You should take that leak with a huge grain of salt because the alleged list of apps stealing your location contains hundreds of apps that don't even contain location permissions.
This is a bit of an incorrect read on what this leak is. Gravy gathers location data about people from multiple sources but not directly from consumers. Gravy’s customers buy this data.
As far as I understand, this is a list of locations and apps used by a person, but without much context. A typical response to this has been something like this:
> Grindr has never worked with or provided data to Gravy Analytics. We do not share data with data aggregators or brokers and have not shared geolocation with ad partners for many years. Transparency is at the core of our privacy program, therefore the third parties and service providers we work with are listed here on our website.
Note how carefully written this is to imply they don’t share any data at all, but they stop short of saying “we don’t share any data with ad partners”, just geolocation data.
But for companies like Gravy, their whole business is about getting data.
So it’s not at all implausible (or even unlikely) that this represents an event where a user opened Grindr (conceivably sold to Gravy by one of Grindr’s ad partners following an impression), and the same individual’s location was determined by some other method (for example, IP address geolookup, or bought from a company which IS supplying data to Gravy directly and has location permissions).
Take the leak with a grain of salt, sure, but it’s looking reasonably genuine to me.
>So it’s not at all implausible (or even unlikely) that this represents an event where a user opened Grindr (conceivably sold to Gravy by one of Grindr’s ad partners following an impression), and the same individual’s location was determined by some other method (for example, IP address geolookup, or bought from a company which IS supplying data to Gravy directly and has location permissions).
There's a pretty big difference between "grindr sells your inferred information from IP" and "citymapper sold your location data". Even though the latter technically could be limited to the former, it's pretty obvious that most people think it's selling your precise location as determined by GPS or whatever. Just look at the other replies to my comments if you don't believe me. This is important, because not all "location data" is the same. People are far more likely to be creeped out by precise location data than IP location data, and you're basically constantly transmitting the latter every time you use any app/website.
> We (...) have not shared geolocation data with ad partners for many years
Mobile operating systems don't have good (if any) support for opening things in subprocesses with restricted permissions from the rest of the app. So if Grindr loads an ad, that ad runs with Grindr's permissions. Same for any analytics code that ad uses. So if Grindr gets geolocation, even temporarily, so does every ad partner they have, whether they like it or not.
And the thing is, ads are a bottomless pit of third-party JavaScript. Nobody trusts nobody in the ad space, so everyone wants their own trackers doing their own client-side data collection. So Grindr doesn't have to know anything about Gravy Analytics, they just have to have an ad partner decide to use them and bam, they're compromised.
>Mobile operating systems don't have good (if any) support for opening things in subprocesses with restricted permissions from the rest of the app. [...]
>And the thing is, ads are a bottomless pit of third-party JavaScript. [...]
If it's actually JavaScript, attempting to grab location would result in a weird location prompt[1] that shows even if you granted the app location permission. It's still conceivable for a random SDK to go rogue and exfiltrate location data, but it's unlikely that an ad in a webview would be able to.
That's the whole reason companies like Gravy exist—they call it 'location intelligence', they make inferences about location based on various things they do have access to, rather than necessarily directly collecting it from the user using GPS location tracking.
Yeah, that's what they all say. Tinder and Spotify were both named specifically and both denied it. I don't trust any of them so I'm assuming they're lying, you do what you want.
Why do you trust an unverified "leak" over statements made by multi-billion dollar multinationals? Sure, corporations can lie, but so can such leaks. Extraordinary claims require extraordinary evidence. If the leak is alleging something impossible (i.e., stealing location data despite not having location permissions in manifest), then I'd need far more evidence than some CSV list.
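Added example, not part of any comment in this thread: one way to run the manifest check the comment above refers to. It assumes the APK's binary manifest has already been decoded to plain XML (for example with apktool); the package names and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
FINE = "android.permission.ACCESS_FINE_LOCATION"
COARSE = "android.permission.ACCESS_COARSE_LOCATION"
# Permissions can be declared with either tag; the -sdk-23 form applies on API 23+.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")


def declared_permissions(manifest_xml: str) -> set:
    """Return every permission name declared in a decoded AndroidManifest.xml.

    The manifest inside a built APK is the merged one, so permissions
    requested by bundled ad or analytics SDKs show up here as well.
    """
    root = ET.fromstring(manifest_xml)  # for untrusted files, consider defusedxml
    names = set()
    for tag in PERMISSION_TAGS:
        for elem in root.iter(tag):
            name = elem.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.add(name)
    return names


def location_access(manifest_xml: str) -> str:
    """Classify the best location precision the platform APIs could grant."""
    perms = declared_permissions(manifest_xml)
    if FINE in perms:
        return "precise"
    if COARSE in perms:
        return "approximate"
    # No location permission declared: any location tied to this app in a
    # dataset must come from elsewhere (e.g. server-side IP geolocation).
    return "none"


# Constructed sample manifests (hypothetical apps).
WEATHER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
PUZZLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("weather", WEATHER), ("puzzle", PUZZLE)):
        print(label, location_access(xml))
```
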
I trust a leak from someone with no financial gain from the leak.
I do not trust multinationals worth several million, billion, trillion, to state truth. I expect them to lie until caught by a federal entity and fined.
Guess how many times multinationals lied to the public last year alone.
Now you answer: “Why do you put any trust in what statements a corp releases?!”
>I trust a leak from someone with no financial gain from the leak.
>I do not trust multinationals worth several million, billion, trillion, to state truth. I expect them to lie until caught by a federal entity and fined.
>Guess how many times multinationals lied to the public last year alone.
And what about the leak itself? "You really think someone would do that, just go on the internet and tell lies?"
Here's an anonymous "leak" I found that says WhatsApp is backdoored and sends your chats to the CCP: https://pastebin.com/uE4m694M . Are you going to believe it? If asked for comment, Meta is probably going to deny it, but obviously they're going to be lying for the reasons you mentioned.
>Now you answer: “Why do you put any trust in what statements a corp releases?!”
"Trust" isn't binary, it's a spectrum. I don't put much trust in corp releases, but I still trust them far more than an unverified source. Even if you put zero weight on "statements a corp releases", you can inspect the AOSP source code yourself and see that it shouldn't be possible for apps to steal your location data when they don't have location permissions, and therefore a list claiming that such apps are stealing your location data should be treated with extreme skepticism.
> Why do you trust an unverified "leak" over statements made by multi-billion dollar multinationals?
Less incentives to lie.
Edit: I had a think, and what I picked up on was the idea that sheer concentration of money might stand in as a signal for trust, and so whether someone with more money would naturally be more honest or dishonest than someone with less, is really more of an interesting question.
It's not whether they deny it or not, your device can attest to it. Both Google and Apple have no qualms screwing up with third parties in their apps. Also, apps have been datamined up the wazoo, if a company claims not to do something and does it, someone would have already howled about it.