights
stealth rules are easier to enforce
[ link to this | view in thread ]
The googles, etc of the world pay too much in taxes for that. No wait, they pay hardly any tax. Right, I guess that leaves that they pay too much in campaign contributions for that to happen.
[ link to this | view in thread ]
is it though?
Is the truth always on the other side?
If the Republicans say the earth is round, the Democrats will say it's flat...the truth is always on the other side
If blacks say that racism is worse than ever, whites will say "no way, because we elected a black president"...the truth is always on the other side
If the vaccinated say that everyone must get vaccinated in order to stop Corona, the unvaccinated will say that it's just the flu...the truth is always on the other side
The truth is self supporting. I wish we could all agree on the truth more often.
[ link to this | view in thread ]
I suspect what it will take to bring some sort of common sense to all this datamining and spying on people will be some important personage to get in a bind over data released.
Maybe a congress critter caught by datamining at being where he claims he wasn't on some sort of crime or highly embarrassing situation. Maybe a famous public figure caught where the facts don't match up to the testimony.
That's what it usually takes. No one really cares about the public and what they deal with until it just happens to coincide with someone important caught with their pants down. Then it will be crowed they are doing something for the public's benefit as a misdirection.
In the meantime, the corruption that allows law makers to receive campaign contributions will also allow them to turn a blind eye to the issues at hand.
[ link to this | view in thread ]
What about the "end uders" of the entire data-brokering market?
[ link to this | view in thread ]
'You first'
Any time someone tries to pull the 'it's not concerning/a violation of privacy because we anonymized the data' argument they should have their data run through the same process and provided to the public, just to lead by example.
Somehow I suspect that when that flawed argument resulted in their personal information on the line their tune would change mighty quick.
[ link to this | view in thread ]
Re:
The magic code strikes again.
[ link to this | view in thread ]
Re: Maybe someone "dumber" than I can make sense of this
Sorry Ehud, I think that's unlikely. Maybe think about your post and try and structure it better so people can understand it?
[ link to this | view in thread ]