Stormy times ahead for IBM-owned Weather Channel app: LA sues over location data slurp

The Weather Channel app duped users into providing location data that the company then sold for advertising and other commercial purposes, according to a lawsuit brought by Los Angeles City Attorney Mike Feuer. The complaint, filed in Los Angeles Superior Court on Thursday, alleges that the mobile application, owned by IBM's …

  1. vtcodger Silver badge

    I'll have the super large bucket of popcorn

    it's not yet clear how many reside in California

    I expect that data is available from IBM ... For a price.

    1. BillG

      Re: I'll have the super large bucket of popcorn

      All app companies obey strict rules.

      However those rules are the Ferengi Rules of Acquisition.

      1. Anonymous Coward

        Re: I'll have the super large bucket of popcorn

        Rules like:

        21 - Never place friendship above profit.

        39 - Don't tell customers more than they need to know.

        52 - Never ask when you can take.

        60 - Keep your lies consistent.

        74 - Knowledge equals profit.

        87 - Learn the customer's weaknesses, so that you can better take advantage of him.

        199 - Location, location, location.

  2. JohnFen

    Yes

    The world of mobile apps is pretty much a privacy cesspool, and if you just assume that any data an app has access to will be sold to third parties, you'll be correct far more often than not. This is why I strongly resist installing and using apps, and when I do install and use an app, I make sure that it's firewalled off so that it can't send any data anywhere.

    Sadly, this problem is getting more frequent in the desktop world as well.

    1. W.S.Gosset

      Tech/Syntax question

      > and when I do install and use an app, I make sure that it's firewalled off so that it can't send any data anywhere.

      That's precisely what I would like to do. However, I've seen precisely 0 capability to do this on Android. Can you tell me how you did it?

      1. JohnFen

        Re: Tech/Syntax question

        Yes, but it requires you to root your device. Root your device (or, even better, replace the ROM with a plain Android install), then install AFWall+. That application is just a front end that allows you to easily configure iptables (which is part of Linux and so already exists on your device) to perform firewall operations. You can easily set up rules on a per-app (or global) basis, so you can set what apps get to use what interfaces.

        By default, I don't allow any apps to communicate out. I'll make certain exceptions, though (such as the web browser), but even then I set up the rules so those apps are only allowed to talk through my VPN.

        If you're extra ambitious, you can also do what I do with the VPN -- I run my own VPN server, which funnels all of the traffic from it through my firewall and router at home as well, where I can implement even more sophisticated defenses.
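The policy described in the comment above (deny by default, per-app exceptions, some of them restricted to the VPN interface), as an added example that is not part of the original post and not AFWall+'s own rule set. The chain name `appfw`, the interface name `tun0` and the app UIDs are assumptions made for illustration; the script only prints the rules, so it runs without root.

```shell
#!/bin/sh
# Dry run: prints the rules instead of applying them, so it needs no root.
# Chain name, interface name and UIDs below are constructed for illustration.
CHAIN="appfw"   # hypothetical chain name
VPN_IF="tun0"   # assumed name of the VPN tunnel interface

# emit_rules UID:POLICY ...   POLICY is vpn (tunnel only), any, or none.
emit_rules() {
    for ipt in iptables ip6tables; do   # same policy for IPv6, or it leaks
        echo "$ipt -N $CHAIN"
        echo "$ipt -A OUTPUT -j $CHAIN"
        echo "$ipt -A $CHAIN -o lo -j ACCEPT"   # leave loopback alone
        for entry in "$@"; do
            uid=${entry%%:*}
            policy=${entry#*:}
            case "$uid" in
                ''|*[!0-9]*) echo "bad uid in '$entry'" >&2; return 1 ;;
            esac
            case "$policy" in
                vpn)  echo "$ipt -A $CHAIN -o $VPN_IF -m owner --uid-owner $uid -j ACCEPT" ;;
                any)  echo "$ipt -A $CHAIN -m owner --uid-owner $uid -j ACCEPT" ;;
                none) ;;  # no exception: falls through to the final REJECT
                *)    echo "bad policy in '$entry'" >&2; return 1 ;;
            esac
        done
        # Default deny: anything not matched above is rejected.
        echo "$ipt -A $CHAIN -j REJECT"
    done
}

# Constructed sample: a browser (10123) allowed through the VPN only, the VPN
# client itself (10050) on any interface so the tunnel can come up, and
# another app (10200) with no exception at all.
emit_rules 10123:vpn 10050:any 10200:none
```

The catch-all REJECT also applies to the VPN client, which is why it gets its own `any` entry; without it the tunnel never comes up and the `vpn` exceptions have nothing to match.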

        1. cynic 2

          Re: Tech/Syntax question

          Somebody downvoted this? Seriously? I’d love to know why.

          1. Pascal Monett Silver badge

            Re: Somebody downvoted this? Seriously? I’d love to know why.

            They work for Google ?

          2. JohnFen

            Re: Tech/Syntax question

            I assumed that it was because I recommended replacing the OEM Android install with a clean one, but who knows? Downvotes without a comment explaining them are meaningless, and I tend to ignore them.

          3. Tree

            Re: Tech/Syntax question

            Musta been Mark Suckerburg. He needs a higher wall around his mansions.

        2. TaabuTheCat

          Re: Tech/Syntax question

          But how do you separate surveillance communications from app functionality? If the app makes an SSL connection "home" to function, there is likely no way to filter out the privacy data included in that stream. How many apps function without connectivity somewhere? Very few these days.

          1. cynic 2

            Re: Tech/Syntax question

            Surveillance stuff’s usually done by advertising SDKs linked to the app that do separate HTTP calls - it usually isn’t piggybacked onto functional requests. So that stuff can be filtered out in your VPN. When in doubt, route the traffic through something like Charles Proxy. If you don’t understand what you see, ditch the app!

            And yes, that’s a lot of work. It’s easier to live with a small set of curated apps. It’d be nice if there was a list somewhere that did privacy ratings, and was kept up to date.

        3. W.S.Gosset

          Re: Tech/Syntax question

          Thank you, sir.

        4. Dan 55 Silver badge

          Re: Tech/Syntax question

          For a no-root firewall try NetGuard. You can download it from F-Droid as well as the Play Store.

          1. JohnFen

            Re: Tech/Syntax question

            Yes, that's another option. That one doesn't work for me because you can't use no-root firewalls and a VPN at the same time (as near as I can tell).

      2. NonSSL-Login

        Re: Tech/Syntax question

        Another way is to decompile (or edit in other ways) the app's APK file and remove advertising links and libraries, but it can be fiddly to find and edit out code that sends data back to their own servers. Doable though, and easy once you have done it a few times.

    2. Roj Blake Silver badge

      Re: Yes

      Not allowing the app to send the data is a great idea.

      But if you want a weather forecast for where you are (or directions to somewhere from where you are, etc etc), you kind of have to tell them where you are.

      1. My-Handle

        Re: Yes

        There's a world of difference though between "Hi Weather App, I would like to know the weather at postcode SW1 1AB" once or twice a day (whether you're there or not), and the app reporting your exact GPS co-ordinates, available WiFi networks and visible mobile phone towers three times a second, to people or companies you don't even know of.

      2. JohnFen

        Re: Yes

        True, and if I want to do those things then it's easy to allow the communication just for that operation, then shut it down afterwards. Personally, I don't bother -- those services aren't worth the risk to me -- but it's easy to do.

      3. el_oscuro

        Re: Yes

        Not really. All of these companies just get their feeds from the NWS (weather.gov), which you can use directly itself. If you want it on your phone, it is https://mobile.weather.gov. No ads, spying, etc. You just give them your city and state or zip code, and you get the weather for the nearest station.

        The nearest station to my zip code is at Lat: 38.72°N, Lon: 77.18°W, Elev: 69ft, about 5 miles away.

        So any weather app asking for any location data that is more accurate than that is complete bullshit.

        1. Rajesh Kanungo

          Re: Yes

          Thank you !!!

  3. Jay Lenovo

    Not for Everyone, but always Someone

    Internet data pilfering and misuse, an expectation of fail.

    After we finally eliminate prostitution, we can make this go away as well.

    On the other hand, it does seem to be recession proof and always in demand.

    We'd just like it NOT to be a primary flaw of our major companies.

  4. Anonymous Coward

    vigorously!

    "IBM defended TWC's disclosure practices. "The Weather Company has always been transparent with use of location data; the disclosures are fully appropriate, and we will defend them vigorously," the company said in an emailed statement."

    IBM can use Facebook's latest (vigorous) defense of deflecting blame by pointing out other slurp-happy app developers that are doing the same thing.

    (As if that makes it OK)

    "We also wanted to note that many companies offer the types of services you cover in the report and, like Facebook, they also get information from the apps and sites that use them in a similar manner. Amazon, Google and Twitter all offer login features."

    #quote taken from Facebook's response to Privacy International (PDF)

    https://www.privacyinternational.org/report/2647/how-apps-android-share-data-facebook-report

    I've been seeing a lot of "defending vigorously" in the news lately.

    Doing a quick web search for "vigorously defend" gets several hits (including several others from FB)

    "vigorously enforcing our policies to protect people’s information"

    #from: https://www.nytimes.com/2018/03/18/us/cambridge-analytica-facebook-privacy-data.html

    "The lawsuit is utterly without merit and we will defend ourselves vigorously,"

    #from: https://www.businessinsider.com/lawsuit-facebook-ads-based-on-race-2016-11?op=1

    "claims have no merit, and we will continue to defend ourselves vigorously".

    #from: https://www.theguardian.com/technology/2018/may/24/facebook-accused-of-conducting-mass-surveillance-through-its-apps

    "We believe this complaint is without merit and we will fight it vigorously."

    #from: https://marketingland.com/facebook-to-vigorously-defend-instagram-against-suit-over-terms-of-service-29549

    1. JohnFen

      Re: vigorously!

      Yeah, I'd noticed that. I figured that it's just the latest fad in the PR world.

  5. kwhitefoot

    GDPR?

    Do they do the same to EU residents? If so surely it is a GDPR violation?

    1. A.P. Veening Silver badge

      Re: GDPR?

      It is a GDPR violation. Unfortunately, there is a backlog in issuing fines at the moment.

      1. Aodhhan

        Re: GDPR?

        It's not a backlog of fines needing to be issued.

        ...it's a delay from Belgium, to see if the guilty companies are willing to pay big $$$$ to the fat-cats in charge of the EU.

        This is why BREXIT is a good idea. EU isn't there to protect the people, it's to protect the privilege.

    2. Rajesh Kanungo

      Re: GDPR?

      2-4% of Global revenue or $2M in fines, whichever is higher.

  6. Pascal Monett Silver badge

    "To the contrary, the app misleadingly suggests . . ."

    I understand that this is a lawyer speaking, but that is a really nice way of saying that THE APP LIES.

    A lie is a lie, whoever says it, and I am (again) disappointed at the sheer amount of effort people go to to avoid saying the word.

    1. Doctor Syntax Silver badge

      Re: "To the contrary, the app misleadingly suggests . . ."

      "A lie is a lie, whoever says it"

      The lie misleading suggestion was probably written by a lawyer. If one of m'learned friends accused another of lying the accuser would probably end up getting disbarred.

      1. Anonymous Coward

        Re: "To the contrary, the app misleadingly suggests . . ."

        Misleading the court is just part of legal training; actual lying still has a few consequences. In a democracy.

        1. doublelayer Silver badge

          Re: "To the contrary, the app misleadingly suggests . . ."

          And the lawyer in question did it right this time, by stating things truthfully. The app did not lie, I.E. it did not say "We don't send your location data to the highest bidder, the second highest bidder, and on down the list." Instead, it said something along the lines of "Your location is required to retrieve weather information from your area". That falls under lying by omission, perhaps, but it is more correct to say what that was, which was an attempt to mislead without outright lying. I don't know whether the privacy statement had lies or just buried the truth in a bunch of hereunders. However, the last thing we need is for a word that doesn't imply in the strict dictionary definition to be the cause of a failed case to protect users' rights.

          1. JohnFen

            Re: "To the contrary, the app misleadingly suggests . . ."

            "The app did not lie"

            I disagree. When you are saying things in such a way as to be deliberately deceptive, you're lying even if every factual statement you make is true.

  7. Roj Blake Silver badge

    The Old Rule Applies Here

    If something is free, it's not the product - you are.

  8. Rajesh Kanungo

    IBM should settle, shut down the App.

    It will be better for IBM to not get its brand-name tainted, all for this silly app. Large corporations, governments, non-profits, etc. rely on IBM to be trustworthy. If they fail, they should just own it, slaughter the culprits, quickly, and move on. The longer they fight it the more they will look like FB. And customers will challenge them all the time. I have a lot of respect for IBM as an entity and I have worked in security long enough to know that these mistakes occur but one needs to correct the mistakes and move on. I'd have said, 'Oh shit, we will fix it, and here is $20M for your city, used for buying IBM stuff (at full price, and we get a tax break), and let's smile for a photo-op and thanks for helping us. We love you for how you have helped us and make us a better IBM. Thank you.'.

    1. JohnFen

      Re: IBM should settle, shut down the App.

      I'm not so sure that IBM's reputation is that sterling to begin with. Regardless, this is too critical to IBM to give it up. It's one of the bedrocks of their plans to sell Watson services.

  9. JCitizen

    It looks like TWC...

    Is trying to copy the success of "The Weather Bug", which has successfully slurped user data for years and got away with it despite being classified as malware by many AV and AM utilities. Who wouldn't be tempted after watching WeatherBug stomp all over people for years, and still the victims go "MORE MORE"!! Ever since AWS Convergence Technologies, Inc, the root company has changed its name and been bought out, and acted like a changeling. No wonder TWC was so tempted!
