Location data collection firm admits privacy breach

By Jane Wakefield
Technology reporter

  • Published
People in a crowd with data pointsImage source, Getty Images
Image caption,
Location data can be used in a number of ways, such as finding out footfall on a High Street at any given time

A British firm which sells people's location data has admitted that some of its information was gained without seeking permission from users.

Huq uses location data from apps on people's phones, and sells it on to clients, which include dozens of English and Scottish city councils.

It told the BBC that in two cases, its app partners had not asked for consent from users.

But it added that the issue had now been rectified.

In a statement, the firm said it was aware of two "technical breaches" of data privacy requirements.

But it added that it had asked both to "rectify their code and republish their apps", which they had done.

"Huq data is used anonymously. Nevertheless consent is a vital pillar of data collection and must be taken seriously. We strive to ensure consent is explicitly sought by all our app partners. If there is a breach, we always act swiftly," said Conrad Poulson, chief executive of Huq.

Kaibits Software, which developed one of the apps in question. admitted that there had been "problems with the permissions" but they were now resolved. The second app developer did not respond.

Huq did not rule out the possibility that other apps may have failed to ask for proper consent. "It is possible that we or our partners may uncover future technical issues, but what's important is how quickly we act and how seriously we take the issue," the firm told the BBC.

Privacy policies

The apps in question - one which measured wi-fi strength and another that scanned barcodes - had been highlighted in a story published by Vice. It questioned how clear it was to users that apps they had downloaded for one purpose were sharing information for a completely different one.

Huq advertises a range of services on its website, promoting how its "real-time footfall metrics" can be used "to discover where people go and why".

So, for instance, a council could use the data it provides to estimate how many people visited a High Street within a given timeframe.

AppCensus, a company that analyses the privacy of apps, looked at which apps Huq did business with. It found ones for flight-tracking, weather, and Muslim prayers were among those sending information to the company.

Co-founder Joel Reardon told the BBC: "Looking across a dozen or so apps that include Huq, I've noticed large variations in how users are given notice of how their GPS location tracker, along with information about their home wi-fi router, is being collected.

"If users are expected to read through countless privacy policies, then I feel that these should at least be an accurate description of what is actually happening," he said.

According to analysis from Danish TV2, Android apps are far more likely to pass on location data than those on iPhones.

Google told the BBC that it was investigating.

Reprimand

Firms that collect location data from apps and then sell it on are under increased scrutiny. The Danish data authority is currently looking into whether there is "a legal basis" for the way Huq has processed personal data.

Meanwhile, the UK's Information Commissioner's Office has issued a reprimand to another UK-based location data collection firm, Tamoco, for "failing to provide sufficient privacy information to UK citizens".

It told the BBC that it had asked the firm to "review the personal data they collected to ensure that UK citizens' data is no longer processed and that any remaining records should be deleted".

In 2019, Norwegian broadcaster NRK bought raw location data from Tamoco for £3,000. For this fee, it received 460 million rows of data from more than 140,000 phones and tablets. While this did not contain any names or mobile numbers, it did offer granular insights into people's movements which enabled the broadcaster to find out the real identities of people.

It allowed them to track people, in what journalist Martin Gundersen described as "frightening detail".

The data showed one man as he went to a hospital and a job interview. Another, a member of the military, had their movements tracked from an army base to other locations.

The BBC has asked Tamoco for comment.