Facebook adds new background location privacy controls to its Android app

Facebook is updating its privacy settings on Android to make it easier for users to control what location data is sent to and stored by the company.

In its announcement, Facebook acknowledged that Android users have expressed concern over the app’s ability to continuously log location data in the background. Due to Android’s all-or-nothing system of location permissions relative to iOS, the Facebook app has historically had the green light for collecting location data whether a user is actively in the app or not.

While the company stopped short of admitting the practice, Facebook for Android users who previously had location services enabled can probably assume that Facebook was extensively tracking their location even when they weren’t actively using the app. Facebook describes the choice to toggle location history on as “[allowing] Facebook to build a history of precise locations received through Location Services on your devices.”

Android users who previously allowed Facebook access to their location data will retain those settings, though they’ll receive an alert about the new location controls. For users who kept the location settings for Facebook disabled, those permissions will remain toggled off. While these changes apply only to Android users, Facebook also noted that it would send out an alert to iOS users to remind them to reevaluate their location history settings.

If your location history isn’t something you’ve thought much about before, it’s worth spending a minute to consider how comfortable you are with that depth of personal data being transmitted continuously to a company with Facebook’s privacy track record. Remember: Once that information is out of your hands, you have little to no control over what happens with it.


Android – TechCrunch

Popular avatar app Boomoji exposed millions of users’ contact lists and location data

Popular animated avatar creator app Boomoji, with more than five million users across the world, exposed the personal data of its entire user base after it failed to put passwords on two of its internet-facing databases.

The China-based app developer left the ElasticSearch databases online without passwords — a U.S.-based database for its international customers and a Hong Kong-based database containing mostly Chinese users’ data in an effort to comply with China’s data security laws, which requires Chinese citizens’ data to be located on servers inside the country.

Anyone who knew where to look could access, edit or delete the database using their web browser. And, because the database was listed on Shodan, a search engine for exposed devices and databases, they were easily found with a few keywords.

After TechCrunch reached out, Boomoji pulled the two databases offline. “These two accounts were made by us for testing purposes,” said an unnamed Boomoji spokesperson in an email.

But that isn’t true.

The database contained records on all of the company’s iOS and Android users — some 5.3 million users as of this week. Each record contained their username, gender, country and phone type.

Each record also included a user’s unique Boomoji ID, which was linked to other tables in the database. Those other tables included if and which school they go to — a feature Boomoji touts as a way for users to get in touch with their fellow students. That unique ID also included the precise geolocation of more than 375,000 users that had allowed the app to know their location at any given time.

Worse, the database contained every phone book entry of every user who had allowed the app access to their contacts.

One table had more than 125 million contacts, including their names (as written in a user’s phone book) and their phone numbers. Each record was linked to a Boomoji’s unique ID, making it relatively easy to know whose contact list belonged to whom.

Even if you didn’t use the app, anyone who has your phone number stored on their device and used the app more than likely uploaded your number to Boomoji’s database. To our knowledge, there’s no way to opt out or have your information deleted.

Given Boomoji’s response, we verified the contents of the database by downloading the app on a dedicated iPhone using a throwaway phone number, containing a few dummy, but easy-to-search contact list entries. To find friends, the app matches your contacts with those registered with the app in its database. When we were prompted to allow the app access to our contacts list, the entire dummy contact list was uploaded instantly — and viewable in the database.

So long as the app was installed and had access to the contacts, new phone numbers would be automatically uploaded.

Yet, none of the data was encrypted. All of the data was stored in plaintext.

Although Boomoji is based in China, it claims to follow California state law, where data protection and privacy rules are some of the strongest in the U.S. We asked Boomoji if it has or plans to inform California’s attorney general of the exposure as required by state law, but the company did not answer.

Given the vast amount of European users’ information in the database, the company may also face penalties under the EU’s General Data Protection Regulation, which can impose fines of up to four percent of the company’s global annual revenue for serious breaches.

But given its China-based presence, it’s not clear, however, what actionable repercussions the company could face.

This is the latest in a series of exposures involving ElasticSearch instances, a popular open source search and database software. In recent weeks, several high-profile data exposures have been reported as a result of companies’ failure to practice basic data security measures — including Urban Massage exposing its own customer database, Mindbody-owned FitMetrix forgetting to put a password on its servers and Voxox, a communications company, which leaked phone numbers and two-factor codes on millions of unsuspecting users.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.


Android – TechCrunch

Google faces GDPR complaint over “deceptive” location tracking

A group of European consumer watchdogs has filed a privacy complaint against Google — arguing the company uses manipulative tactics in order to keep tracking web users’ location, for ad-targeting purposes.

The consumer organizations are making the complaint under the EU’s new data protection framework, GDPR, which regulators can use to levy major fines for compliance breaches — of up to 4% of a company’s global annual turnover.

Under GDPR a consent-based legal basis for processing personal data (e.g. person’s location) must be specific, informed and freely given.

In their complaint the groups, which include Norway’s Consumer Council, argue that Google does not have proper legal basis to track users through “Location History” and “Web & App Activity” — settings which are integrated into all Google accounts, and which, for users of Android -based smartphones, they assert are particularly difficult to avoid.

The Google mobile OS remains the dominant smartphone platform globally, as well as across Europe.

“Google is processing incredibly detailed and extensive personal data without proper legal grounds, and the data has been acquired through manipulation techniques,” said Gro Mette Moen, acting head of the Norwegian Consumer Council’s digital services unit in a statement.

“When we carry our phones, Google is recording where we go, down to which floor we are on and how we are moving. This can be combined with other information about us, such as what we search for, and what websites we visit. Such information can in turn be used for things such as targeted advertising meant to affect us when we are receptive or vulnerable.”

Responding to the complaint, a Google spokesperson sent TechCrunch the following statement:

Location History is turned off by default, and you can edit, delete, or pause it at any time. If it’s on, it helps improve services like predicted traffic on your commute. If you pause it, we make clear that — depending on your individual phone and app settings — we might still collect and use location data to improve your Google experience. We enable you to control location data in other ways too, including in a different Google setting called Web & App Activity, and on your device. We’re constantly working to improve our controls, and we’ll be reading this report closely to see if there are things we can take on board.

Earlier this year the Norwegian watchdog produced a damning report calling out dark pattern design tricks being deployed by Google and Facebook meant to manipulate users by nudging them towards “privacy intrusive options”. It also examined Microsoft’s consent flows but judged the company to be leaning less heavily on such unfair tactics.

Among the underhand techniques that the Google-targeted GDPR complaint, which draws on the earlier report, calls out are allegations of deceptive click-flow, with the groups noting that a “location history” setting can be enabled during Android set-up without a user being aware of it; key settings being both buried in menus (hidden) and enabled by default; users being presented at the decision point with insufficient and misleading information; repeat nudges to enable location tracking even after a user has previously turned it off; and the bundling of “invasive location tracking” with other unrelated Google services, such as photo sorting by location.

GDPR remains in the early implementation phrase — just six months since the regulation came into force across Europe. But a large chunk of the first wave of complaints have been focused on consent, according to Europe’s data protection supervisor, who also told us in October that more than 42,000 complaints had been lodged in total since the regulation came into force.

Where Google is concerned, the location complaint is by no means the only GDPR — or GDPR consent-related — complaint it’s facing.

Another complaint, filed back in May also by a consumer-focused organization, took aim at what it dubbed the use of “forced consent” by Google and Facebook — pointing out that the companies were offering users no choice but to have their personal data processed to make use of certain services, yet the GDPR requires consent to be freely given.


Android – TechCrunch

Google Maps’ location sharing will now share your phone’s battery status, too

Early in 2017, Google added a feature to Google Maps that lets you opt to share your location in (near) real time with your close friends and family. Now they’re fleshing out that info with another important little detail: your phone’s remaining battery charge.

It looks like this:

Wondering why anyone might care about the status of your battery?

If you try to ping someone’s location and their phone is dead, there’s not much an app can do. Most location-sharing apps will just sit there and spin while they wait for some sort of response, leaving you to worry about all the reasons their phone might not be responding with a current location. Did they lose signal? Did someone steal their phone?

By clueing you in on whether someone’s phone is just about to die, you’ve at least got a better idea as to what’s going on when the updates go silent.

The folks over at AndroidPolice spotted this in a Google Maps APK teardown back in February, so we knew it was on the way. A few people have mentioned seeing it pop up on their devices since (including variations that only showed when the battery was low), but today it seems to have gone live for a much larger audience.

While the feature is clever, Google isn’t the first to think of it. For example: Zenly, the social map app acquired by Snapchat last year, had a similar feature at launch back in 2016.


Android – TechCrunch

Jiobit launches its more secure, modular child location tracker starting at $100

To date, child location trackers have failed to live up to consumer expectations. They’ve arrived as oversized, bulky watches too large for little wrists, and some have even been designed so insecurely, that it would be safer to not use them at all. A new kid tracker from Jiobit, launching today, wants to address these problems by offering a fully encrypted location tracker with a more modular form factor that makes better sense for small children.

The Chicago-based startup was started by a father – Jiobit’s co-founder and CEO John Renaldi  – after he experienced firsthand the terror of losing track of his then six-year old son at a local park.

“I was a Vice President of Product at Motorola, and was out on a family trip to downtown Chicago with my son, daughter, my wife,” Renaldi explains. The family was at Maggie Daley park when it happened. “Before I knew it – I can’t tell you how I got distracted – but in a sea of other children, I lost track of my son for 30 minutes,” he says.

The child eventually found his parents – he hadn’t wandered off at all, but was having a grand ol’ time playing and didn’t even know he was “lost.”

But the incident led Renaldi to try every sort of tracking product on the market. And he came back disappointed.

“I looked into all these products and they were all storing their certificate keys in the clear. They all were hackable. And I’m just sitting here looking at this thinking, ‘oh my god.’ If someone just spent a little bit of time they could completely intercept all this communication,” Renaldi says.

So he decided the solution was to build a kid tracker himself.

The startup raised seed funding, and brought on co-founder and CTO Roger Ady, previously a director of engineering at Motorola. It went through TechStars in 2016, and raised a little over $ 3 million at the end of the program. To date, it’s raised $ 6 million since its founding in 2015.

The team played around with different designs, but decided against a wristwatch for a variety of reasons – including not only the bulk of the device, but because some schools banned them as classroom distractions.

The Jiobit tracker launching today is small (37mm x 50mm x 12mm) and lightweight (18g or less than 4 quarter coins), and can be worn in many different ways. It comes with a built-in loop attachment for attaching the device to shoelaces, drawstrings, or if it’s being placed in a pocket.

Another attachment, the secure loop, lets you attach it to belt loops, shirt tag loops, or buttonholes.

Although the secure loop is more challenging to attach and remove, from personal experience, I’d recommend this option as the child can’t remove it.

(My Jiobit disappeared one day at school, because it was not secured – and now that it’s offline, it’s just gone forever since the school can’t find it.)

However, in my brief time with the device and app, I thought it was better designed in terms of setup and usage than others I’d tried in the past.

Unfortunately, Jiobit doesn’t have an insurance program for lost or stolen devices – only an accidental damage warranty. So I’d suggest not making my mistake, given the cost.

The Jiobit starts at $ 99.99 for the device with a year contract, or is $ 149.99 for a non-contract device with the option of a commitment-free $ 7.99 per month plan.

It ships with its accessories, cable, and charging dock. More accessories, including colorful covers and other attachments, are in the works.

To locate the child, the Jiobit utilizes a combination of Bluetooth and GPS.

If the child is beyond BLE range – like around your backyard, perhaps, you can switch over to a Live Mode in the app to see their GPS location as a dot. The accuracy of this system is about as accurate as GPS is in a mapping or navigation app. 

Parents can also use the Jiobit app to set up a geofence around specific locations, like home or school, in order to receive check-in alerts when the child leaves or arrives. They can also add other family members, trusted friends, nannies, etc. to a “Care Team” in the app to give those people access to the child’s location.

The company has taken pains to secure the location data that’s stored, says Renaldi, which is a differentiating factor for this company’s solution.

“Everything stored at rest – both on the cloud and on device – is encrypted,” he explains. “Any local data, as well as the encryption keys that are used to transmit the data, are all in a tamper-proof piece of silicon on the device that’s akin to what’s in your iPhone that stores your payment keys for your credit cards. That secure element – that same architecture – is used for us,” Renaldi continues.

That means that no one can get to the keys, even they gained physical access to the device.

“That’s a first in the industry for location tracking products,” Renaldi notes. 

The data is also secured in transit over Wi-Fi, cellular and Bluetooth, as the Jiobit is assigned a unique key – an authentication token – that allows the company to protect the data moving between the device itself and Amazon’s IoT cloud. (More on this here.)

Despite all these protections, one thing that worried me was that there was a history of my child’s exact GPS coordinates being stored – indefinitely – in the cloud. The company says it will soon launch a feature that allows parents an option to save their device’s location history, so it doesn’t want to purge these records for now.

But if you don’t want to save the child’s location history beyond the past few days, you currently have to ask the company to delete your files. (There are only two people at Jiobit who can even look at the GPS history, when the customer requests it.)

Jiobit said its beta testers asked for historical data, which it why it made this decision.

But that seems crazy to me – most parents I know err on the side of being almost overly paranoid when it comes to protecting their kids’ data. I can’t imagine that most would want location data stored forever anywhere, no matter how securely. My guess is that some parents were using the “child tracker” as a “nanny tracker.”

At the end of the day, there’s a certain kind of parent who will buy a kid tracker. It’s someone who wants their kids to have the kind of freedom they remember having from their own childhood  – where parents didn’t hover quite as much as they do today. But they want a little added security.

Selling to this market is challenging however, because a lot of this consumer demand is often just talk. “Oh, I wish I had a kid tracker!” says the mom or dad trotting around behind their child all day. In practice, it’s actually hard to stop helicoptering the kid in a society where this has become the norm, and there’s social pressure to do the same.

There’s also a limited span of years where this device makes sense. Ever younger kids are getting smartphones these days. (You can convert Jiobit to a pet tracker at that point, I suppose.)

Fortunately, the company is planning a future beyond kid tracking. It’s partnering with airlines, businesses, and even government agencies who want to use its location technology in a variety of ways beyond tracking people. NDAs prevent Jiobit from discussing the particulars of these discussions and deals, but it sounds like there’s a Plan B in the works if the kid trackers don’t sell.

In the meantime, parents can buy the Jiobit here, starting today.

Gadgets – TechCrunch