Slashdot Mirror
Pandora App Sends Private Data To Advertisers
Trailrunner7 writes "An analysis of the popular free mobile application from online music service Pandora.com that is the subject of a grand jury investigation into loose data privacy practices in the mobile application market confirms that the application silently sends reams of sensitive data to advertisers. The analysis was conducted by application security firm Veracode and found that Pandora's free mobile application for Android phones tracked and submitted a range of data, including the user's gender, geographic location and the unique ID of their phone, according to an entry on Veracode's blog."
As I said last time, "I stopped using their app when it wanted access to the system logs. This includes all notifications of pretty much everything going on on your phone. It might help them debug the app, it might help them with advertisers. Who knows. I just knew their app wasn't worth it."
This is potentially a much more massive problem than we have been told.
Pandora can have the SSNs of everyone I know if they'll just keep providing their free musical goodness.
So, you mean all those ads at the bottom of the Pandora app that were specific to my home town wasn't just a random coincidence? How is it taking these things "silently" when it tells you exactly what you are giving it access too? Obviously, knowing where you live has no bearing on the type of music it's going to play. What else did people think this was going to be used for?
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
seriously, what do you expect from a free app that streams licensed music that they had to pay for? a bunch of ads no one clicks on?
this is how google makes money, metrics. everyone is doing it as well.
Wondering if I should uninstall their app from my iPhone.
Now he's listening to Nirvana...now he's listenning to David Bowie...now he's listening to Twisted Sist- oh wait he skipped that one.
The big problem here is that whenever you install any application, you're technically giving the designers virtually free reign to do whatever they like with your system/PC/phone/whatever.
Once permitted in, most commercial applications barge into your PC, rewrite whatever files they please, alter configuration settings, gobble up memory, install themselves as startup applications and often install an entire suite of unwanted applications and advertisements you didn't even ask for. Then they plonk themselves down in your living room, feet on the sofa, and begin to shout at you, along with all the dozens of other loudmouth applications you've invited in.
May the Maths Be with you!
Google needs to change the security model to allow finer grained access and more information to users about how much information that access allows. I should be able to install an application that wants access to my contacts but choose to deny that access with a warning that it may affect the functionality of the app. There should be more detail information on just what information an application can get hold of with that access. I think using the SELinux model of security in the kernel would be a good idea. If I don't grant an application process rights to certain files, it can't get access no matter what.
The actual Vericode post says it's both the iPhone and Android versions. I'm not sure why the article linked in the summary [and thus the summary] only mentions the Android version.
I wonder then, does the web browser interface do something similar, minus the GPS info of course? What about the Pandora One desktop app?
Nothing to see here
Pandora got caught. Getting caught is the anomaly. And people will never learn that there is no privacy on a networked computer
For justice, we must go to Don Corleone
When you install that application on android (or any application for that matter), you have to grant it (and by that I mean, acknowledge) permissions asked by the application.
It's the lusers fault for giving "Tom Talking Cat" privileges to fully control their phone, GPS, read contacts, browse the internet freely.
No idea if that app actually asks for all that crap, but there are plenty that do when they're nothing more than a stupid text editor.
Because that's much more plausable than just following someone, or waiting in a secldued area for someone to wander by.
Despite the suit, recent SEC filing suggest eveything pointing up:
* Revenue skyrocketed from $55,189,000 in FY2010 to $137,764,000 in FY2011.
* Advertising revenue rose from $50,147,000 in FY2010 to $119,333,000 in FY2011.
* Subscription and "other" revenue increased from $5,042,000 in FY2010 to $18,431,000 in FY2011.
* Despite rising content acquisition costs (up from $32,946,000 to $69,357,000 between FY2010 and 2011), Pandora's loss narrowed from $15,549,000 in FY2010 to $321,000 in FY2011.
Despite strong competition such as Sirius XM radio and even Apple to that regard, I wouldn't worry much.
New Economic Perspectives
I imagine it determines your location when over wifi and assumes that's where you are until it detects a new wifi connection. I'm guessing this since while on the road in Ohio and Pennsylvania, it gave me ads relating to stuff in southeastern Michigan, the last area I'd connected to wifi in.
Does anyone know how they collect geographic information when the application requires neither coarse location nor fine location?
The lack of those Android permissions either makes this a bigger story than simply Pandora sending information, or it makes me skeptical of the researchers' claims.
Maybe (and this is only a guess) they turn on WiFi and look at nearby SSIDs, the same way Google does.
The app has permission to alter network state and look at WiFi settings: https://market.android.com/details?id=com.pandora.android
Gender, location, phone? It is clear what the people at Pandora are doing, trying to get dates.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
Honestly, I wouldn't mind them doing this if they had been clear and upfront with their intentions. Something along the lines of...
"We will provide you a free service in exchange for client usage statistics. This information will be shared with 3rd party marketing firms"
It's not so much what they do with this information in so much that I no longer feel safe reading this first time on Slashdot. How can I trust them now? I can never trust a sneaky bastard. Because of their lack of disclosure, Pandora just got uninstalled from my Droid.
Life is not for the lazy.
I would imagine all the app needs to do is see what IP you're connected to the internet from, whether you're on WiFi or on the mobile network. Just about all subnets are traceable to a city.
Loading...
The actual Vericode post says it's both the iPhone and Android versions. I'm not sure why the article linked in the summary [and thus the summary] only mentions the Android version.
I wonder then, does the web browser interface do something similar, minus the GPS info of course? What about the Pandora One desktop app?
There are specs for getting geolocation information via JavaScript, so possibly. However, your browseri s supposed to ask your permission prior. This also doesn't preclude other Pandora components, such as Flash, which may have their own API.
That said, am I the only one who just doesn't care? This company is providing bandwidth and fronting music industry negotiations in order to deliver a useful and valuable service to me for free. As per the implicit (and explicit) contract with almost every modern free service, it's a willing exchange of information, and I'm perfectly willing to trade my phone ID and location for this service (for now).
It would be nice, though, if there was an Android requirement that each application disclosed exactly what data it was collecting, and for what purpose, in order to be included in the Marketplace.
Only the mobile phone carriers should be allowed to collect large, but unknown, piles of personal information silently and without oversight! It is an outrage that others would dare to step onto the rightful domain of these oh-so-helpful surveillance buddies.
On a more serious note: What I would really like to see in Android(and other mobile operating systems; but a 3rd party build of Android is pretty much the only one where this would ever see the light of day on any hardware that isn't a laptop-size dev board...) is a supplement to the existing system of granular access-request application permissions:
Spoofing.
At present, you can see what permissions an application demands(perhaps not at quite the level of granularity that would be ideal; but the concept is good, and refinements aren't fundamentally challenging); but you have no way of pushing back against an application that seems a bit uppity, other than refusing it. What would be ideal would be a way of setting up multiple instances of the various Android content providers. One set of instances would be the 'real' one, populated with actual system data(address book, location, etc, etc.) Other instances would be various flavors of 'fake', either generated by applying an overlay filter to the real ones(ie. I might want to give an application that uses location data access to 'location data, but truncated to ~city level accuracy', which would be a content provider generated by a simple mathematical operation against the genuine content provider for location data), or auto-generated to look plausible; but be completely unrelated to the truth(ie. an 'address book' consisting of a simple dump of 47 name/number pairs from a phone book). This would allow you to push back against applications that demand more than they need to know; by allowing you to fulfil their architectural 'requirements'; but choose for yourself which are actually necessary for what you want to do(if you want a navigation app to work, you do need to give it your real location. If you just want dining recommendations, you may only feel the need to give it city-level accuracy, and feel no need whatsoever to give over your real address book for 'social dining integration'...)
Such a system would have additional benefits: it would make tasks like separating work/personal(or personal/er... 'extracurricular' if that is your style) architecturally clean and much lighter-weight than virtualization. You could have multiple true address books, say, one accurately reporting your personal contacts, and one accurately reporting your work contacts, and you could point twitfrienddroidfeed at the first and seriouscorporatemail at the second.
the you, the user of that service, are the product.
Best Slashdot Co
Please excuse my ignorance. but how is this illegal? companies do this all the time over the web. tracking where you log in from, how long you are one each page, and what sites you visit every time most people use the Internet. I think this practice is defiantly immoral, but give how constrictive contracts are I don't see how this is against the law. if you could point me towards some case law or a brief it would be much appreciated.
The only ads I ever got on Pandora before paying were those "cheap vacations for students" ads over and over and over again. Nothing localized/individualized at all.
Slacker Radio
System Tools
Change Network connectivity, change Wi-Fi state, read system log files, prevent phone from sleeping.
Network communications
Full Internet Access
Phone calls
Read phone state and identity
Storage
Modify/delete SD card contents
Why does a radio app need to be able to turn on/off my wifi? Why does it need to read my system logs? Why does it need to be able to add or delete things from my SD card? (It's streaming music...)
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
All the better to target ads at you my dear!
Domestic spying is now "Benign Information Gathering"
I've seen more and more apps adding "Change Wi-Fi State" permissions, and i wondered why that was. I assume they do it because otherwise you can install the app, but then turn off GPS and/or coarse GPS system-wide and they get nothing. This way they can get it regardless.
I actually uninstalled Pandora when I saw that it had access to my contacts and calendar. I think that would have stuck out to me when I installed it, but I think it came pre-installed on my phone. A month later they updated it, and I saw that crazy list of permissions and uninstalled it
a/s/l????
which has this permissions screen ....
System Tools
Change network connectivity, change Wi-Fi state , read system log files, prevent phone from sleeping
Network Communication
Full Internet access
Phone Calls
Read phone state and identity
Storage
Modify/delete SD card contents
So, not a whole lot of difference. The arguments on which radio app to use needs to be on the merits of the app/song selection, not on the treatment of your privacy.
I've read the articles and seen what they are sending, and I don't care. With Pandora, I get all my music for free, and I'm willing to trade some info for that.
I remain curious as to how Android knows my gender, however. Sure, you could guess from my name, but I'm pretty sure there isn't a checkbox for "sex" anywhere in my phone config. Regardless, it wasn't a secret anyway. :)
Necron69
Haven't updated the app since it started asking for "Personal Information" permissions several months ago.
I'm rather curious as to how the app is supposed to be determining my gender/sex in the first place. Algorithmically based on the songs I listen to? If so, all those Glee songs I upvoted are probably throwing it off.
Slacker doesn't just stream, it stores data. You can sync your Slacker to save hours of steams to your device for later playing. This is also why it can change your wifi state. Granted, the Slacker Player itself is the best way to go
It doesn't necessarily. Your Pandora account does though since you filled that out when making it.
while(1) attack(People.Sandy);
I'm actually interested to see the hard facts on this concerning the iphone. When I pull up my location services on my phone it claims to list all of the applications that have requested my location in the past 24 hrs and pandora is not listed. I always thought the geographic data was pulled from my profile, mostly because all my ads are based on Chicago products, though I haven't lived there in 10 years. And yes, lets be honest, why would I my actual information in my profile? When signing in Pandora states that "Pandora may use your device model, ID and system version to personalize listening and advertising". Nope, nothing about geography...
Having read their actual analysis which was linked by someone in a comment further down, it would appear they're not actually reading the code correctly. They claim that calling unknown.checkCallingOrSelfPermission "requests permissions for both COARSE_LOCATION, and FINE_LOCATION". What it actually does is check whether the app has these permissions, presumably so that the library can skip any attempt to retrieve GPS information when used in an app that hasn't requested permission to do so.
I'm curious if paying subscribers are also having their privacy raped by Pandora. Most likely, but it would be nice if they didn't.
What about detailed ingredients in the food you buy? Warning for genetically altered food? Is that for stupid people also?
You sound like such a tough guy, though... You must be really awesome.
"Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
Instead of being sneaky,breaking privacy laws, why the hell don't they just ask what products you would like advertised? And just because they can spy doesn't make it right or wanted. It should be an opt-in choice and always upfront
Jack of all trades,master of none
Is an app that sits between your personal and phone info and all your other apps and controls what data gets presented to each app
You mean, something that keeps each app in something akin to its own "play area". Kind of like a kid's sandbox...
Now only if there was a mobile OS that did that for you. And even better, one that automatically asked you for permission when certain "privacy-related" features, like location services, are accessed by an app for the first time, and gave you an easy-to use way to see if an app had tried to do that in the past 24 hours, and even better, let you change your mind about permissions after you had already installed the app, on a global, or app-by-app basis.
Oh, wait...
"Any app that uses internet could find out where you are by your ip address"
Do you think your ip address changes from tower to tower or something?
On the level of this topic- the locations being sought are on mobile phones, that in a given day could be anywhere in a 300 mile radius of start point at the extreme, 50-70 miles in a given commute easily.
The advertisers that want your location, want to know what restaurant you might be near for example.
and you think this can be determined simply from a cell phone IP address?
every day http://en.wikipedia.org/wiki/Special:Random
OK, time to sue. We need to not just spank these guys with a nice hefty fine which will go towards keeping our incompetent government officials being paid for doing what they don't do, we need to sue these guys and actually put them out of biz. If I was to sneak into your house and copy information from papers on your desk, I'd be in jail. You know whats going to happen here? Nothing. Just like every other fkng internet crime by a company or corporation. They just offset the cost of the fine and roll it out of dividends and the stock goes down for awhile. Please... give me a break.
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
Weren't these the same plucky underdogs who begged right-thinking, savvy freedom lovers to come to their defense against the evil MAFIAA trying to shut them down though usurious fees? And this is their reward? Thanks for nothing (and all the ads).
Sends junk data instead of true data for any app.
Okay, I'll accept the SD storage requirement (wish I had the ability to say, "Here is where you will store your data and this is the only folder you will see" though)... but system logs? The WiFi state change I do not understand. If I wanted it to connect to a WiFi node, I'll turn it on. It should use whatever connection it's told.
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
I wanted to know how it worked with paid subscribers, so I pulled up the privacy inspector app (which I've never used before so can't vouch for its worth) and scanned pandora. The only permissions it uses are the device ID (for auto login), network type and network status. Seems reasonable to me.
Or in this particular case, maybe they want to do that so that they can send you music over wireless when available, at higher fidelity with lower battery drain?
You're special forces then? That's great! I just love your olympics!
If you've ever developed for iOS or Android and wanted to release an ad-supported app, then you're probably aware of the plethora of mobile advertising networks available. The APIs they distribute determine what data is used to serve an ad. Some ad networks only require internet access, but others want location, tasks, phone identity, and/or phone state. Often, the networks that seek more data generally provide developers with more ad revenue. Do men want to see ads for vagisil and maxi-pads? Maybe, but chances are they wont click on those so why waste the time and bandwidth serving irrelevant ads? The more permissions an ad network requires, the more targeted an ad will be... or at least, that's the theory. These data are generally harmless and if they're not collecting your phone number, address, or email address, then it's not like you'll start receiving spam and junk mail. Honestly, Facebook gathers way more identifying information than these apps. Sadly, the number of ad networks that only require internet seems to be dwindling. I don't know whether using these data to seed ads has any impact on click-through-rates, but if they do, fighting for fewer permissions is going to be an uphill battle. If you're really worried about such permissions, check to see if there's an ad-free alternative and pay for it.
Pandora is now gone from my Android phone. It is only unfortunate that the uninstaller I used didn't allow me to send them a profane nastygram in the process. It should be labeled MALWARE in the apps store.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Actually all those Glee songs may be outing your orientation. :^)
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Uninstalled the app, gave a negative review referring to this grand jury investigation, and upvoted all the other negative ratings for this privacy issue. I'm sure the damage has already been done, but this at least makes me feel better and hopefully hurts Pandora's reputation a bit.