The researcher identified over 75000 data points of his phone being tracked.
Most of us already know that our smartphones are being tracked constantly through either telecommunication service providers, tech giants like Google, or the various apps that we use.
One researcher decided to see where the information or data was collected similar to when a student traced his phone’s thief.
Detailing his narrative in a blog post, Martin Gundersen starts by requesting information about all the data held on him from a company named Venntel that had been known to provide the U.S Government, more specifically the U.S. Immigration and Customs Enforcement (ICE) with similar information in the past.
He did so under the rights granted to him under the GDPR act as a Norweigian citizen. The results were alarming.
After a few inquiries about the recent addresses Martin had visited, verifying his provided advertising ID and giving his current addresses, they sent him an email 1 month later.
The email contained information about his whereabouts since February 15 with 75,406 occurrences with every movement of him being tracked as shown in the data collection points illustrated below:
However, no names or contact information such as phone numbers were found in the data but still, the researcher believes the data is not anonymizing. Explaining further details, the researcher writes in his blog post that,
Simple searches in Google and the white pages would show there was a Martin Gundersen living in Sorgenfrigata in Oslo and working at NRK Marienlyst.
Over this, a question arose of how a U.S company could have access to his data? No app installed on his phone belonged to Venntel so how? Explaining this journey, Martin states,
A new round of access requests uncovered that some of the location data that ended up at Venntel originated from a Slovak app developer called Sygic, which have a portfolio of 70 different apps.
On 15 February, I installed two navigation apps from Sygic. Both asked me to consent to some terms for personalising my advertising experience.
Those 2 apps as shown in the flow-chart above then sent the data to Gravy Analytics which is the parent company of Venntel which although would technically result in violating the user-consent form that Sygic’s apps ask users to accept.
This is because Gravy states that it could use the data for sharing it with customers and even indirectly government agencies for different purposes which goes contrary to what Sygic made Martin agree to in the first place:
I have consulted with three lawyers, Malgorzata Agnieszka Cyndecka, Lee Bygrave, and Arve Føyen, who are all privacy specialists. They believed the fact that my personal information could be used for other purposes than I had agreed to was an apparent violation of the GDPR.
To conclude, there’s plenty more to what Martin discovered including another app tracking him serving as additional examples. Regardless, this proves to us that companies are still breaching GDPR but in ways that make it hard to identify them, particularly due to the complex flow of data.
Furthermore, data protection authorities also need to start imposing hefty fines which act as a deterrent and this will happen by closing in on all those who believe they may not be “checked” in the vast ocean of apps that exist out there.