Life360 Scandal Once Again Shows Nobody In The U.S. Actually Wants To Fix Our Rampant Privacy Problems
from the let's-do-absolutely-nothing-about-this-growing-problem dept
For several years now a steady parade of scandals have showcased how the collection and sale of consumer location data (to governments and data brokers alike) is a hugely unaccountable mess with few if any guardrails. And every week or so a new scandal emerges making that point abundantly clear. This week it’s the unsurprising revelation that “security” and “family safety” app Life360, which lets parents track the location of their kids, has been selling access to this data to data brokers for years:
“Through interviews with two former employees of the company, along with two individuals who formerly worked at location data brokers Cuebiq and X-Mode, The Markup discovered that the app acts as a firehose of data for a controversial industry that has operated in the shadows with few safeguards to prevent the misuse of this sensitive information.”
U.S. policymakers and regulators have routinely turned a blind eye to bad behavior in the location data collection area, in large part because the U.S. government often purchases this kind of data to help it avoid getting a warrant. And any effort to tighten up privacy regulations (or hey, even pass a basic federal privacy law for the internet era) wind up running into a buzz saw of cross-industry lobbying opposition with unlimited budgets.
When the U.S. government does act in this space, it’s usually inconsistent and unproductive. It usually involves sporadically levying a piddly fine that winds up being a tiny, tiny fraction of the money made from getting a bit too greedy. Or demanding at least some transparency into what’s being collected and sold. But as data brokers, apps, telecoms, and OS makers keep making clear, nobody is taking any of those threats seriously. Especially the tangled web of data brokers, who operate largely in secrecy. When pressed on what they’re doing, their responses are murky at best:
“Hulls declined to disclose a full list of Life360?s data customers and declined to confirm that Safegraph is among them, citing confidentiality clauses, which he said are in the majority of its business contracts. Data partners are only publicly disclosed when partners request transparency or there?s ?a particular reason to do so,? Hulls said. He did confirm that X-Mode buys data from Life360 and that it is one of ?approximately one dozen data partners.? Hulls added that the company would be supportive of legislation that would require public disclosure of such partners.”
Like clockwork, when you ask a data broker what they’re doing, they’ll immediately insist that collecting and selling access to the data of children is no big deal because that data has been “anonymized.” As if there hasn’t been a steady flood of studies showing that terms is absolutely meaningless, and it’s trivial to identify any of these users with just a few additional data points. See this comment from Cuebiq, for example:
“The CDC only exports aggregate, privacy-safe analytics for research purposes, which completely anonymizes any individual user data,? Daddi said. ?Cuebiq does not sell data to law enforcement agencies or provide raw data feeds to government partners (unlike others, such as X-Mode and SafeGraph).”
“We anonymize data” (which again is meaningless) and “at least we don’t sell access to this data to government like everybody else” aren’t the comforting justifications these companies tend to think they are. But at least it’s a comment. Most of the other data brokers that have been caught up in this scandal wouldn’t comment, and won’t ever be required to. Because nobody actually cares about consumer privacy or the ramifications of rampant over-collection. There’s just too much money to be made.
Life360 justifies collecting and selling access to this ocean of data (including the data of children) because it helps pay for a service that provides security value. And while that may be true, it’s not like you couldn’t do all of this in a way that’s more transparent and responsible. And it’s not like over-collecting and creating vast repositories of user data doesn’t come with its own privacy and security risks. Companies just don’t want to change because they’d make less money. So instead we get a lot of flimsy justifications and half truths like “we don’t sell access to data” (no, you’re just providing the data to partners for free as part of a broader “consultation and analysis” deal you are getting paid for).
State and federal U.S. privacy oversight is so flimsy, you just have to tinker with semantics to fall into compliance.
Meanwhile, everybody in the data gold rush claims to support some basic privacy legislation, but then immediately turns around and has their lobbyists and umbrella policy organizations fight tooth and nail against any and all meaningful solutions. Doing absolutely anything productive in privacy regulatory oversight would cost a lot of companies billions of dollars, and make it harder for the government to spy on its citizens. So instead we do nothing, and stand around with a dumb look on our face watching a parade of scandals drift by.