Last October a report by a researcher at Bucknell University
revealed that the majority of the
most popular iPhone apps transmitted the devices' unique serial numbers to outside servers owned by either the developer or an advertiser. At the time, it seemed likely that application developers
could use that data to figure out fairly detailed information about users, but there was room for debate about the topic.
Now, however, there's not much room left for debate. Security
company Veracode recently examined the code for Pandora's Android app and concluded that it not only allows five mobile ad networks to access users' GPS location, but also appears to transmit
users' birthdays, genders, and ZIP codes.
"In isolation some of this data is uninteresting, but when compiled into a single unifying picture, it can provide significant insight
into a person's life," Veracode says in its report, "Mobile Apps Invading Your Privacy."
"Consider for a moment that your current location is being tracked while you are at your home, office, or significant other's house. Couple that with your gender and age and then with your
geolocated IP address. When all that is placed into a single basket, it's pretty easy to determine who someone is, what they do for a living, who they associate with, and any number of other
traits about them."
This report comes shortly after news broke that Pandora is among the companies under investigation by the federal authorities. The government reportedly is trying
to figure out whether Pandora (and others) violated the Computer Fraud and Abuse Act, an anti-hacking statute that makes it unlawful to access computers without authorization.
Without
knowing more, it's hard to say whether transmitting this type of information meets the technical requirements of computer fraud. Regardless, if companies are going to collect this type of data and
then send it to ad networks, there's no legitimate reason to do so without informing consumers ahead of time.