Skip to content
July 6, 2016 / Jim Fenton

The FTC SilverPush Warning Letters

As I described in a recent blog post, I recently submitted a Freedom of Information Act (FOIA) request to the Federal Trade Commission (FTC) for more information on the recipients of the warning letters they sent to Android app developers found to be using the SilverPush toolkit, which tracks inaudible audio beacons embedded in TV broadcasts for cross-device behavioral analysis. Several others and I studied SilverPush last November in response to FTC’s cross-device tracking workshop, and in particular the position paper submitted by the Center for Democracy and Technology (CDT).

Following the announcement of the warning letters, I contacted Kristin Cohen of the FTC for more information, including the names of the warned parties, which she declined to provide, but acknowledged would probably be provided in response to a FOIA.

The FOIA response I received included copies of the letters themselves, which had the names of the apps and developers. SilverPush has told the FTC that no TV broadcasts aimed at US audiences contain their tracking beacons, but it is also of interest to know what sorts of apps are able to detect these beacons, in case that situation changes. Here’s a summary of the apps, along with a description of each and whether the app accesses the device’s microphone (which is needed to receive the beacon):

Developer App Microphone Access? Comments
Jayson Tamayo Civil Service Reviewer Free Training for Philippine civil service exam
Pinoy Henyo Word guessing game
3S Studio / Sanjay Chadha Fight TV India Wrestling videos, apparently aimed at Indian market
Daily Current Affairs 2015-10 ? Preparation for Indian civil service exam? (can’t find specific app, but similar app uses microphone)
Rajesh Rishi Fingerprint Applock Appears to be “Fingerprint Applock (Real)” by Raja Gopal based on YouTube video
Make Money Apps / Yogesh Aggarwal Cpifbi Free Recharge Swipe Yes Advertising/analytics app
Imran Khan History GK Education app focused on Indian exams
Mobext Philippines Krispy Kreme Philippines Yes Philippine e-commerce app
WebApps World Marathi Recipes Recipes in Marathi language (spoken in western India)
Nganghu985 mPaisa: Get Free Recharge Yes India-focusecd advertising/analytics app
Photo studio apps Photo Background Changer Yes Photo editor
AppLock, Inc. Secret Applock Yes* Hides and locks installed apps.
Applock Theme – Galaxy Yes* Hides and locks installed apps
Apps Da Fun 99 Photo Effects + Frames ? All Apps Da Fun apps are no longer in Google Play
Project D Bird Up Up! Yes Game for kids

Quite a few of the apps have been updated since the FTC warning letters were sent. It’s possible that the beacon capability has been removed from them, which might account for the number that do not access the microphone. Although not related to beacons, it was notable that the AppLock apps (marked Yes*) also had the capability to reroute outgoing calls, which doesn’t seem to be related to their function.

The website for Mobext, which developed the Krispy Kreme Philippines app as well as many other Android and iOS apps, advertises their cross-platform tracking capability, which was developed in partnership with SilverPush. We presume that Mobext has gotten the message that the use of this technology is problematic, at least in the US.

An Android app analysis service, Addons Detector, did an analysis last fall of apps using the SilverPush toolkit. Their analysis came up with some of the same apps, and some different ones. It’s not clear where the list the FTC used came from, since that was part of the FOIA that they claimed an exemption on.

Unfortunately, it isn’t possible to perform the same analysis on iOS apps, since they’re encrypted, except possibly through the use of a “jail-broken” iOS device. Few of the same apps exist for iOS, with the notable exception of Mobext’s Krispy Kreme Philippines app. It’s questionable whether the cross-device tracking toolkit would be acceptable under the Apple app review guidelines.

Hopefully these warning letters will cause these and other developers to be cautious about the use of audio beacons without informed user consent. But given that other companies are pursuing very similar technologies, in some cases with the support of startup incubators, continued vigilance is warranted to make sure that users’ personal information, such as their television viewing habits, aren’t further collected without their knowledge and consent.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s