Location Data Collection Firm Admits Privacy Breach

By   ISBuzz Team
Writer , Information Security Buzz | Nov 01, 2021 03:17 am PST


A British firm which sells people’s location data has admitted that some of its information was gained without seeking permission from users. Huq uses location data from apps on people’s phones, and sells it on to clients, which include dozens of English and Scottish city councils. It told the BBC that in two cases, its app partners had not asked for consent from users. But it added that the issue had now been rectified. In a statement, the firm said it was aware of two “technical breaches” of data privacy requirements. 

Notify of
4 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Niamh Muldoon
Niamh Muldoon , Senior Director of Trust and Security EMEA
November 1, 2021 11:26 am

<p>Business leaders who do not understand that trust is a true business differentiator are likely to see an impact on their brand and business over the next couple of years if they haven’t already experienced it. By 2023, 65% of the world’s population will have their personal data covered under modern privacy regulations, up from 10% in 2020.</p>
<p>This problem must be addressed at every level of the organisation including boardroom and executive management teams. There is a slight increase in Trust and Security expertise sitting at executive management and boardroom levels but this is not consistent across all industries and businesses and not having this representation at these levels will continue to impact Trust and associated brand and reputation associated with it. Business leaders need to think of the operational controls that can be executed as part of the day to day operations and how they can use these control sets to create a high-performing team working with the security and privacy organisations. Marketing roles are changing and leaders in this space have moved to a global privacy operating model to support their business incentivising individuals for their personal data, marketing behaviours and insights.</p>

Last edited 2 years ago by Niamh Muldoon
Chris Hauk
Chris Hauk , Consumer Privacy Champion
November 1, 2021 11:20 am

<p>This incident underlines the need for app users to investigate what personal data apps collect and to make sure that they have ways to control what data is collected. Always check the app\’s privacy policy to determine what information is collected and shared. Users should also make sure to visit their device\’s security and privacy settings to tightly control any app\’s access to info.</p>

Last edited 2 years ago by Chris Hauk
Paul Bischoff
Paul Bischoff , Privacy Advocate
November 1, 2021 11:19 am

<p>Firms like Huq take advantage of the fact that most people have no idea whether the apps they use share their personal data with third parties. I bet if you asked 100 people whose location data is collected and sold by Huq whether they were aware of that fact, 99 of them would say no. Huq is shifting the blame to vendors who sell its data, but Huq is equally responsible for sourcing legitimately collected data.</p>
<p>The BBC\’s article is not clear about what Huq will do with existing data that was collected or shared without consent. Will it delete that data?</p>
<p>Smartphone users should be wary of the apps they install and their permissions. Know that any app that collects data can most likely share it with third parties. Read privacy policies if anything is unclear. Deny location requests from apps whenever possible. Enter locations for weather apps manually, for example.</p>

Last edited 2 years ago by Paul Bischoff
Tim Mackey
Tim Mackey , Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
November 1, 2021 11:18 am

<p>Collecting location data without explicit consent from the user where the user is clear on the benefits and risks associated with such collection is particularly concerning. Knowing the current location and patterns of behaviour for a high value target is appealing to cyber criminals. Were location data to be sold, even in anonymised form, it could easily be combined with data from other sources to build profiles of individuals. While it’s heartening to hear Huq state that they have rectified the situation within apps identified in the Vice story, this is a reactionary approach to data privacy. Businesses like Huq which depend upon location services data as part of their business model should approach how they collect and manage location data as a duty of care – one which requires them to proactively ensure that compliance with data protection laws is a top priority and that their data sources operate with similar integrity.</p>

Last edited 2 years ago by Tim Mackey

Recent Posts

Would love your thoughts, please comment.x