Adam Grossman of the Dark Sky weather app:
It helps tremendously that Dark Sky is a for-pay app. The old trope of “when you don’t pay for the product, you are the product” gets trotted out often, usually with regards to in-app advertising. But it takes on much more ominous overtones in the context of location privacy. And as long as it’s possible to secretly share location data, some app makers will do so.
Because of this, we also believe that Apple and Google should do more to prevent this sort of behavior. They should set — and aggressively enforce — clear App Store rules forbidding the sharing of location data for any purposes not directly relevant to the app’s core functionality. If an app is caught breaking this rule, it should be removed from the store. This won’t stop all abuse, but it would, at the very least, put many of these data monetization companies out of the business of tracking where you go.
Here’s the thing, though: Grossman’s suggested response has been in place for years. Apple’s App Store Review Guidelines:
Use Location services in your app only when it is directly relevant to the features and services provided by the app.
And, from the Apple Developer Program Information (PDF):
You agree not to use any network data or information from end-users to bypass or override any end-user settings, e.g., You may not track an end-user’s WiFi network usage to determine their location if they have disabled location services for Your Application […]
All Apple had to do in this case was enforce their own rules.[1] I understand that something will occasionally slip through the cracks and it will sometimes be with a high-profile app, but this is really the sort of thing that should have been caught. I think it’s great that App Review times are much faster now than they used to be, but I hope a flub like this isn’t repeated.
[1] I didn’t find anything explicitly similar in Google’s developer policies. For what it’s worth, I don’t think it’s malicious, but I do think that it’s indicative of Google’s more lax stance when it comes to user privacy. That is, if they truly cared about user privacy, they would be more likely to catch its omission from drafts of these policies.