After the Cambridge Analytica / Facebook scandal and the ensuing 'reforms' within the tech industry to reign in wanton data harvesting by predatory app-makers, one might be left with the impression that the practice had been reined in.
Yet, a deep-dive investigation by The Markup revealed that a popular family safety app used by 33 million people worldwide, Life360, has been selling data on the precise locations of children and other family members to around a dozen data brokers, who have in turn sold data to "virtually anyone who wants to buy it."
Two former employees of Life360 as well as two individuals formerly employed by data brokers Cuebiq and X-Mode revealed that the Life360 app "acts as a firehose of data" for shady info brokers in an industry which has "few safeguards to prevent the misuse of sensitive information."
When confronted with evidence, Life360 founder and CEO Chris Hulls had no qualms about his business model, telling The Markup: "We see data as an important part of our business model that allows us to keep the core Life360 services free for the majority of our users, including features that have improved driver safety and saved numerous lives."
Selling data has become a crucial component of Life360's revenue, jumping from $693,000 in 2016 to $16 million in 2020, comprising around 20% of its revenue that year, not including an additional $6 million from a partnership with Allstate's Arity. While the company reported a loss of $16.3 million last year, Life360 - which is publicly traded on the Australian Securities Exchange, has plans for an IPO in the US.
Life360 reported a loss of $16.3 million in 2020. Financial disclosures show they made $16 million selling user location data in 2020 – making up nearly 20% of their revenue.— Jon Keegan (@jonkeegan) December 6, 2021
According to the former X-Mode engineer, the raw location data from Life360 was one of the most valuable sources, as it included a massive volume of precise data. The former Cuebiq employee joked that the company wouldn't be able to run marketing campaigns without Life360's "constant flow of location data."
The company maintains that it doesn't sell data on any users under 13, in accordance with the Children’s Online Privacy Protection Rule (better known as "COPPA"), though they admitted that they do "disclose" information from younger children to third parties "as needed to analyze and detect driving behavior data, perform analytics or otherwise ,[sic] support the features and functionality of our Service," but not for "marketing or advertising purposes."
PARENTS using @Life360:— John Scott-Railton (@jsrailton) December 6, 2021
You have no idea who else may be tracking your family.
Why? Company is selling location data. Sometimes within 20 minutes.
Pic: how to disable.
More via @alfredwkng & @jonkeegan:https://t.co/DIbzJzRldY pic.twitter.com/1kzbNncvka
The data brokers
X-Mode, Cuebiq, SafeGraph and other similar companies purchase data from companies like Life360, and supply 'data and insights' to other industry players, as well as customers which include hedge funds and advertising agencies.
Cuebiq claims they don't sell raw location data, but instead provides access to aggregated data through its "Workbench" tool, which uses raw location data from Life360. One customer, the CDC, has been using the data to track "mobility trends" during the Covid-19 pandemic.
"The CDC only exports aggregate, privacy-safe analytics for research purposes, which completely anonymizes any individual user data," said Cuebiq spokesman Bill Daddi in an email, adding "Cuebiq does not sell data to law enforcement agencies or provide raw data feeds to government partners (unlike others, such as X-Mode and SafeGraph)."
According to Life360, they have a policy against selling or marketing data to any government agencies which might use the information for law enforcement purposes in 2020 (although The Markup notes they've been selling data since at least 2016).
"From a philosophical standpoint, we do not believe it is appropriate for government agencies to attempt to obtain data in the commercial market as a way to bypass an individual’s right to due process," said Hulls, adding that the policy extends to data brokers. How they enforce this is anyone's guess.
Read the fine print
Hulls said that all of Life360’s contracts prohibit its customers from re-identifying individual users, along with other privacy and safety protective practices. He said that Life360 follows “industry best practices” for privacy and that only certain customers like Cuebiq receive raw location data. The former X-Mode engineer said that the company also received raw data from Life360. The company relies on its customers to obfuscate that data based on their specific applications, Hulls added. -The Markup
As Justin Sherman, cyber policy fellow at the Duke Tech Policy Lab, told The Markup, "Families probably would not like the slogan, ‘You can watch where your kids are, and so can anyone who buys this information.'"
.@jonkeegan and I found that Life360 also sold to SafeGraph, a company that Sen. Wyden has flagged as a "data broker of concern" and has ignored his office's requests for information: https://t.co/VhhhK89yrQ pic.twitter.com/VxyjaUI2uU— alfred 🆖 (@alfredwkng) December 6, 2021
Yet, two former Life360 employees claim that the company's data security 'precautions' are shoddy, and location histories can be traced back to individuals by failing to "fuzz," or "hash" data, or to reduce the precision of the location data to preserve privacy.
Meanwhile, Life360 is expanding into other "digital safety" products - including (laughably) data breach alerts, credit monitoring, and identity-theft protection features. IT's also acquired companies which allow it to expand tracking and potential to harvest data. In 2019, they acquired ZenScreen, which monitors family screen-time. In April, it acquired Jiobit, a wearable location device company which targets younger children, pets and seniors, for $36 million. According to Hulls, he has no plans to sell data from Jiobit devices or its digital safety services.
Life360 also announced plans in November to buy Tile, a company which provides devices to help find lost items.
"I’m sure there are lots of families who do find very real comfort in an application like this, and that’s valid," Sherman told The Markup. "That doesn’t mean that there aren’t ways that other people are harmed with this data. It also doesn’t mean that the family couldn’t be harmed with the data in ways that they’re not aware of, such as that location data being used to target ads [or] used by insurance companies to figure out where they’re traveling and increase their rates."
Read the rest of the report here.