August 23, 2017

PRIVACY: AccuWeather caught sending user location data, even when location sharing is off.

We independently verified the findings, and were able to geolocate an AccuWeather-running iPhone in our New York office within just a few meters, using nothing more than the Wi-Fi router’s MAC address and public data.

When the location is enabled, it sends the down-to-the-meter precise coordinates of the user, including speed and altitude, back to the data firm.

That’s where Reveal Mobile comes in. The data firm isn’t an advertiser per se but helps provide data for advertisers. Reveal says it “turns the location data coming out of those apps into meaningful audience data,” and “we listen for [latitude and longitude] data and when a device “bumps” into a Bluetooth beacon,” according to a brochure on its website.

For its part, Reveal Mobile executives said on a call last week with ZDNet that though the company does collect Wi-Fi data and MAC address information, it “does not use it” for location data.

Tech blogger John Gruber adds:

In other words, if you deny AccuWeather permission to use the Location Services APIs on your iPhone, they’ll go around your back and send your Wi-Fi router name and the router’s MAC address to these shitbirds at Reveal Mobile, and they maintain a database that maps Wi-Fi routers to locations.

To me this is a one strike and you’re out situation. Apple should remove this version of the AccuWeather app from the App Store, and any of you reading this who have it installed should delete it from your devices and never re-install it. How can you trust them?

You can’t.