This week: we dive into the complex shadow world of trading location data from innocuous apps.
Sandra Peter (Sydney Business Insights) and Kai Riemer (Digital Disruption Research Group) meet once a week to put their own spin on news that is impacting the future of business in The Future, This Week.
The stories this week
Other stories we bring up
Follow the show on Apple Podcasts, Spotify, Overcast, Google Podcasts, Pocket Casts or wherever you get your podcasts. You can follow Sydney Business Insights on Flipboard, LinkedIn, Twitter and WeChat to keep updated with our latest insights.
Our theme music was composed and played by Linsey Pollak.
Send us your news ideas to email@example.com.
Disclaimer We'd like to advise that the following program may contain real news, occasional philosophy and ideas that may offend some listeners.
Sandra So what do you think we should talk about today?
Kai Well, there's an update on the epic Epic/Apple battle. Epic is actually suing Apple in Australia now for its App Store ban. As a reminder, Epic introduced its own payment system into the Fortnite game, it was then predictably bumped off the Apple App Store for violating the App Store rules, and Epic's CEO Tim Sweeney has come out publicly to deride Apple's policies for not allowing payments that do not fall under the 30% rule. And after being bumped off the App Store, has sued Apple in the US, and now they're doing the same in Australia. And interestingly, this is done because Australia has introduced what is called Section 46 of the Competition and Consumer Act, which Epic sees as working in its favour. Australia has also been among the first countries to bring out regulation of platforms, famously of Google and Facebook, around how we treat news that is run on these platforms. And the ACCC has also now announced a review of the market power of the Apple and Google App Store. So it's really interesting timing that Epic would come out and sue Apple here in Australia.
Sandra I do believe however, we have done an entire episode unpacking this, which we'll put in the shownotes. So I don't think it's time to go back to this, but we'll keep an eye on it.
Kai Yeah, we'll keep an eye on how this unfolds.
Sandra It was a very exciting week in taxes, and we had all these stories about taxes, including the story out of Germany, where Deutsche Bank was suggesting that there should be a tax on working from home, on those still reaping the benefits of remote work after the pandemic has ended, and not contributing to the economic ecosystem by going to work and buying coffees and buying clothes and going to the dry cleaners and using the trains and so on. But as it happens, we've done a whole episode on Corona Business Insights, unpacking this and other such initiatives like Greece wanting to incentivize people to move there by waiving six months of income tax for seven years if you choose to move to Greece and work from there.
Kai But as you said, we have done an episode which we will put in the shownotes. There's been more platform news, this one from Google. An article in Medium that details how Google has changed the policy for Google Photos. Google Photos famously came with 15 gigabytes of free storage, offered to every Google account. That is now gone, Google will make users pay for storing these photos. And the article goes into a whole argument for why this shows the worst in platforms. And the argument is not that these platforms entice us with free products, and then make us pay later, which is a legitimate business model, but it makes the point that along the way, in the past few years, there have been a number of innovative online photo storage, photo sharing apps that have gone belly up because they could not compete with a product where Google cross-subsidises free storage to the tune of 15 gigabytes. So another story about platforms stifling innovation.
And we have covered platform competition quite a few times over the years, and we'll make sure to include some of those links in the shownotes. But speaking of platforms, there was also news out of Netflix, Netflix seems to be reinventing television. This is a bit like that news we had a few weeks ago where Facebook just invented Facebook, smaller networks of students in universities. Netflix is testing a linear channel in France, which is basically just linear programming.
Kai Well, you'll turn on Netflix, and some show is just running that runs at that time, that seems like an interesting concept where someone decides what time certain shows would run at, and if you miss them, you have missed them.
Sandra Sounds a bit like just plain broadcast TV. But Netflix is saying that this will help with decision fatigue. This has come out in France to about 9 million subscribers, and it follows other experiments from Netflix such as the shuffle button, which they introduced in August, where you could randomly go through recommended options and so on and so forth.
Kai And they are countering the behaviour where you turn on Netflix and then you get stuck because you cannot make a choice as to what to watch. So for all those stuck at that moment. Just watch television, which is now also on Netflix.
Sandra You had something on cars, didn't you?
Kai Yes, there's an article in The Sydney Morning Herald, which makes the point that Australia is fast becoming the dumping ground for discarded petrol car stock in global supply chains. Because Australia has such unfavourable conditions to electric vehicles. Where other countries offer generous tax subsidies or price subsidies for electric vehicles, Australia is not only putting a luxury vehicle tax on most Tesla models because of the price range in which they sell, they're also contemplating introducing a specific tax on electric vehicles because governments are missing out on the petrol excise, because you're not paying up your tax at the petrol pump. So electric vehicle sales in Australia are really behind only 0.6% of total car sales are electric vehicles.
Sandra And this is in stark contrast to what's been happening elsewhere around the world. And we mentioned China on our last episode, but this week it's been the UK which will ban new petrol and new diesel car sales after 2030, under the government's new green plan. And the plan contains ten climate pledges for a green industrial revolution that's meant to create two and a half million jobs but also end the sale of new petrol and diesel cars by 2030.
Kai Yeah, and so these cars that cannot be sold in Europe anymore can then come to Australia, at least the ones from the UK, which have the steering wheel on the right side.
Sandra But the one story that sent both of us down rabbit holes this week, has been the one around the US military buying location data from ordinary apps, such as a Muslim prayer app with 98 million downloads. Which really got us looking into the world of what happens to data from apps and where does it end up? It seems it's not all for ads anymore, it's over many different things, military uses, COVID tracking, political advertising.
Kai And it is a shadow world unto itself, the way in which data is collected, data is traded, data is sold, data is used. Sightly scary, it's a bit after Halloween, but this is one that we really should be doing.
Sandra So let's have a look at the hidden side of everything data.
Kai That's a different podcast though.
Sandra Oh yeah, that is a different podcast, that's taken.
Kai Well, the hidden side of what happens to your data, yes.
Sandra Let's do it.
Intro From The University of Sydney Business School, this is Sydney Business Insights, an initiative that explores the future of business. And this is The Future This Week where Sandra Peter and Kai Riemer sit down every week to rethink and unlearn trends in technology in business. They discuss the news of the week, question the obvious, explore the weird and the wonderful, and things that change the world.
Sandra So our story today is from Vice, and it's titled "How the US Military Buys Location Data From Ordinary Apps". And the article goes into a fair bit of detail into how the US military is buying location data, movement data of people from around the world, through what would seem as innocuous apps. So things like Craigslist, or an app that helps you find parking, or weather apps, or indeed a Muslim prayer app that incidentally has 98 million users.
Kai And so what the US military is really after is granular movement data, as the article puts it, location data pretty much, that can be used to track people to track their whereabouts and combine that with other data that they have about them. And there's two main things that are interesting about this article. So the most interesting aspect for us was where does this data come from? How is this data compiled? Who has this data? And what can you do with this data? And that is the one that we want to focus on.
Sandra The other aspect is, of course, that through the use of such data, the US military can get around legal hurdles that would see them have to get a warrant to obtain phone records or location data of people's phones. But that's not what we want to focus on today.
Kai It is however really interesting to note that the kind of data that can now be obtained from these consumer apps and from companies that sell this data, in many ways far outstrips what is possible or economical, to be collected by traditional intelligence means.
Sandra So this article really provided us with a window, not only into what happens to our data that we leak through so many apps, but how a whole myriad of companies collect this data, how they use it, and how it's then repurposed in everything from the US military, to efforts to contain COVID-19, to political advertising and the like.
Kai So our entrance to this rabbit hole, and we hope you'll indulge us to unpack a little bit of what is going on in this shadow world of data collection and data trading, really.
Sandra What the article helps expose really well is the two main ways by which the app data generated can be accessed by outside organisations such as the US military.
Kai And the first one is through services created by companies that allow clients such as the US military to run analysis on location data. And the article mentions a company called Babel Street, which provides a product called Locate X.
Sandra What Locate X does is give you access to a service by which you can find out, for instance, at a given time and in a particular location where these phones have been previously or after that event. So say you want to find out who's been in Martin Place on the 19th of November, you would ask Locate X to tell you all the phones that were in the vicinity at a certain time, and then track those phones back, even a few months, or keep following them forward in time and tell you the whereabouts and the activities of the individuals who own them.
Kai So this service is called geofencing. And, of course, we can envision uses for this by governments in the aftermath of a crime that happened, or a terrorist attack, but also for more controversial uses around tracking people who have been in demonstrations, for example, to see where do these people live? Who are these people? Where have these people been previously, have these people travelled outside the country? And so on.
Sandra The second stream of data that the article showcases and that is used by the US military comes from companies that sell this data outright. So the article gives the example of a company called X-Mode, which sells location data that they collect directly from apps and sells it to military contractors or the military directly for direct use.
Kai And there's other articles also this week, one about the Trump campaign, which have utilised a similar service provided by a data broker of the name of Phunware, ph. Which allows again, a political campaign like the Trump campaign to track users at a fairly granular level, follow their movements retrospectively, or indeed, in real time. And it was mentioned, for example, that one could track a certain demographic, and see whether they've actually left their location on election day, and if they haven't, send them urgent text messages, to urge them to turn up to the voting booth, and can then turn out the vote in certain regions where the data covers users.
Sandra X-Mode also demonstrated, for instance, that the data can be used to follow people who have been in a COVID-19 hotspot and where they travelled afterwards, potentially exposing other people. So say, if you had a restaurant, which you knew was a COVID hotspot, and you knew what phones had been in the restaurant at a certain time, you could then follow them on public transport or to the neighbourhoods where they lived and notify other people who have been in the vicinity, without the need to use a tracing and tracking app.
Kai Which is essentially what, in our research and in the episode that we did on contact tracing, we called 'surveillance tracking', a practice that is not widely used in western countries, because of the privacy implications we use proximity contact tracing. But it turns out that with data such as that provided by X-Mode, which is available on the data market, this would actually be possible, at least in those areas where they are tracking phones.
Sandra And this is possible because a company like X-Mode, and X-Mode is one of many hundreds actually of companies that do this, but a company like X-Mode gets access to data from seemingly innocuous apps. Apps like the Muslim prayer app, the app that reminds users when to pray and what direction Mecca is in relation to where people are, send back location data and other information to X-Mode, which then packages up that information with information it gets from other apps and from other sources, and sells it to contractors, the military, political parties and so on.
Kai So let's look at the bigger picture here. We're all used to the services that we use to collect data about us, we're provided with free social networking services, free search services, a lot of free apps, and we understand that in return for that we give up some of our data to be shown advertisements.
Sandra So that used to be the trade-off, free products and services/our data, for basically a ecosystem that works based on ads.
Kai And while that certainly exists, and while that ecosystem has certainly paved the way for collecting, trading and using data, what this article points to is just how widespread the collection of data is, and all the kind of things that can now be done with data, especially with location data that originates from the mobile phones that each of us carry around, and that pretty much function as tracking devices.
Sandra Let's have a look at a few things that help make sense of this. First is what kind of apps? Whenever we think about data collection, most of us think of Facebook, or think of Google and those sorts of companies, but it's actually a whole host of other little apps that collect at least as detailed information as the big tech giants.
Kai And we'll take a look at what data is actually gleaned from these apps, how it is collected and traded, and what we do with it.
Sandra So first it's what kind of apps actually collect this data. And it might come as a surprise to many of us that it's not only the apps where you know that location data is being collected, things like Google Maps, or like your Uber Eats app or Deliveroo, which actually need to know where you are to provide the services. It's weather apps, where you can choose to let it find out where you are every time you turn it on. It's Craigslist or eBay that need to know where you are to estimate postage costs.
Kai It's that coffee place finder app, it's parking apps, it's a lot of apps that have legitimate uses to know your location, but it's also apps that don't, that ask for location anyway. And Apple users have recently gotten a glimpse into this because the newer versions of iOS actually ask every time when an app wants to have access to location. And it turns out that there's apps that have absolutely no business knowing locations, which want the location because they might be in the business of selling that data to aggregators, such as X-Mode.
Sandra And it's a really interesting exercise that our listeners might want to do, which is to turn on their phone and have a look at some of the apps that they have that might be sharing that kind of location data. For us, for instance, those apps that tell us where there is good coffee when we travel, or even the weather app, even though I've set the location, it doesn't need to know it every time, it finds that out, or mindfulness or workout apps that actually want to know where you are.
Kai And it's of course not just location data, although location data is particularly useful because it allows to glean context, whether someone is in a residential area potentially at home, in a hotel, in a shop, at work. It's also a range of other data that these services capture, often from your mobile phone, and then aggregate and provide.
Sandra So for instance, the Wi-Fi networks that you have connected to and their names, the make and model of your phone, or very accurate timestamps, often transmitting this information two seconds apart, to know where a person has been.
Kai And so in combination, this data enables quite sophisticated tracking. And it actually reminded us of an article that we saw a couple of years ago in the New York Times where the journalists had access to a data set, just like the one that X-Mode provides.
Sandra This was back in 2018, and the New York Times was allowed to review a database of mobile phone location data that was anonymized, which means that each phone, each device in the database, had a nameless ID number. And the New York Times was able to track a number of people and identify exactly who they are, and how they went about their day. And it's fascinating to read up on Lisa Magrin's day, a 46 year old math teacher who, as most of us do, has her phone with her all day long. And an app on her device had generated her location information, which then was sold to this aggregator database that the New York Times had access to, but it had recorded her whereabouts every two seconds. She had gone to a Weight Watchers meeting in the morning, she had done gone to her dermatologist where she clearly had a minor procedure based on the time she spent at the office. Then she went on a hike with her dog as she usually does, and then ended up staying at her ex-boyfriends home overnight. And all of this information, which obviously Lisa found quite disturbing, was able to be pieced together by journalists at the New York Times, simply with access to this anonymized database.
Kai And that's a really important point here, because companies that trade in this kind of data will always stress that all the data is anonymized, it's just at the mobile phone level, there is no names attached. But the article really shows, and for a number of people that they actually contacted then, how easy it is to de-anonymize the data, if you only have enough data points, and you track people to a residential address and to an office address, it is very easy to then resolve who that person is. And in the industry, there is actually a name for this, it's called 'identity resolution'. This is the specialised services that will provide the connection of different datasets to basically associate tracking movement data, or sales data with actual people, that can then be used by marketers. So the mere declaration that a dataset is anonymized does not mean that people cannot be identified.
Sandra And it's important to understand that in a world where many of these apps beam data 14,000 times a day, and where such companies track, in the case of the New York Times examples it was about 200 million devices in the US, in the case of X-Mode it's 65 million devices, that none of us can have any real expectation of anonymity, or indeed privacy.
Kai Which brings us to the question of how exactly is this data actually collected? And there really are three different ways. The first one, in many ways the most straightforward, but also least interesting one, is where an app by way of its business model collects location data, and then turns this into a product and sells it to clients.
Sandra And an example would be a company like Strava, which we've discussed previously on the podcast. Strava is, of course, the fitness tracker app that records how people exercise, how they run and how they cycle, and shares that information with other people on the platform. So the company is able to aggregate these heat maps of where people like to run, where people like to cycle, what times they do so. And of course, the by-product is that it can then use this data and sell it or disclose it to anyone from city planners trying to improve the outdoor areas in their city, to companies wanting to advertise exercising equipment, or inadvertently find out where hidden US military bases are.
Kai Which is what led us to discuss Strava in a previous episode, which we will put in the shownotes. So this is really the most straightforward way in which data is collected and sold. But there's another widespread practice that is little-known, whereby companies such as X-Mode provide app developers with what's called an SDK, a software development kit, bits of code that allow these app developers to implement features such as location tracking, so that they don't have to implement these features themselves, which come with the added benefits that this location tracking can then be monetized, whereby X-Mode would pay the app developers a fee based on how many users for example each app is using, and then how much data can be collected from that app.
Sandra And these fees can be quite a nice income for app developers. So an app that has 50,000 daily active users in the US, for instance, would earn the person who developed that app about $1500 a month in income.
Kai And this makes this a really attractive proposition. Not only does the developer receive the service, it comes with an extra monetization of the user base. And in turn for X-Mode, it allows to collect data across a number of apps. So X-Mode has about 400 apps that have their code implemented, which enables them to track more than 65 million devices worldwide.
Sandra So these companies get their data either from app selling them that data, from building SDKs straight into the app and getting the data straight out of the app. But there's a third way they're collecting data, and that is the rabbit hole that we hope you'll join us in, and that is through bidstreams.
Kai So this really taps into the wild world of digital advertising. And that is really the industry that has championed the collection, aggregation and utilisation of user data. And these so-called 'bidstreams' are really open to anyone who wants to advertise on apps or websites, or indeed social media platforms such as Facebook or Twitter.
Sandra So say I am a company, say I'm Nike, and I want to get access to early-20s-bicycle-using-high-income individuals from the Sydney area, I would go to an ad agency which would contact one of the demand-side platforms that would facilitate access to that group of users.
Kai This really brings us to the sprawling industry of what is called AdTech or MarTech companies, an industry that has grown rapidly in the last 10 years from a few hundred to over 8000 specialist companies that connect, on the one hand, apps and websites that offer ad space to your ad agency who wants to access those customers for Nike. And the way this is done is really by way of fine-grained targeting using the kind of data that we were talking about. So your ad agency would know bid on exactly those characteristics, and the ad would then land on an app or a website that is used by those kinds of people.
Sandra And interestingly, that is a way to actually generate more data, because what the ad agency and Nike would now glean is all the data and the context surrounding the way in which that ad was received. So where these people were when they received the ad, what other ads were accompanying them, what they were doing when they received the ad, and what they did after interacting with the ad or clicking on the ad.
Kai And that's the really surprising bit, there's really two roles for data. One is that apps have every incentive to collect as much data about their users as possible in an as fine-grained way as possible, so that they can actually win the bid to host your ad. Because the more fine-grained, the more detailed your user data is as an app or as a website, the better you will win out having ads channelled your way by this industry. But then the ad placement itself is also an opportunity for collecting more data because a lot of these platforms and apps, and this is freely available information, Facebook and Twitter, for example, open their API of how this is done, they allow you to then glean a lot of the data about the users that engage with that advertisement. So the ad itself becomes another data collection opportunity.
Sandra And that's what we call the bidstream. So through bidding on that ad space, I end up collecting even more data about the users, data which then I can add to the data that I've bought from various apps, or to the data that is channelled to me through APIs, which pretty much allows anyone to collect this type of fine-grained information, but also gives rise to these massive aggregators, like X-Mode, who then sell all this data on to political organisations, or governments or the military, for use in any purposes far beyond advertising.
Kai And that's a real big rabbit hole here. There is hundreds and hundreds of specialised companies that aggregate data about certain segments of customers, that aggregate feeds of data from different apps and websites and sells this through exchanges to the ad agencies and the customers who are buying ads. And it is really important to understand that the advertisement itself is not just a way to funnel clients to your product to make the sales, but it is at the same time, a way to learn more about these users and grow your own data store. So digital advertising through bidstreams and the so-called ad tracking is a very lucrative way of generating aggregated datasets, which can now be used not just by advertisers and ad agencies, but by anyone who is willing to invest a few cents into this bidstream game.
Sandra And this is where a final light bulb goes off, and this is a pretty big one. And it has to do with conversations we've been having around companies like TikTok and WeChat.
Kai And by the way, the deadline for the TikTok sale passed this week, but the Trump administration seems to be otherwise engaged.
Sandra And we're of course talking about the attempt to ban WeChat and TikTok in the US, we've done a whole episode on what this would mean. And remember here, the big concern was that the data that apps like TikTok and WeChat have would be stored where the parent company is, that is China. So then the Chinese government, for instance, would get access to the TikTok user data.
Kai And we're going to put an interesting article from Gizmodo in the shownotes, which makes the point that this discussion really misses the point, once we understand how the ad ecosystem works. Because, while it is certainly important where user data of any such services such as TikTok or Facebook is stored, a lot of the user data is criss-crossing national boundaries by way of the AdTech or MarTech ecosystem all the time.
Sandra So what the article discusses in great detail with examples is how ad companies like AdTiger, which sells ad space from American companies to Chinese brands, still collect the bidstream type of data that we've been discussing, regardless of where the actual user data resides. And a report from three years ago found that there are about 50 such AdTech organisations based in mainland China, who all trade in consumer data overseas in places like the United States.
Kai So what we're saying is that the ad ecosystem is really trading a lot of user data to places like China, but also any other jurisdiction, and that the discussions around where data on servers resides is really just one minor aspect of how user data is being traded and shuffled around the world. Which brought us to another surprising insight. And that is that a company like Facebook, which is banned from China, so does not have any actual social media services in China, still has China as its second largest income source.
Sandra And to put this in context, last year they made $6 billion out of selling ad space to Chinese companies that wanted to target international Facebook users.
Kai And so climbing out of this rabbit hole, in which we could spend hours unpacking the minutiae of how this supply chain works, we want to ask one final question. And that is, what does that mean for the end user of these apps, of these social media services that collect data?
Sandra The usual conversation here would be around consent, that this can only happen if people actually consent to sharing their data and to companies doing things with their data. But of course, giving informed consent in this case is pretty much a fantasy. Because of course, as all these companies will point out, you are asked when you give consent that your data may be shared with other partners or sold to other organisations. But as Chris Hufnagel, the Faculty Director at the Berkeley Center for Law & Technology says, it's safe to say that for a reasonable consumer, so not a tech person, they would not have military uses of this data in mind, even if they read all the disclosures that accompany all of these apps.
Kai And just for example, X-Mode states in its terms and conditions that it collects anonymous location data "to power tailored ads, location-based analytics, attribution and other civic, market and scientific research about traffic and crowds". That sounds reasonably innocent. But we've just learned all the kind of ways in which such research or such location-based analytics can unfold when this data is sold to contractors.
Sandra So it's probably not the informed consent that will address this in the long term. And short of turning off most of our apps that use location services, or not using apps at all, it's probably the space where regulation will need to step in at some point.
Kai Which will be a mammoth task, given how sprawling the AdTech and MarTech industry is, it's a real gold rush at the moment. So understanding this industry is not easy. And we've only scratched the surface with this episode.
Sandra But that's all we have time for today.
Kai Thanks for listening.
Sandra Thanks for listening.
Outro This was The Future This Week, an initiative of The University of Sydney Business School. Sandra Peter is the Director of Sydney Business Insights, and Kai Riemer is Professor of Information Technology and Organisation. Connect with us on LinkedIn, Twitter and Flipboard and subscribe, like or leave us a rating wherever you get your podcasts. If you have any weird and wonderful topics for us to discuss, send them to firstname.lastname@example.org.
Sandra Oh shit, you know what we forgot?
Sandra World Toilet Day.
Kai Oh shit.
Sandra We should have said something about World Toilet Day, we always do.
Kai Speaking of data, we had all these cool stories around butt recognition technology and poop sensors and...
Sandra Plus all the COVID stories about sewage testing, and all the attention that's paid to social distancing and so on, but in Melbourne, whilst everyone's urged to be outside, there's very few public toilets in green areas. While people are socially distancing while they're having their picnic, they then have to queue up with hundreds of people to the one public toilet.
Kai One toilet per park when there's hundreds of people. And all the data you could glean from toilet finder apps as well.
Sandra I'm sure they'll be there next year. We'll do it next year.
Kai We'll do it next year.