The popular family safety app Life360 is selling precise location data on its tens of millions of users
The app is a major source of raw location data for a multibillion-dollar industry that buys, packages, and sells people’s movements
The Data Pipeline
Life360’s app allows the user to see the precise, real-time location of friends or family members, including the speed at which they are driving and the battery level on their devices.
Marketed as a safety app, Life360 is popular among parents who want to track and supervise their kids from afar. The app offers much of the functionality of Apple’s built-in location-sharing features, but it includes emergency safety features such as an SOS button and vehicle crash detection. The company says these features havesaved lives.
But Life360’s location-based features are also sources of data points for a growing, multibillion-dollar industry that trades in location data gathered from mobile phones. Advertisers, government agencies, and investors are willing to spend hundreds of thousands of dollars for location data and the insights that can be derived from them.
While children can use the app (with parental consent), Life360’s policy states that the company doesn’t sell data on any users under 13. TheChildren’s Online Privacy Protection Rule(better known as “COPPA”) creates restrictions on digital services used by children under 13, and Life360 has detection methods like requiring a scan of a parent’s ID for underage users. Life360 does “disclose” younger children’s information to third parties “as needed to analyze and detect driving behavior data, perform analytics or otherwise ,[sic] support the features and functionality of our Service,” according to its privacy policy, but not “for marketing or advertising purposes.”
Marketers use location data to target ads to people near businesses, while investors buy data to determine popularity based on foot traffic. Government agencies have bought location data to track movement patterns and in one case to support “Special Operations Forces mission requirements overseas.”
“It sounds like the company’s pointing to a couple of cases where, sure, they helped somebody, they were able to do something good,” Sherman said. “But then they will not talk about all of the other cases where the buying and selling of this data is potentially very harmful.”
In July, a high-ranking Catholic priest resigned after a Catholic news outletouted him by using location datafrom the gay dating app Grindr linked to his device. The data was obtained by an unknown vendor, and the report claimed to show that the priest frequented gay bars. There is no indication that Life360 was involved in this incident.
Grindr, like other apps that feed data into this industry, is required to ask for location permissions when a user first opens the app.
“We are not aware of any instance where our data has been traced back to individuals via our data partners,” Hulls said. “Furthermore, our contracts contain language specifically prohibiting any reidentification, and we would aggressively take action against any breach of this term.”
In Life360’s case, because of how the app works, it asks for the broadest location permissions possible for functional purposes. Many apps that use location data allow users to grant access only while it’s in use. Because Life360 is for tracking whereabouts in real time, the app asks for location data at all times—and does not function unless that permission is turned on.
A disclaimer appears in smaller print at the bottom of the permissions screen: “Your location data may be shared with Partners for the purposes of crash detection, research, analytics, attribution and tailored advertising.” Users can disable the sale of their location data in the privacy settings, though that setting is not disclosed in or part of the prompt.
Life360’s Hulls said that millions of its users have used this feature to opt out of their data being sold.
For those who have not opted out, their Life360 data may be shared with the company’s partners within 20 minutes of being recorded, a former Life360 employee said.
Hulls said this description was “directionally accurate,” saying it only applied to certain partners and use cases.
“For example, some use cases, like road traffic probing, which powers travel time estimates in automotive navigation systems and GPS apps, require very fresh data,” he said.
Privacy researchers and app store operators often look for data brokers’ code in apps for signs of an app sending data off to third parties. But Life360 collects its data directly from the app and provides it to data brokers through its own servers.
Apple’s and Google’s app stores have no way of detecting this transfer of location data to a third party. “It makes sense to send this data directly from the server side from the app vendor so it can never be traced or observed by anyone,” said Wolfie Christl, a researcher who investigates digital tracking.
Hulls said Life360’s method of providing data through its own servers wasn’t an intentional effort to evade detection from researchers and app stores.
“This is completely unrelated. We have our own proprietary sensor technology, which we started building in 2008 well before the emergence of the data industry, and we avoid using SDKs that could have a negative battery impact or other interplay with our own sensor technology,” he said.
Google didn’t comment on why Life360 was able to sell data this way despite itspolicy against selling location data. Apple spokesperson Adam Dema responded with a link to Life360’s privacy policy but didn’t comment about the company’s data sales to companies like SafeGraph and X-Mode.
Hulls said Life360 de-identifies the data it sells, which can include a device’s mobile advertising ID, IP address, and latitude and longitude coordinates collected by Life360’s app.
Hulls clarified that “de-identification” involves removing usernames, emails, phone numbers, and other types of identifiable user information before the data is shared with Life360’s customers. The data sold still includes a device’s mobile advertising ID and latitude and longitude coordinates.
Even without names or phone numbers, researchers haverepeatedlydemonstratedhow “anonymized” location data can easily be connected to the people from whom it came.
And privacy experts note that mobile advertising IDs are more valuable than identifiers like names.
“This code can be used to track and follow you across many life situations,” Christl said. “As such, it is a much better identifier than a name.”
Controversial Partners
The location data industry operates largely out of public view and with little oversight or regulation. Some of Life360’s partners have faced controversy in the past over how they handle data and privacy.
Started in 2013 asDrunk Mode,a novelty app that “prevents users from drunk dialing,” X-Mode was reportedly banned from the big app stores after Vice’s Motherboardreported thatthe company wasselling location data from Muslim prayer appslike Muslim Pro to U.S. government contractors associated with national security, raising concerns about unconstitutional government surveillance.
Public records showthat X-Mode received at least $423,000 from the U.S. Air Force and the Defense Intelligence Agency for location data between 2019 and 2020. The company also sold data on Americans in profiled sets, like people who were drivers or likely to shop at department stores,according to Motherboard.
In August, X-Mode was purchased by intellectual property intelligence firm Digital Envoy and rebranded as Outlogic.
In response to the backlash over X-Mode’s selling location data to defense contractors, its new owners said thecompany would stop selling U.S. location datato such companies.
“We cannot comment on the practices of another company or what that company does with data it receives from other sources,” Hulls said. “However, Life360 has worked closely with X-Mode to ensure that X-Mode and all of its data customers do not sell data originating from Life360 to law enforcement agencies or to any government agency to be used for a law enforcement purpose.”
SafeGraph is one of the biggest firms in the location data business,and its investors includeventure capitalist Peter Thiel; Prince Turki Al Faisal Al Saud, former head of Saudi intelligence; and Life360’s chief business officer, Itamar Novick.
The company specializes in data that associates places of interest with raw coordinates, adding a layer of meaning to the raw location data that the company ingests. SafeGraph was identified as not just a customer of Life360’s data but also a major partner in an email from a Life360 executive that was viewed by The Markup.
In April, asfirst reported by Motherboard, SafeGraph was awarded a$420,000 contractto sell data to the Centers for Disease Controldescribed as“Data Gathering and Reporting.” The Washington Postalso reportedthat SafeGraph shared billions of phone location records with the D.C. Department of Health through its spinoff company Veraset.
The company openlysells location data on Amazon’s data marketplace, including a $240,000 yearly subscription to data on people across the U.S. Veraset hasboasted of sellinglocation data for purposes including marketing, real estate, investing, and city planning.
Sen. Ron Wyden has flagged SafeGraph as a “data broker of concern” to Google, Wyden’s chief communications officer, Keith Chu, said in an email. The Democrat from Oregon has made multiple attempts to speak with SafeGraph to learn more about how the company obtains, sells, and shares Americans’ location data, but the company never responded, Chu said.
Cuebiq also worked with the Centers for Disease Control, with a $208,000 contract awarded in June for aggregated location data,according to public records.
The CDC didn’t respond to requests for comment.
During the beginning of the coronavirus pandemic, Cuebiq became a main source of location data for news outlets looking to report on people’s movements after cities and states issued stay-at-home orders. Outlets includingThe New York TimesandNBC Newsreceived location data from Cuebiq for their analyses.
It’s been suggested that location data brokers like Cuebiq areusing the pandemic to improve their public reputationby presenting themselves as tools for public health rather than as mechanisms for surveillance.
Cuebiq’s Daddi said the company’s data has helped in the aftermath of natural disasters and public health crises.
Safety vs. Privacy
Life360 has positioned itself as “the leading digital safety brand for families.” But experts say families who use it are not necessarily thinking about their digital security.
“An app that claims to be a family safety service selling exact location data to several other companies, this is a total disaster,” Christl said. “It would be a problem if it’s any other app, and it’s even more a problem when it’s an app that claims to be a family safety service.”
Life360 has facedconcerns over privacyin the past. In mid-2020, teens, displeased at the privacy invasion of an app that allowed their parents to minutely track their movements, took to TikTok to encourage their peers to bomb the app with negative reviews. Over the course of a month, the app received more than a million one-star reviews, driving the average rating down from 4.6 to 2.7 stars.
Hulls responded by adding a “bubbles” feature that shows parents a more vague location of their child (but still allows parents to see exact locations with an additional step). He alsorecruited and paid teensto hawk the app on TikTok, resulting in a “viral surge in downloads,” according to the company.
Those teens, however, were likely not aware that their parents were hardly the only ones privy to data on their movements.
Samira Madi, an 18-year-old student in Texas, started using Life360 when she was 15. She didn’t have a problem with the company sharing her location data for marketing and advertising purposes, which the company readily disclosed.
After learning about who Life360 was selling data to, and the scale it was sold at, Madi felt that the company crossed a line.
“I had no idea it would be passed around this way,” Madi said in an email. “This concerns me because I would not want my location data to possibly be sold to people with ill intentions.”
This article wasoriginally published on The Markupand was republished under theCreative Commons Attribution-NonCommercial-NoDerivativeslicense.
Story byThe Markup
Get the TNW newsletter
Get the most important tech news in your inbox each week.
