Researcher tim.sh discovered that mobile apps, even when location services are disabled, collect and transmit user location data. This happens through ad SDKs embedded in the apps. Collected data includes not just latitude and longitude, but also IP address, timestamps, and other information that allows tracking user movement.
This data is transmitted to third parties through real-time advertising auctions. The OpenRTB protocol is used to exchange vast amounts of data, including device information. The researcher traced the data flow from a simple game to an ad and found that data is passed through various companies.
Disabling the IDFA (Identifier for Advertisers) doesn’t stop data transmission. IP address, location, and other data are still shared with third parties. Furthermore, there are many other identifiers that can be used to track users even without IDFA.
Data marketplaces exist where large datasets of mobile location data are sold. Data brokers aggregate data from different sources and sell it for large sums.
Datasets are also sold that link mobile advertising IDs (MAIDs) to personally identifiable information (PII). This link allows for the re-identification of anonymized data.
Users are largely unaware of these practices. Most don’t know their data is being collected and sold, even by free apps.
Facebook also collects IP addresses and timestamps without user consent.
In conclusion, the research reveals that the mobile app advertising ecosystem allows for the collection and sale of vast amounts of personal data, raising serious privacy concerns.