The FTC SilverPush Warning Letters
As I described in a recent blog post, I recently submitted a Freedom of Information Act (FOIA) request to the Federal Trade Commission (FTC) for more information on the recipients of the warning letters they sent to Android app developers found to be using the SilverPush toolkit, which tracks inaudible audio beacons embedded in TV broadcasts for cross-device behavioral analysis. Several others and I studied SilverPush last November in response to FTC’s cross-device tracking workshop, and in particular the position paper submitted by the Center for Democracy and Technology (CDT).
Following the announcement of the warning letters, I contacted Kristin Cohen of the FTC for more information, including the names of the warned parties, which she declined to provide, but acknowledged would probably be provided in response to a FOIA.
The FOIA response I received included copies of the letters themselves, which had the names of the apps and developers. SilverPush has told the FTC that no TV broadcasts aimed at US audiences contain their tracking beacons, but it is also of interest to know what sorts of apps are able to detect these beacons, in case that situation changes. Here’s a summary of the apps, along with a description of each and whether the app accesses the device’s microphone (which is needed to receive the beacon):
| Developer | App | Accesses microphone | Description |
|---|---|---|---|
| Jayson Tamayo | Civil Service Reviewer Free | | Training for Philippine civil service exam |
| | Pinoy Henyo | | Word guessing game |
| 3S Studio / Sanjay Chadha | Fight TV India | | Wrestling videos, apparently aimed at Indian market |
| | Daily Current Affairs 2015-10 | ? | Preparation for Indian civil service exam? (can’t find specific app, but similar app uses microphone) |
| Rajesh Rishi | Fingerprint Applock | | Appears to be “Fingerprint Applock (Real)” by Raja Gopal based on YouTube video |
| Make Money Apps / Yogesh Aggarwal Cpifbi | Free Recharge Swipe | Yes | Advertising/analytics app |
| Imran Khan | History GK | | Education app focused on Indian exams |
| Mobext Philippines | Krispy Kreme Philippines | Yes | Philippine e-commerce app |
| WebApps World | Marathi Recipes | | Recipes in Marathi language (spoken in western India) |
| Nganghu985 | mPaisa: Get Free Recharge | Yes | India-focused advertising/analytics app |
| Photo studio apps | Photo Background Changer | Yes | Photo editor |
| AppLock, Inc. | Secret Applock | Yes* | Hides and locks installed apps |
| | Applock Theme – Galaxy | Yes* | Hides and locks installed apps |
| Apps Da Fun | 99 Photo Effects + Frames | ? | All Apps Da Fun apps are no longer in Google Play |
| Project D | Bird Up Up! | Yes | Game for kids |
Quite a few of the apps have been updated since the FTC warning letters were sent. It’s possible that the beacon capability has been removed from them, which might account for the number that do not access the microphone. Although not related to beacons, it was notable that the AppLock apps (marked Yes*) also had the capability to reroute outgoing calls, which doesn’t seem to be related to their function.
The website for Mobext, which developed the Krispy Kreme Philippines app as well as many other Android and iOS apps, advertises their cross-platform tracking capability, which was developed in partnership with SilverPush. We presume that Mobext has gotten the message that the use of this technology is problematic, at least in the US.
An Android app analysis service, Addons Detector, did an analysis last fall of apps using the SilverPush toolkit. Their analysis came up with some of the same apps, and some different ones. It’s not clear where the list the FTC used came from, since that was part of the FOIA that they claimed an exemption on.
Unfortunately, it isn’t possible to perform the same analysis on iOS apps, since they’re encrypted, except possibly through the use of a “jail-broken” iOS device. Few of the same apps exist for iOS, with the notable exception of Mobext’s Krispy Kreme Philippines app. It’s questionable whether the cross-device tracking toolkit would be acceptable under the Apple app review guidelines.
Hopefully these warning letters will cause these and other developers to be cautious about the use of audio beacons without informed user consent. But given that other companies are pursuing very similar technologies, in some cases with the support of startup incubators, continued vigilance is warranted to make sure that users’ personal information, such as their television viewing habits, isn’t further collected without their knowledge and consent.