Now, however, there's not much room left for debate. Security company Veracode recently examined the code for Pandora's Android app and concluded that it not only allows five mobile ad networks to access users' GPS location, but also appears to transmit users' birthdays, genders, and ZIP codes.
"In isolation some of this data is uninteresting, but when compiled into a single unifying picture, it can provide significant insight into a person's life," Veracode says in its report, "Mobile Apps Invading Your Privacy." "Consider for a moment that your current location is being tracked while you are at your home, office, or significant other's house. Couple that with your gender and age and then with your geolocated IP address. When all that is placed into a single basket, it's pretty easy to determine who someone is, what they do for a living, who they associate with, and any number of other traits about them."
This report comes shortly after news broke that Pandora is among the companies under investigation by the federal authorities. The government reportedly is trying to figure out whether Pandora (and others) violated the Computer Fraud and Abuse Act, an anti-hacking statute that makes it unlawful to access computers without authorization.
Without knowing more, it's hard to say whether transmitting this type of information meets the technical requirements of computer fraud. Regardless, if companies are going to collect this type of data and then send it to ad networks, there's no legitimate reason to do so without informing consumers ahead of time.