Slashdot Mirror


Pandora App Sends Private Data To Advertisers

Trailrunner7 writes "An analysis of the popular free mobile application from online music service Pandora.com that is the subject of a grand jury investigation into loose data privacy practices in the mobile application market confirms that the application silently sends reams of sensitive data to advertisers. The analysis was conducted by application security firm Veracode and found that Pandora's free mobile application for Android phones tracked and submitted a range of data, including the user's gender, geographic location and the unique ID of their phone, according to an entry on Veracode's blog."

37 of 198 comments

  1. As I said last time by Anonymous Coward · · Score: 5, Informative

    As I said last time, "I stopped using their app when it wanted access to the system logs. This includes all notifications of pretty much everything going on on your phone. It might help them debug the app, it might help them with advertisers. Who knows. I just knew their app wasn't worth it."

    This is potentially a much more massive problem than we have been told.

    1. Re:As I said last time by Creepy · · Score: 2

      I stopped at the user agreement, which had something like "address book access"... - why the @*%& does a music app need access to my address book? And the conclusion I came to was "so it can steal all of the email addys in there and sell them to spammers." This is hardly the first app I've nixed for wanting way more access than I was willing to give it.

    2. Re:As I said last time by Gutboy · · Score: 5, Insightful

      Google needs to allow you to authorize specific permissions for apps, not their current 'all or nothing' system. This way you could say "Yes, you can have my position because I believe a GPS mapping system needs that, but no you can't have my address book, since a GPS system doesn't need that". Sure it would screw advertisers over, but I don't care about them. Not everything in the world needs to have advertising on it.

    3. Re:As I said last time by Belial6 · · Score: 3, Insightful

      Every time this comes up, the Android folks say that they uninstalled Pandora when they tried to get access to our personal data. No one talks about the data stealing on iPhones. Is that because we know they are not doing it on iPhone, or because the iPhone doesn't warn the user that the app is stealing their data?

    4. Re:As I said last time by Skuld-Chan · · Score: 2

      Here's why that is flawed about this: a GPS system would need an address book - what if you want directions to someone in your address book? People also ask why a GPS program would need access to the dialer? Remember that funny iPhone ad where they use google maps to find Sushi in San Francisco and then *call* the place up?

      All that setting would do for the app maker is generate an angry call/comment from some idiot end user who didn't click on that permission... I agree it would be a cool tool for power users though.

      I think a better solution for most end users would be for Google to highlight in bold red permissions that are typically not needed in apps - like dialing numbers, sending text messages (anything that goes under the category "stuff that costs you money"), recording calls, reading system logs etc.

    5. Re:As I said last time by IICV · · Score: 2

      You know, I was about to post "there's no way that could work, it would make developing for the Android too difficult if the user can arbitrarily lock you out of the phone's features".

      But then I realized that there's a very simple solution: if the user denies access, just give the app dummy data. Deny access to my GPS co-ords? Well then, whenever the app asks for location data it's told we're at the North Pole. Deny access to contacts? The app is told you only have one contact, whose name is "access denied".

      Then, if the app is badly written and doesn't check, it'll just get useless data; if it's smarter, it can check the data it gets, test to see if it's the well-known dummy values, and if so prompt the user for access or something. It would be better than this all-or-nothing approach, at least.

    6. Re:As I said last time by MozeeToby · · Score: 3, Informative

      No. Currently an app has a list of permissions it requires. If that list includes something you don't want that app to have access to, the only course of action is to not give the app access to anything (via not installing it). OP would like the ability to look at the list of permissions and, for example, remove Pandora's permission to view notifications and system logs without removing the rest of the permissions for the app.

      I suspect that at least part of the reason this isn't easily done is for a few reasons. Obviously, the app makers aren't going to like it, since it will make advertising less effective and has the potential to generate lots of complaints when the apps don't work as advertised. Less obvious is the way apps are encrypted. I believe their permissions form part of the encryption key such that the app cannot run with more (or fewer) permissions than it was originally built for. This forms one of the central and most powerful anti-malware features of Android phones and I suspect they don't want to risk messing about with it more than they have to.

    7. Re:As I said last time by MrHanky · · Score: 3, Informative

      According to WSJ, who had an article the other day,

      In Pandora's case, both the Android and iPhone versions of its app transmitted information about a user's age, gender, and location, as well as unique identifiers for the phone, to various advertising networks. Pandora gathers the age and gender information when a user registers for the service.

      So I can't really see how Apple's system is all that much better. (And no, you don't need to use GPS to send location data, and neither is it used by advertisers.)

    8. Re:As I said last time by Coren22 · · Score: 2

      http://blog.pandora.com/faq/contents/1643.html

      I guess they lie in their FAQ, but they do explain why they need that access.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  2. Wait a minute... by Nidi62 · · Score: 5, Insightful

    So, you mean all those ads at the bottom of the Pandora app that were specific to my home town weren't just a random coincidence? How is it taking these things "silently" when it tells you exactly what you are giving it access to? Obviously, knowing where you live has no bearing on the type of music it's going to play. What else did people think this was going to be used for?

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  3. what do you expect for free? by alen · · Score: 4, Insightful

    seriously, what do you expect from a free app that streams licensed music that they had to pay for? a bunch of ads no one clicks on?

    this is how google makes money, metrics. everyone is doing it as well.

    1. Re:what do you expect for free? by BradleyUffner · · Score: 2

      seriously, what do you expect from a free app that streams licensed music that they had to pay for? a bunch of ads no one clicks on?

      this is how google makes money, metrics. everyone is doing it as well.

      I expect it to act the same as the Free PC version on the Web. Advertising is fine. you DO NOT need access to my system logs, contact list, GPS position. Your website got along just fine without that data, so can your android app. I also expect that since I paid for a Pandora subscription on the PC that I should have access to an android version without advertising.

  4. Live in Application by ObsessiveMathsFreak · · Score: 4, Insightful

    The big problem here is that whenever you install any application, you're technically giving the designers virtually free rein to do whatever they like with your system/PC/phone/whatever.

    Once permitted in, most commercial applications barge into your PC, rewrite whatever files they please, alter configuration settings, gobble up memory, install themselves as startup applications and often install an entire suite of unwanted applications and advertisements you didn't even ask for. Then they plonk themselves down in your living room, feet on the sofa, and begin to shout at you, along with all the dozens of other loudmouth applications you've invited in.

    --
    May the Maths Be with you!
    1. Re:Live in Application by Haedrian · · Score: 2

      Android has a list of 'permissions' which you must give an application access to before it can use them. Unfortunately it's an 'all or nothing', sort of thing, so you either accept them all and install it, or deny them all and don't install it.

      It does not give the designers 'free rein' to whatever they want. So if you accepted that an app gets access to logs, to your location, to your phone ID, then it's your fault and you only have yourself to blame. Granted, it's a legit app, if it was a virus that's different.

    2. Re:Live in Application by houstonbofh · · Score: 2

      And people ask why I still have a dumb phone...

  5. SELinux type security for Android by Bocaj · · Score: 5, Informative

    Google needs to change the security model to allow finer grained access and more information to users about how much information that access allows. I should be able to install an application that wants access to my contacts but choose to deny that access with a warning that it may affect the functionality of the app. There should be more detailed information on just what information an application can get hold of with that access. I think using the SELinux model of security in the kernel would be a good idea. If I don't grant an application process rights to certain files, it can't get access no matter what.

  6. Not just android by ender- · · Score: 5, Interesting

    The actual Veracode post says it's both the iPhone and Android versions. I'm not sure why the article linked in the summary [and thus the summary] only mentions the Android version.

    I wonder then, does the web browser interface do something similar, minus the GPS info of course? What about the Pandora One desktop app?

    1. Re:Not just android by LoganDzwon · · Score: 2

      I was about to reply that I found it "very suspicious that the article omits ios... " then I realized your article doesn't either. It just includes a quote from another article; http://online.wsj.com/article/SB10001424052748703806304576242923804770968.html which explains why they were looking, not what they looked at. The iOS version simply was not examined for this test. Most likely because an iOS app is not privileged to the private data in question. That whole walled garden thing.

    2. Re:Not just android by rocketPack · · Score: 2

      Was someone under the impression that any of this was a secret?

      One need only look at the privacy policy to figure this out: http://www.pandora.com/privacy/

      Information about your computer or device: We may also collect information about the computer, mobile or other devices you use to access and listen to the Service. For example, our servers receive and record information about your computer and browser, including potentially your IP address, browser type, and other software or hardware information. If you access the Service from a mobile or other device, we may collect a unique device identifier assigned to that device or other transactional information for that device.

      With such headings as "Automatic Data Collection", "How we use the information we collect:", and "How the information we collect is shared:" it's kind of hard for me to see how there was any ambiguity?

      On the other hand, I know most people never bothered to read the privacy statement but that is by no means Pandora's fault. They provided the information - if users failed to actually read it, that's on them.

  7. Everybody's doing it by countertrolling · · Score: 2

    Pandora got caught. Getting caught is the anomaly. And people will never learn that there is no privacy on a networked computer

    --
    For justice, we must go to Don Corleone
    1. Re:Everybody's doing it by sandytaru · · Score: 2

      Just because everyone is doing it doesn't make it right - or legal.

      --
      Occasionally living proof of the Ballmer peak.
  8. Re:What about iOS version? by Anonymous Coward · · Score: 2, Insightful

    You should also uninstall the internet, because almost all ads use targeting. This story is pointless.

  9. Looking forward for Pandora IPO by ub3r+n3u7r4l1st · · Score: 4, Interesting

    Despite the suit, recent SEC filings suggest everything pointing up:

            * Revenue skyrocketed from $55,189,000 in FY2010 to $137,764,000 in FY2011.
            * Advertising revenue rose from $50,147,000 in FY2010 to $119,333,000 in FY2011.
            * Subscription and "other" revenue increased from $5,042,000 in FY2010 to $18,431,000 in FY2011.
            * Despite rising content acquisition costs (up from $32,946,000 to $69,357,000 between FY2010 and 2011), Pandora's loss narrowed from $15,549,000 in FY2010 to $321,000 in FY2011.

    Despite strong competition such as Sirius XM radio and even Apple to that regard, I wouldn't worry much.

  10. Re:Without Android Permission? by WhirlwindMonk · · Score: 2

    I imagine it determines your location when over wifi and assumes that's where you are until it detects a new wifi connection. I'm guessing this since while on the road in Ohio and Pennsylvania, it gave me ads relating to stuff in southeastern Michigan, the last area I'd connected to wifi in.

  11. Re:Without Android Permission? by xaxa · · Score: 2

    Does anyone know how they collect geographic information when the application requires neither coarse location nor fine location?

    The lack of those Android permissions either makes this a bigger story than simply Pandora sending information, or it makes me skeptical of the researchers' claims.

    Maybe (and this is only a guess) they turn on WiFi and look at nearby SSIDs, the same way Google does.

    The app has permission to alter network state and look at WiFi settings: https://market.android.com/details?id=com.pandora.android

  12. Obvious what they are doing by Hoi+Polloi · · Score: 2

    Gender, location, phone? It is clear what the people at Pandora are doing, trying to get dates.

    --
    It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    1. Re:Obvious what they are doing by berashith · · Score: 3, Funny

      yup , the stalkers employed by pandora can send Barry White tunes to any stranger that they need to get in the mood.

  13. Foul playback by DigiShaman · · Score: 2

    Honestly, I wouldn't mind them doing this if they had been clear and upfront with their intentions. Something along the lines of...

    "We will provide you a free service in exchange for client usage statistics. This information will be shared with 3rd party marketing firms"

    It's not so much what they do with this information in so much that I no longer feel safe reading this first time on Slashdot. How can I trust them now? I can never trust a sneaky bastard. Because of their lack of disclosure, Pandora just got uninstalled from my Droid.

    --
    Life is not for the lazy.
    1. Re:Foul playback by O('_')O_Bush · · Score: 2

      If it bothers you that much, fork out the 36$/year for Pandora One and avoid advertising altogether. I mean, 36$/year is pretty cheap for unlimited music streaming to our phone in comparison to buying the songs individually.

      It's not like Pandora forced you into taking their free, ad-based service, since they offer a paid, ad-free version. Targeted ads are the new definition of ad-based nowadays anyways. Just look at Facebook.

      --
      while(1) attack(People.Sandy);
    2. Re:Foul playback by DigiShaman · · Score: 2

      And I should trust them now? How do I know they're not double dipping into my wallet AND selling my usage stats to a 3rd party?

      Trust. A concept that's very hard to earn, and easy to lose. They've lost mine.

      --
      Life is not for the lazy.
    3. Re:Foul playback by L4t3r4lu5 · · Score: 2

      If they still do that if you pay for the service, and don't get the ads.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  14. Re:Without Android Permission? by Stenchwarrior · · Score: 2

    I would imagine all the app needs to do is see what IP you're connected to the internet from, whether you're on WiFi or on the mobile network. Just about all subnets are traceable to a city.

    --
    Loading...
  15. Geolocation APIs (and opinion) by Jahava · · Score: 2

    The actual Veracode post says it's both the iPhone and Android versions. I'm not sure why the article linked in the summary [and thus the summary] only mentions the Android version.

    I wonder then, does the web browser interface do something similar, minus the GPS info of course? What about the Pandora One desktop app?

    There are specs for getting geolocation information via JavaScript, so possibly. However, your browser is supposed to ask your permission prior. This also doesn't preclude other Pandora components, such as Flash, which may have their own API.

    That said, am I the only one who just doesn't care? This company is providing bandwidth and fronting music industry negotiations in order to deliver a useful and valuable service to me for free. As per the implicit (and explicit) contract with almost every modern free service, it's a willing exchange of information, and I'm perfectly willing to trade my phone ID and location for this service (for now).

    It would be nice, though, if there was an Android requirement that each application disclosed exactly what data it was collecting, and for what purpose, in order to be included in the Marketplace.

  16. This is unacceptable! by fuzzyfuzzyfungus · · Score: 2

    Only the mobile phone carriers should be allowed to collect large, but unknown, piles of personal information silently and without oversight! It is an outrage that others would dare to step onto the rightful domain of these oh-so-helpful surveillance buddies.

    On a more serious note: What I would really like to see in Android(and other mobile operating systems; but a 3rd party build of Android is pretty much the only one where this would ever see the light of day on any hardware that isn't a laptop-size dev board...) is a supplement to the existing system of granular access-request application permissions:

    Spoofing.

    At present, you can see what permissions an application demands(perhaps not at quite the level of granularity that would be ideal; but the concept is good, and refinements aren't fundamentally challenging); but you have no way of pushing back against an application that seems a bit uppity, other than refusing it. What would be ideal would be a way of setting up multiple instances of the various Android content providers. One set of instances would be the 'real' one, populated with actual system data(address book, location, etc, etc.) Other instances would be various flavors of 'fake', either generated by applying an overlay filter to the real ones(ie. I might want to give an application that uses location data access to 'location data, but truncated to ~city level accuracy', which would be a content provider generated by a simple mathematical operation against the genuine content provider for location data), or auto-generated to look plausible; but be completely unrelated to the truth(ie. an 'address book' consisting of a simple dump of 47 name/number pairs from a phone book). This would allow you to push back against applications that demand more than they need to know; by allowing you to fulfil their architectural 'requirements'; but choose for yourself which are actually necessary for what you want to do(if you want a navigation app to work, you do need to give it your real location. If you just want dining recommendations, you may only feel the need to give it city-level accuracy, and feel no need whatsoever to give over your real address book for 'social dining integration'...)

    Such a system would have additional benefits: it would make tasks like separating work/personal(or personal/er... 'extracurricular' if that is your style) architecturally clean and much lighter-weight than virtualization. You could have multiple true address books, say, one accurately reporting your personal contacts, and one accurately reporting your work contacts, and you could point twitfrienddroidfeed at the first and seriouscorporatemail at the second.
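
Added example, not part of the thread and not Android code: a minimal Python model of the "dummy data" and "spoofing" ideas proposed in the comments above (a North Pole location, a single "access denied" contact, city-level truncation, separate work and personal address books). The `PrivacyBroker` class, its methods, the app names and the sample device data are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    REAL = "real"      # hand over the genuine value
    COARSE = "coarse"  # genuine location, truncated to roughly city level
    DUMMY = "dummy"    # well-known placeholder value


NORTH_POLE = (90.0, 0.0)                  # dummy location suggested in the thread
DENIED_CONTACT = [("access denied", "")]  # dummy one-entry address book


@dataclass
class Device:
    """Constructed sample device state; none of this is real data."""
    location: tuple = (42.28083, -83.74304)
    address_books: dict = field(default_factory=lambda: {
        "personal": [("Alice Example", "555-0100"), ("Bob Example", "555-0101")],
        "work": [("Carol Example", "555-0199")],
    })


class PrivacyBroker:
    """Hypothetical mediator: apps query the broker, never the Device."""

    def __init__(self, device):
        self.device = device
        self.policy = {}  # (app, resource) -> Mode, or an address book name
        self.audit = []   # (app, resource, what was actually handed over)

    def set_policy(self, app, resource, setting):
        self.policy[(app, resource)] = setting

    def get_location(self, app):
        # No policy entry means the app gets dummy data (deny by default).
        mode = self.policy.get((app, "location"), Mode.DUMMY)
        lat, lon = self.device.location
        if mode is Mode.REAL:
            result = (lat, lon)
        elif mode is Mode.COARSE:
            # One decimal place of latitude is about 11 km.
            result = (round(lat, 1), round(lon, 1))
        else:
            result = NORTH_POLE
        self.audit.append((app, "location", mode.value))
        return result

    def get_contacts(self, app):
        # The policy names which real address book the app may see, if any.
        book = self.policy.get((app, "contacts"))
        if book in self.device.address_books:
            result, given = self.device.address_books[book], book
        else:
            result, given = DENIED_CONTACT, "dummy"
        self.audit.append((app, "contacts", given))
        return list(result)  # copy, so the app cannot mutate the real book


def is_dummy_location(loc):
    """Check a well-behaved app could make before prompting for real access."""
    return loc == NORTH_POLE
```

The audit list records what each app was actually given, which is the visibility several commenters ask for alongside per-permission control.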

  17. Re:What about iOS version? by DanTheManMS · · Score: 4, Informative

    The iOS version of Pandora uses an ad framework called "Medialets" or at least it did as of an update in January 2010. Medialets is known to track exactly this kind of data (phone ID, physical location, etc). When I made a comment on their blog at the time, their response was essentially "Everyone else is doing it so it's okay."

    Personally I'm jailbroken and installed the PrivaCy addon, so I *think* I'm being at least somewhat less tracked. Who knows for sure, though?

  18. Re:That's Odd by tophermeyer · · Score: 2

    Anyhow, if you didn't have a GPS or if your GPS was turned off it may have defaulted back to generic ads.

    Yes.

    When I have GPS off I get generic ads. When I have it on I get location specific ads. This is really amusing for me because the only time I let GPS run is when I'm driving and need Navigation, so while the ads might be localized they are most definitely not relevant.

  19. Re:What's needed by macs4all · · Score: 2, Informative

    Is an app that sits between your personal and phone info and all your other apps and controls what data gets presented to each app

    You mean, something that keeps each app in something akin to its own "play area". Kind of like a kid's sandbox...

    Now only if there was a mobile OS that did that for you. And even better, one that automatically asked you for permission when certain "privacy-related" features, like location services, are accessed by an app for the first time, and gave you an easy-to-use way to see if an app had tried to do that in the past 24 hours, and even better, let you change your mind about permissions after you had already installed the app, on a global, or app-by-app basis.

    Oh, wait...