Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pandora App Sends Private Data To Advertisers

Posted by CmdrTaco on from the of-course-it-does dept.

Trailrunner7 writes "An analysis of the popular free mobile application from online music service Pandora.com that is the subject of a grand jury investigation into loose data privacy practices in the mobile application market confirms that the application silently sends reams of sensitive data to advertisers. The analysis was conducted by application security firm Veracode and found that Pandora's free mobile application for Android phones tracked and submitted a range of data, including the user's gender, geographic location and the unique ID of their phone, according to an entry on Veracode's blog."

9 of 198 comments (clear)

  1. As I said last time by Anonymous Coward · · Score: 5, Informative

    As I said last time, "I stopped using their app when it wanted access to the system logs. This includes all notifications of pretty much everything going on on your phone. It might help them debug the app, it might help them with advertisers. Who knows. I just knew their app wasn't worth it."

    This is potentially a much more massive problem than we have been told.

    1. Re:As I said last time by Gutboy · · Score: 5, Insightful

      Google needs to allow you to authorize specific permissions for apps, not their current 'all or nothing' system. This way you could say "Yes, you can have my position because I believe a GPS mapping system needs that, but no you can't have my address book, since a GPS system doesn't need that". Sure it would screw advertisers over, but I don't care about them. Not everything in the world needs to have advertising on it.

  2. Wait a minute... by Nidi62 · · Score: 5, Insightful

    So, you mean all those ads at the bottom of the Pandora app that were specific to my home town wasn't just a random coincidence? How is it taking these things "silently" when it tells you exactly what you are giving it access too? Obviously, knowing where you live has no bearing on the type of music it's going to play. What else did people think this was going to be used for?

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  3. what do you expect for free? by alen · · Score: 4, Insightful

    seriously, what do you expect from a free app that streams licensed music that they had to pay for? a bunch of ads no one clicks on?

    this is how google makes money, metrics. everyone is doing it as well.

  4. Live in Application by ObsessiveMathsFreak · · Score: 4, Insightful

    The big problem here is that whenever you install any application, you're technically giving the designers virtually free reign to do whatever they like with your system/PC/phone/whatever.

    Once permitted in, most commercial applications barge into your PC, rewrite whatever files they please, alter configuration settings, gobble up memory, install themselves as startup applications and often install an entire suite of unwanted applications and advertisements you didn't even ask for. Then they plonk themselves down in your living room, feet on the sofa, and begin to shout at you, along with all the dozens of other loudmouth applications you've invited in.

    --
    May the Maths Be with you!
  5. SELinux type security for Android by Bocaj · · Score: 5, Informative

    Google needs to change the security model to allow finer grained access and more information to users about how much information that access allows. I should be able to install an application that wants access to my contacts but choose to deny that access with a warning that it may affect the functionality of the app. There should be more detail information on just what information an application can get hold of with that access. I think using the SELinux model of security in the kernel would be a good idea. If I don't grant an application process rights to certain files, it can't get access no matter what.

  6. Not just android by ender- · · Score: 5, Interesting

    The actual Vericode post says it's both the iPhone and Android versions. I'm not sure why the article linked in the summary [and thus the summary] only mentions the Android version.

    I wonder then, does the web browser interface do something similar, minus the GPS info of course? What about the Pandora One desktop app?

    --
    Nothing to see here
  7. Looking forward for Pandora IPO by ub3r+n3u7r4l1st · · Score: 4, Interesting

    Despite the suit, recent SEC filing suggest eveything pointing up:

            * Revenue skyrocketed from $55,189,000 in FY2010 to $137,764,000 in FY2011.
            * Advertising revenue rose from $50,147,000 in FY2010 to $119,333,000 in FY2011.
            * Subscription and "other" revenue increased from $5,042,000 in FY2010 to $18,431,000 in FY2011.
            * Despite rising content acquisition costs (up from $32,946,000 to $69,357,000 between FY2010 and 2011), Pandora's loss narrowed from $15,549,000 in FY2010 to $321,000 in FY2011.

    Despite strong competition such as Sirius XM radio and even Apple to that regard, I wouldn't worry much.

    --
    New Economic Perspectives
  8. Re:What about iOS version? by DanTheManMS · · Score: 4, Informative

    The iOS version of Pandora uses an ad framework called "Medialets" or at least it did as of an update in January 2010. Medialets is known to track exactly this kind of data (phone ID, physical location, etc). When I made a comment on their blog at the time, their response was essentially "Everyone else is doing it so it's okay."

    Personally I'm jailbroken and installed the PrivaCy addon, so I *think* I'm being at least somewhat less tracked. Who knows for sure, though?