UK-based Huq acknowledges at least two of its partner apps collected users’ location data even when users had explicitly opted out
Huq, a British company that sells location data collected by smartphone apps to third parties, has acknowledged that at least two of its partners obtained data without users’ consent.
The company said the two apps in question have now fixed the issue.
The two apps, one that measures Wi-Fi signal strength and another that scans QR codes, were found to be transmitting location data to Huq even if users selected a preference within the app to opt out of data collection, according to a report by Vice.
The report cited findings by AppCensus, a company that analyses the privacy of smartphone apps.
Huq chief executive Conrad Poulson said in a statement that although Huq data is used anonymously, user consent is “vital… and must be taken seriously”.
“We strive to ensure consent is explicitly sought by all our app partners. If there is a breach, we always act swiftly,” he said.
The company said it had asked the two apps in question to “rectify their code and republish their apps” and said they had done so.
Kaibits Software, which develops “Network Signal Info”, one of the apps in question, told the BBC there had been “problems with the permissions”, but these had been solved.
AppSourceHub, the developer of QR & Barcode Scanner, did not immediately respond to a request for comment.
Huq obtains one billion mobility events from apps in 161 countries, selling the information to customers in the financial investment, retail and real-estate sectors, as well as to local governments, including dozens of English and Scottish city councils, according to the company’s website.
The firm said it was “possible” other partner apps might also fail to obtain proper consent. “What’s important is how quickly we act and how seriously we take the issue,” the company stated.
Google said it was “aware” of the reported privacy failures of the two apps and was investigating.
Aside from the preferences within the app, apps’ access to location data can be also blocked by OS-level controls on Android and iOS devices.
The privacy of mobile devices has become an increasingly sensitive issue, with Apple controversially introducing additional privacy controls for its devices earlier this year.
Google said last week it was updating its policies to prohibit linking persistent device identifiers to personal and sensitive user data, or resettable device identifiers, such as an Android advertising ID, except for pre-approved use cases. The change was to take effect on 28 October, Google said.
The Danish data authority is currently investigating whether there is a “legal basis” for the way Huq processes personal data.
Separately, the UK Information Commissioner’s Office (ICO) has reprimanded UK-based data collection firm Tamoco for “failing to provide sufficient privacy information to UK citizens” and has asked the firm to “review the personal data they collected to ensure that UK citizens’ data is no longer processed and that any remaining records should be deleted”.
In 2019 Norwegian broadcaster NRK purchased raw data from Tamoco that had been anonymised, but journalists were easily able to determine the real identities of people and track them.
NRK’s investigation followed similar research in 2017 by a German team that found it was “easy” to identify individuals based on anonymised data collected by several popular browser extensions.