Huq GPS location data sharing

UK-based docation data merchant Huq received GPS coordinates even when mobile users have explicitly opted-out of the collection of this data on individual Android apps, according to app analysis company AppCensus and Vice's Motherboard.

Huq collects and processes over one billion 'mobility events' collected from apps on people's phones apps every day and sells it to clients, including dozens of English and Scottish city councils.

The apps in question measured Wi-Fi strength, scanned barcodes, amongst other things, but appeared to have shared user data for purposes other than those stated, according a Vice report.

The company appeared unaware of the vulnerability, but the findings raised questions about the nature and effectiveness of it's customer/partner compliance checks, which the company said it ran monthly.

Civil rights and privacy advocates suggested the problem reflected poor data sharing practices and governance by the advertising and marketing industry.

Huq, a British firm that sells people’s location data, admitted to a privacy breach where some of its data was obtained without user permission1. 

In two instances, Huq’s app partners did not seek consent from users1. The company stated that these were “technical breaches” of data privacy requirements and that the issues had been rectified1. Huq asked the app partners to correct their code and republish their apps1.

The apps in question, one measuring Wi-Fi strength and another scanning barcodes, were highlighted in a story published by Vice1. The story questioned the clarity for users that apps downloaded for one purpose were sharing information for a completely different one1.

Huq did not rule out the possibility that other apps may have failed to ask for proper consent1. The company emphasized the importance of consent as a vital pillar of data collection and stated that they always act swiftly in case of a breach1.

AppCensus, a company that analyses the privacy of apps, found variations in how users are notified about their GPS location tracker and home Wi-Fi router data being collected across apps that include Huq1. According to analysis from Danish TV2, Android apps are more likely to pass on location data than those on iPhones1.

Investigations, assessments, audits 🧐

• AppCensus (2021). What the Huq?

• VICE News (2021). Location Data Firm Got GPS Data From Apps Even When People Opted Out

News, commentary, analysis 🗞️

• https://www.bbc.co.uk/news/technology-59063766

• https://www.heise.de/news/Populaere-Apps-leaken-Bewegungsprofile-6228973.html

• https://informationsecuritybuzz.com/expert-comments/location-data-collection-firm-admits-privacy-breach/

• https://iapp.org/news/a/location-data-firms-technical-breach-from-lack-of-user-consent/

• https://yro.slashdot.org/story/21/10/28/1919238/location-data-firm-got-gps-data-from-apps-even-when-people-opted-out