By: Jon Keegan and Alfred Ng
Life360, a preferred household safety app utilized by 33 million individuals worldwide, has been marketed as a good way for fogeys to trace their kids’s actions utilizing their cellphones. The Markup has realized, nonetheless, that the app is selling data on children’ and households’ whereabouts to roughly a dozen data brokers who’ve offered data to nearly anybody who desires to purchase it.
Through interviews with two former workers of the corporate, together with two people who previously labored at location data brokers Cuebiq and X-Mode, The Markup found that the app acts as a firehose of data for a controversial trade that has operated within the shadows with few safeguards to stop the misuse of this delicate info. The former workers spoke with The Markup on the situation that we not use their names, as they’re all nonetheless employed within the data trade. They mentioned they agreed to speak as a result of of issues with the location data trade’s safety and privateness and a need to shed extra mild on the opaque location data financial system. All of them described Life360 as one of the biggest sources of data for the trade.
“We have no means to confirm or deny the accuracy” of whether or not Life360 is among the many largest sources of data for the trade, Life360 founder and CEO Chris Hulls mentioned in an emailed response to questions from The Markup. “We see data as an important part of our business model that allows us to keep the core Life360 services free for the majority of our users, including features that have improved driver safety and saved numerous lives.”
A former X-Mode engineer mentioned the uncooked location data the corporate acquired from Life360 was amongst X-Mode’s most dear choices because of the sheer quantity and precision of the data. A former Cuebiq worker joked that the corporate wouldn’t have the ability to run its advertising and marketing campaigns with out Life360’s fixed movement of location data.
The Markup was in a position to verify with a former Life360 worker and a former worker of X-Mode that X-Mode—along with Cuebiq and Allstate’s Arity, which the corporate discloses in its privateness coverage—is among the many firms that Life360 sells data to. The former Life360 worker additionally advised us Safegraph was among the many consumers, which was confirmed by an e-mail from a Life360 govt that was considered by The Markup. There are doubtlessly extra firms that profit from Life360’s data primarily based on these companions’ clients.
Hulls declined to reveal a full listing of Life360’s data clients and declined to verify that Safegraph is amongst them, citing confidentiality clauses, which he mentioned are within the majority of its enterprise contracts. Data companions are solely publicly disclosed when companions request transparency or there’s “a particular reason to do so,” Hulls mentioned. He did verify that X-Mode buys data from Life360 and that it is one of “approximately one dozen data partners.” Hulls added that the corporate could be supportive of laws that will require public disclosure of such companions.
X-Mode, SafeGraph, and Cuebiq are recognized location data firms that offer data and insights gleaned from that data to different trade gamers, in addition to clients like hedge funds or corporations that deal in focused promoting.
Cuebiq spokesperson Bill Daddi mentioned in an e-mail that the corporate doesn’t promote uncooked location data however gives entry to an aggregated set of data by its “Workbench” software to clients together with the Centers for Disease Control and Prevention. Cuebiq, which receives uncooked location data from Life360, has publicly disclosed its partnership with the CDC to trace “mobility trends” associated to the COVID-19 pandemic.
“The CDC only exports aggregate, privacy-safe analytics for research purposes, which completely anonymizes any individual user data,” Daddi mentioned. “Cuebiq does not sell data to law enforcement agencies or provide raw data feeds to government partners (unlike others, such as X-Mode and SafeGraph).”
X-Mode has offered location data to the U.S. Department of Defense, and SafeGraph has offered location data to the CDC, in line with public information.
X-Mode and SafeGraph didn’t reply to requests for remark.
The Life360 CEO mentioned that the corporate carried out a coverage to ban the selling or advertising and marketing of Life360’s data to any authorities companies for use for a regulation enforcement function in 2020, although the corporate has been selling data since at the least 2016.
“From a philosophical standpoint, we do not believe it is appropriate for government agencies to attempt to obtain data in the commercial market as a way to bypass an individual’s right to due process,” Hulls mentioned.
The coverage additionally applies to any firms that Life360’s clients share data with, he mentioned. Hulls mentioned the corporate maintains “an open and ongoing dialogue” with its clients to make sure they adjust to the coverage, although he acknowledged that it was a problem to watch companions’ actions.
Life360 discloses within the tremendous print of its privateness coverage that it sells the data it gleans from app users, however Justin Sherman, a cyber coverage fellow on the Duke Tech Policy Lab, mentioned individuals are most likely not conscious of how far their data can journey.
The firm’s privateness coverage notes Life360 “may also share your information with third parties in a form that does not reasonably identify you directly. These third parties may use the de-identified information for any purpose.”
“Families probably would not like the slogan, ‘You can watch where your kids are, and so can anyone who buys this information,’ ” Sherman mentioned.
Two former Life360 workers additionally advised The Markup that the corporate, whereas it states it anonymizes the data it sells, fails to take essential precautions to make sure that location histories can’t be traced again to people. They mentioned that whereas the corporate eliminated the obvious figuring out person info, it didn’t make efforts to “fuzz,” “hash,” mixture, or cut back the precision of the location data to protect privateness.
Hulls mentioned that each one of Life360’s contracts prohibit its clients from re-identifying particular person users, together with different privateness and safety protecting practices. He mentioned that Life360 follows “industry best practices” for privateness and that solely sure clients like Cuebiq obtain uncooked location data. The former X-Mode engineer mentioned that the corporate additionally acquired uncooked data from Life360. The firm depends on its clients to obfuscate that data primarily based on their particular functions, Hulls added.
“Some of our data partners receive hashed data and some do not based on how the data will be used,” the Life360 founder mentioned.
Meanwhile, selling location data has develop into increasingly more central to the corporate’s well being because it’s struggled to attain profitability. In 2016, the corporate made $693,000 from selling data it collected. In 2020, the corporate made $16 million—practically 20 p.c of its income that 12 months—from selling location data, plus an extra $6 million from its partnership with Arity.
While nonetheless reporting a loss of $16.3 million final 12 months, the corporate is increasing its enterprise to incorporate different “digital safety” merchandise, rolling out data breach alerts, credit score monitoring, and identity-theft-protection options. Publicly traded on the Australian Securities Exchange with plans to go public within the U.S., Life360 has additionally acquired firms that develop its monitoring—and doubtlessly its data-gathering capability. In 2019, the corporate bought ZenScreen, a household screen-time monitoring app. And in April, it bought the wearable location system firm Jiobit, geared toward monitoring youthful kids, pets, and seniors, for $37 million. Hulls mentioned Life360 has no plans to promote data from Jiobit units or its digital safety providers.
On Nov. 22, Life360 additionally introduced plans to purchase Tile, a monitoring system firm that helps discover misplaced gadgets. Hulls mentioned the corporate doesn’t have plans to promote data from Tile units.
“I’m sure there are lots of families who do find very real comfort in an application like this, and that’s valid,” Sherman mentioned. “That doesn’t mean that there aren’t ways that other people are harmed with this data. It also doesn’t mean that the family couldn’t be harmed with the data in ways that they’re not aware of, such as that location data being used to target ads [or] used by insurance companies to figure out where they’re traveling and increase their rates.”
Hulls mentioned that Life360 doesn’t share users’ personal info with insurers in ways in which may have an effect on insurance coverage charges.
The Data Pipeline
Life360’s app permits the person to see the exact, real-time location of associates or members of the family, together with the velocity at which they’re driving and the battery stage on their units.
Marketed as a safety app, Life360 is common amongst mother and father who wish to observe and supervise their children from afar. The app affords a lot of the performance of Apple’s built-in location-sharing options, however it contains emergency safety options reminiscent of an SOS button and car crash detection. The firm says these options have saved lives.
But Life360’s location-based options are additionally sources of data factors for a rising, multibillion-dollar trade that trades in location data gathered from cell phones. Advertisers, authorities companies, and buyers are keen to spend a whole bunch of hundreds of {dollars} for location data and the insights that may be derived from them.
While kids can use the app (with parental consent), Life360’s coverage states that the corporate doesn’t promote data on any users below 13. The Children’s Online Privacy Protection Rule (higher often known as “COPPA”) creates restrictions on digital providers utilized by kids below 13, and Life360 has detection strategies like requiring a scan of a mother or father’s ID for underage users. Life360 does “disclose” youthful kids’s info to 3rd events “as needed to analyze and detect driving behavior data, perform analytics or otherwise ,[sic] support the features and functionality of our Service,” in line with its privateness coverage, however not “for marketing or advertising purposes.”
Marketers use location data to focus on advertisements to individuals close to companies, whereas buyers purchase data to find out recognition primarily based on foot visitors. Government companies have purchased location data to trace motion patterns and in a single case to assist “Special Operations Forces mission requirements overseas.”
“It sounds like the company’s pointing to a couple of cases where, sure, they helped somebody, they were able to do something good,” Sherman mentioned. “But then they will not talk about all of the other cases where the buying and selling of this data is potentially very harmful.”
In July, a high-ranking Catholic priest resigned after a Catholic information outlet outed him through the use of location data from the homosexual relationship app Grindr linked to his system. The data was obtained by an unknown vendor, and the report claimed to indicate that the priest frequented homosexual bars. There is no indication that Life360 was concerned on this incident.
Grindr, like different apps that feed data into this trade, is required to ask for location permissions when a person first opens the app.
“We are not aware of any instance where our data has been traced back to individuals via our data partners,” Hulls mentioned. “Furthermore, our contracts contain language specifically prohibiting any reidentification, and we would aggressively take action against any breach of this term.”
In Life360’s case, as a result of of how the app works, it asks for the broadest location permissions attainable for useful functions. Many apps that use location data enable users to grant entry solely whereas it’s in use. Because Life360 is for monitoring whereabouts in actual time, the app asks for location data always—and doesn’t operate except that permission is turned on.
A disclaimer seems in smaller print on the backside of the permissions display screen: “Your location data may be shared with Partners for the purposes of crash detection, research, analytics, attribution and tailored advertising.” Users can disable the sale of their location data within the privateness settings, although that setting is not disclosed in or half of the immediate.
Life360’s Hulls mentioned that millions of its users have used this characteristic to choose out of their data being offered.
For those that haven’t opted out, their Life360 data could also be shared with the corporate’s companions inside 20 minutes of being recorded, a former Life360 worker mentioned.
Hulls mentioned this description was “directionally accurate,” saying it solely utilized to sure companions and use instances.
“For example, some use cases, like road traffic probing, which powers travel time estimates in automotive navigation systems and GPS apps, require very fresh data,” he mentioned.
Privacy researchers and app retailer operators usually search for data brokers’ code in apps for indicators of an app sending data off to 3rd events. But Life360 collects its data straight from the app and gives it to data brokers by its personal servers.
Apple’s and Google’s app shops haven’t any method of detecting this switch of location data to a 3rd celebration. “It makes sense to send this data directly from the server side from the app vendor so it can never be traced or observed by anyone,” mentioned Wolfie Christl, a researcher who investigates digital monitoring.
Hulls mentioned Life360’s methodology of offering data by its personal servers wasn’t an intentional effort to evade detection from researchers and app shops.
“This is completely unrelated. We have our own proprietary sensor technology, which we started building in 2008 well before the emergence of the data industry, and we avoid using SDKs that could have a negative battery impact or other interplay with our own sensor technology,” he mentioned.
Google didn’t remark on why Life360 was in a position to promote data this manner regardless of its coverage towards selling location data. Apple spokesperson Adam Dema responded with a hyperlink to Life360’s privateness coverage however didn’t remark concerning the firm’s data gross sales to firms like SafeGraph and X-Mode.
Hulls mentioned Life360 de-identifies the data it sells, which might embrace a tool’s cellular promoting ID, IP deal with, and latitude and longitude coordinates collected by Life360’s app.
Hulls clarified that “de-identification” includes eradicating usernames, emails, cellphone numbers, and different varieties of identifiable person info earlier than the data is shared with Life360’s clients. The data offered nonetheless features a system’s cellular promoting ID and latitude and longitude coordinates.
Even with out names or cellphone numbers, researchers have repeatedlydemonstrated how “anonymized” location data can simply be related to the individuals from whom it got here.
And privateness specialists observe that cellular promoting IDs are extra beneficial than identifiers like names.
“This code can be used to track and follow you across many life situations,” Christl mentioned. “As such, it is a much better identifier than a name.”
Controversial Partners
The location data trade operates largely out of public view and with little oversight or regulation. Some of Life360’s companions have confronted controversy prior to now over how they deal with data and privateness.
Started in 2013 as Drunk Mode, a novelty app that “prevents users from drunk dialing,” X-Mode was reportedly banned from the massive app shops after Vice’s Motherboard reported that the corporate was selling location data from Muslim prayer apps like Muslim Pro to U.S. authorities contractors related to nationwide safety, elevating issues about unconstitutional authorities surveillance.
Public information present that X-Mode acquired at the least $423,000 from the U.S. Air Force and the Defense Intelligence Agency for location data between 2019 and 2020. The firm additionally offered data on Americans in profiled units, like individuals who have been drivers or more likely to store at malls, in line with Motherboard.
In August, X-Mode was bought by mental property intelligence agency Digital Envoy and rebranded as Outlogic.
In response to the backlash over X-Mode’s selling location data to protection contractors, its new homeowners mentioned the corporate would cease selling U.S. location data to such firms.
“We cannot comment on the practices of another company or what that company does with data it receives from other sources,” Hulls mentioned. “However, Life360 has worked closely with X-Mode to ensure that X-Mode and all of its data customers do not sell data originating from Life360 to law enforcement agencies or to any government agency to be used for a law enforcement purpose.”
SafeGraph is one of the most important corporations within the location data enterprise, and its buyers embrace enterprise capitalist Peter Thiel; Prince Turki Al Faisal Al Saud, former head of Saudi intelligence; and Life360’s chief enterprise officer, Itamar Novick.
The firm focuses on data that associates locations of curiosity with uncooked coordinates, including a layer of which means to the uncooked location data that the corporate ingests. SafeGraph was recognized as not only a buyer of Life360’s data but additionally a serious associate in an e-mail from a Life360 govt that was considered by The Markup.
In April, as first reported by Motherboard, SafeGraph was awarded a $420,000 contract to promote data to the Centers for Disease Control described as “Data Gathering and Reporting.” The Washington Post additionally reported that SafeGraph shared billions of cellphone location information with the D.C. Department of Health by its spinoff firm Veraset.
The firm overtly sells location data on Amazon’s data market, together with a $240,000 yearly subscription to data on individuals throughout the U.S. Veraset has boasted of selling location data for functions together with advertising and marketing, actual property, investing, and metropolis planning.
Sen. Ron Wyden has flagged SafeGraph as a “data broker of concern” to Google, Wyden’s chief communications officer, Keith Chu, mentioned in an e-mail. The Democrat from Oregon has made a number of makes an attempt to talk with SafeGraph to study extra about how the corporate obtains, sells, and shares Americans’ location data, however the firm by no means responded, Chu mentioned.
Cuebiq additionally labored with the Centers for Disease Control, with a $208,000 contract awarded in June for aggregated location data, in line with public information.
The CDC didn’t reply to requests for remark.
During the start of the coronavirus pandemic, Cuebiq grew to become a important supply of location data for information retailers trying to report on individuals’s actions after cities and states issued stay-at-home orders. Outlets together with The New York Times and NBC News acquired location data from Cuebiq for his or her analyses.
It’s been instructed that location data brokers like Cuebiq are utilizing the pandemic to enhance their public status by presenting themselves as instruments for public well being slightly than as mechanisms for surveillance.
Cuebiq’s Daddi mentioned the corporate’s data has helped within the aftermath of pure disasters and public well being crises.
Safety vs. Privacy
Life360 has positioned itself as “the leading digital safety brand for families.” But specialists say households who use it aren’t essentially serious about their digital safety.
“An app that claims to be a family safety service selling exact location data to several other companies, this is a total disaster,” Christl mentioned. “It would be a problem if it’s any other app, and it’s even more a problem when it’s an app that claims to be a family safety service.”
Life360 has confronted issues over privateness prior to now. In mid-2020, teenagers, displeased on the privateness invasion of an app that allowed their mother and father to minutely observe their actions, took to TikTok to encourage their friends to bomb the app with damaging evaluations. Over the course of a month, the app acquired greater than 1,000,000 one-star evaluations, driving the common score down from 4.6 to 2.7 stars.
Hulls responded by including a “bubbles” characteristic that reveals mother and father a extra obscure location of their youngster (however nonetheless permits mother and father to see actual areas with an extra step). He additionally recruited and paid teenagers to hawk the app on TikTok, leading to a “viral surge in downloads,” in line with the corporate.
Those teenagers, nonetheless, have been probably not conscious that their mother and father have been hardly the one ones aware of data on their actions.
Samira Madi, an 18-year-old pupil in Texas, began utilizing Life360 when she was 15. She didn’t have an issue with the corporate sharing her location data for advertising and marketing and promoting functions, which the corporate readily disclosed.
After studying about who Life360 was selling data to, and the dimensions it was offered at, Madi felt that the corporate crossed a line.
“I had no idea it would be passed around this way,” Madi mentioned in an e-mail. “This concerns me because I would not want my location data to possibly be sold to people with ill intentions.”
This article was initially printed on The Markup and was republished below the Creative Commons Attribution-NonCommercial-NoDerivatives license.