Everyone is double dipping anymore. Pay for the app, but you're really the product being sold. Any app that can get location access is probably doing something you don't like with it. Your "Smart TV" is hoovering up as much as it can to send upstream (including using content recognition algorithms on the DVD and game console inputs), your "connected car" is almost certainly doing the same thing, your OSes are probably doing it... the whole of the modern tech industry is rotten, and nowhere is this more clear than the cell phone data mining industry.
There's big money in this sort of backend data analytics... deception? deceit? Whatever you want to call it.
> He did confirm that X-Mode buys data from Life360 and that it is one of “approximately one dozen data partners.” Hulls added that the company would be supportive of legislation that would require public disclosure of such partners.
You don't "accidentally" end up with a dozen data partners unless your goal is data collection and sale.
I'll offer a guiding principle that's been serving me well: If you can imagine how the data is being abused, it certainly is. If you can't come up with a possible way for some bit of data to be abused... someone else is more creative than you and has found a way to monetize it.
If I were cynical, I'd suspect Life 360 (and similar companies) were created first with the goal of selling location data, and from there worked backwards to figure out what sort of app/company would require a continuous stream of location data. And worked from there. Which is becoming more valuable as ios and android give users more granular control over apps getting location data...
Would not surprise me if there were people in these businesses who thought, "why would we leave FREE money on the table?" A promotion or two later after palming off their customer's data to whoever had the cash handy, they're off to do the same at another business.
I think they're called MBAs but I don't think it's unique to that style of professional.
I've never fully understood the concept of " if you don't pay for the product, you are the product", when it did the rounds a couple of years ago. Like, does this just magically mean that if I pay for something they're not also doing the same thing anyway?
It would be "You are the product" regardless of whether you pay or not.
Agreed. Many unfortunate things arise from it, especially when the needle moves from basic interests to flat-out greed. Pervasive removal would be a seismic social shift. The “common wealth” was a capitalist concept at one time.
I'm disappointed in myself for being surprised by this article, you're exactly right about this being the norm for similar software. I've found Life360 to be a helpful free tool in many regards but as is so often the case, if you aren't paying for the product then you are the product.
> violating the spirit of "If you're not paying, you're the product."
I don't understand how anyone who has ever owned a television, ridden on a bus, or flown in an airplane would think that statement has ever carried any weight with anyone.
I use it right now and it gives 24/7 livetime location reporting as well as free driver reports (top speed, number of hard braking events). There are other features you can upgrade to, but it's definitely useable at a free tier.
Their secret sauce is that they have spent a lot of time and money innovating on how to not kill battery life. The app polls users for location on different intervals. Periodically if no one has the app open, but if someone opens the app it will start polling people whose locations are available to them. Find My Friends has a similar approach, although it ONLY polls when someone has Find My Friends open that has a shared location available, and it doesn't store the data (last I checked).
Abusing technology to gather and monetize data that reveals users' "pattern of life" used to be limited to tech companies. Now that the tech industry rot has spread into other traditionally unrelated industries the abuse becomes systemic. We are now seeing the results of the spreading rot as a fundamental shift in our economic system from capitalism based on mass-production and financialization into surveillance capitalism[1].
We are already seeing entire industries shift from their traditional business models into surveillance oriented data. After a critical mass of businesses pivot to surveillance capitalism, the rest of the market becomes strongly incentivized to also become a surveillance capitalism style business or risk being left behind unable to participate in the new market.
Thanks for reminding me, that book has been on my list of "I should get around to reading..." for a while. It's a long slog, but seems more and more relevant.
> There's big money in this sort of backend data analytics..
Which is kind of weird, when you think about it. Why is this information valuable to companies? And why is it so valuable that so many companies can make money selling effectively the same information?
It makes sense why government agencies, particularly the police would place a value on this information. But they also have so many ways of obtaining this data that they can't be willing to pay much for yet another source of location data.
Location data is very easy to capture so tons of apps and websites do it, so there is large volumes of it, which makes it very cheap. For example when I run ad campaigns location data in general is literally just free, and if I want precise data (users who have visited this location) it’s max $2 cpm (1 thousand uses).
If I’m spending a few million on an ad campaign, a few thousand for location data is very much worth it.
> If you can imagine how the data is being abused, it certainly is.
I can imagine all sorts of crazy nonsense, including shadowy forces like the FSB and the Mossad planning drone strikes based on my wife's wirelessly-phoning-home CPAP usage, and underworld killers and kidnappers being directed to customers with >$50,000 USD in their bank accounts.
... Or I can limit my imagination to the sort of stuff that actually happens. It's a lot less sexy, and most of it doesn't have any impact on my life, and I'd really like conversation about it to focus on the parts of it that do. There's plenty of that, without us having to resort to speculative fiction.
I consider things like "A Roku TV performing content analysis on inputs from external jacks, so it can report up what DVD I'm watching," to be data abuse. Same goes for them scanning my network (which their privacy policy grants them permission to do). It's something that isn't useful to me, with the product I paid for (actually, I don't own a Roku, their privacy policy is "We do what we want, sucker!"), but is "sneaking around behind me" to do something non-obvious.
It doesn't have to be international intrigue for me to be upset with what some bit of consumer electronics is doing with my data.
"On Nov. 22, Life360 also announced plans to buy Tile, a tracking device company that helps find lost items. Hulls said the company doesn’t have plans to sell data from Tile devices."
I thought this sounded familiar. Combined with the acquisition of Fitbit by Google, for IoT devices you should therefore not only consider the current owner and its policies, but also future ownership?
This will make it even harder for me to buy anything from an IoT startup.
> Combined with the acquisition of ... you should therefore not only consider the current owner and its policies, but also future ownership?
That's been an unfortunate fact for a lot of things. Your loans, your bank accounts, your email accounts, your phones, your car...
It's very depressing to think that you can purchase something with one set of terms. Then the company can fold and you are unilaterally forced into a different set of terms, or else the Service is denied and your purchase is rendered to be a literal waste of money.
I’d argue that’s the same for any service. Privacy policy is ok now, wait for the company to be acquired, new company doesn’t have to adhere to old privacy policy.
Think about this for just half a second though -- What would be the value in buying location data on someone's Tile? Phone location data is valuable because it tells you where a human being with a wallet is.
If someone attaches a Tile to something (say their backpack), what's the use in buying that location data? Are you going to try to show location based ads to someone's backpack that they accidentally left in the library?
You’ve missed the point - the Tile app agressively pushes users to enable always-on location, which is not the norm for iOS apps, so Tile knows where your phone is all the time.
After a half second of thought: A backpack is usually with a human with a wallet. So is a phone, but the phone may not be reporting its location, or at least not reporting it to you, so the Tile is an alternative way to get the person's location.
99% of the time it tells you where the tile's owner is.
"But couldn't you just get that data from their phone already?"
No, because the Tile is the reason those people have the phone app installed and give it location data permissions. I wouldn't expect that they're selling locations of individual Tile trackers (thought they very well might), the more resellable data that Life360 gets here is access to the locations of all Tile owners.
well. if you know where the tile is for my car keys, my backpack, my wife's purse, whatever, but my phone is turned off.. then you probably still know where I am.
No but if a backpack gets close to the phone it would be an indication a person is about to leave. Could show a <insert coffee shop here> add. Not sure if it’s actually valuable but more info than phone moving around the house.
I found the sweet spot for IoT to be whether or not my phone's MAC is connected to my router. It's enough to trigger meaningful automations without killing battery life or sending sensitive data all the time.
I had issues with that since my phone's Wifi chip seems to have powersaving in it also, which means if my phone is screen-off in my pocket, it's not necessarily 'connected' to my router as far as the router is concerned. It effectively reconnects sporadically to grab push notifications or when I turn on the screen, but otherwise is mostly sleeping. I wasn't able to come up with a presence detection system more reliable than the one HomeAssistant uses, which is "is $my_phone inside $gps_fence"
What kind of granularity do you need? When I had that running I set the timeout to an hour which seemed to be enough to cover those disconnection periods. Of course, it meant that it takes an hour for Home Assistant to actually notice that my phone is gone but that was OK for my use-case.
I run HomeAssistant as the brains of my IoT. It connects to my Mikrotik router via api and treats every connected device as a presence sensor (this is mostly automatic aside from initial setup).
From there you just treat the presence sensor like any other sensor in your automations.
Whelp, time to get rid of my Tiles. Shame, I was just about to refresh.
Anyone have a recommendation for something else? I only need BLE, don't need crowdsourced finding, but I really want a slim form factor for my wallet and a more rugged form factor for my keys. I'm in the Android ecosystem (GrapheneOS).
Are you able to use the Samsungs? I know of Chipolo and I've used Trackr (looks like they stopped updating their product). But not sure if they sell your data.
This is very disappointing. I would love to hear from user crhulls https://news.ycombinator.com/user?id=crhulls the CEO Life360 (or so claimed, I can't verify). Too bad Hacker News doesn't have a notify on @ mentions. Then again, not being discord is a feature not a bug.
I am probably a little bit late here - would have loved to jump in sooner.
This is the most twisted reporting that has ever happened to us. We participated in good faith and they cherry picked individual phrases from our written answers and omitted including the ones that hurt their narrative. I literally gave them a list of suggestions on how the industry could be better regulated for all involved and they didn't even mention that.
I do acknowledge we have a data platform. They made it sound like we have no safeguards and anyone can buy data which is patently false. I also pointed them to this blog post which we sent out to 100% of our email list which is highly transparent. We are one of the few companies to have a privacy center which outlines everything we do in plain english with no legalese.
I'm very sad and disappointed. And an @ notify feature could have helped but as you say this is not Discord
You're literally trying to portray Life360 as the victim.
If Life360's mission is to keep children safe, exposing their location data simply cannot be part of that. These two activities cannot coexist without undue risk.
No parent is ever going to be okay with sharing thier kids location with countless 3rd parties. Pretending otherwise is just disingenuous.
> This is the most twisted reporting that has ever happened to us.
You're being obtuse and confusing "twisted reporting" with reporting a twisted business.
I have seen my friends use Life360 to track their kids and I was honestly surprised that they trust this company with real time location permissions. But I also understand the need for parents to keep a tab on their kids. So I ask this crowd are there any non-shady companies in this business? What methods are parents of HN using for tracking their kids? I realize people might have opinions on privacy of their kids and you are free to not "track" your kids but for some safety and assurance is also a big deal.
> But I also understand the need for parents to keep a tab on their kids.
It's weird how quickly this has become normalized. Parent's weren't able to track their kids' location with this level of fidelity until fairly recently. Yet now this isn't just a convenience but a "need" that parents have.
This all points to looming acceptance of 24/7 location tracking in society. If you're used to having your every move tracked as a kid, why wouldn't you accept it as something the government "needs" to do when you're an adult? Eventually, everyone who remembers what it was like before you carried a GPS tracking system on you 24/7 is going to die of old age. What will the world look like then?
We are. We're building the world of 1984, except paying to do it.
There are some upcoming requirements that cars "monitor for impaired drivers" somehow - which seems likely to be adding proximity-based blood alcohol sensors... or something of the sort? Details are unclear, but the speculation I've seen based on current technology is that your (always connected, always online, always updating...) car will now monitor the air to see if you might, perhaps, be impaired (or someone in the car is, it's far from clear to me how these sensors would work if a passenger were plastered).
I'm really not sure what I'm going to do when my current vehicle fleet needs upgrading, because "always online, always connected" is an anti-feature to me. Maybe just keep rolling my current stuff as long as I can keep it rolling.
I keep hoping that the upcoming generations will figure out how "edgy" being not-always-online is, and discover they like it. But that's a long hope.
Don't need to monitor their every move. I'm a parent that uses life360. I have notifications setup to alert me when the kids reach school and when their school bus drops them off in front of our house. Those are two spots I have setup in life360 to raise an alert if and when they are reached by their devices. Anything beyond that I know something isn't normal.
But the question remains, why do you need to know where they are? Is it concern for their safety, is it concern that they are doing something you may not approve of?
I'm fairly old so my experience of tracking kids is limited but I am really intrigued as to why we are now so concerned about having 100% visibility of what our kids are doing.
The flip side of this questions is how often do kids who are being tracked in this way either have problems that the tracking helps resolve, or deliberately work around the tracking so that they can do something their parents may not approve of?
I'd be interested in this for some circumstances with the kids knowledge - and generally I'm interested in companies that are trying to do this without an alterior motive (see: Notabli for photo sharing).
That said, as a parent, I also know that the knee-jerk reaction to get this tracking technology is really more of a crutch for me since the whole gig is to make them more independent so they can live lives on their own.
The sweet spot for tracking is that it allows you to give them chances for autonomy potentially earlier than you might otherwise be comfortable with a greater margin of safety. The challenge as a parent is to turn it off after the first N number of times you grant them the autonomy.
Ask them where they are and randomly verify every now and again by either showing up yourself or calling someone else you trust who is where they say they are. You and I weren't subject to epidemics of child kidnapping and murder because our parents weren't able to plant beacons on us.
Please don’t. Your children (especially if they’re almost adults) don’t deserve their privacy invaded and their data farmed. It’s the definition of helicopter parenting and there’s workarounds for it (trust me, I know). Wherever they want to go, they’ll find a way to fool the system.
We put an AirTag in our kid's backpack. That way we know when the bus left the school and when to go to the bus stop. Don't know what we'll do when our kid is more independently mobile...maybe an Apple Watch for real time communication over wifi.
You could give them a phone and ask them to call you when they get to the bus stop. Consequences of not calling you would be them getting board and having to wait for you to arrive.
This is where Apple shows itself as a leader in privacy, as their location data is encrypted from what I understand, at least after iOS 15. This protects you from rogue employees, at least this is what is claimed. At Life360 it would be very easy for many employees to creep on someones location history.
My understanding is there isn't really much auditing in the way of this functionality, and that customer support can easily go through your location history with zero to minimal auditing. They use an 'impersonate' feature to log into your profile on a web-app when supporting customers typically, which would make it easy for a bad actor to track you. Or they could just buy the data straight from the broker.
1. Absolutely minimize your internet exposure in ALL ways - avoid using internet-enabled tools AS A DEFAULT
2. Take personal responsibility for your and your family's security by non-internet means. In some cases that means less "convenience". And some cases absolutely include 2A means. The government is under ZERO responsibility to do jack for you when it comes to crimes and safety!
I'd guess you could use assigned names and location patterns to get a decent sense of what the tile is attached to. If it's on someone's keyring for example it's probably outside as much as their phone is. Then if the user has denied location tracking on their phone it becomes available through another route.
You know anyone using Tile who doesn’t put a Tile on their keys?
But more to the point, the Tile app makes a strong case to turn on, and leave on, location data. Easy to convince users, since they want to locate things.
I think (hope) there’s an open niche for companies which contractually bind themselves to not sell your data. I’ve switched to Neeva for search and mobile browsing, but for now I just have to take them at their word. Same with Apple.
There's a major "open niche" for up to date privacy legislation in the US. The privacy laws of the United States have never really been updated for the computer age. It's still safer to write a letter on paper and mail it than to send an e-mail, because the paper letter is protected by law.
The generation that's been in power since the 1980s and before has never chosen to protect citizens' privacy the way it was protected when they were growing up, because there's a profit in it for them and their supporters now.
Even creating a law like the GDPR on a national level in the US would be an improvement.
Ok there - I’m on board with the whole ‘this is scummy’ thing, but you’re really really stretching here.
You know what someone can do to ‘discover locations frequented by children’? About a million things. One of which involve paying a bunch of $$ to Life360 and trying to filter the data by age.
Like walk around the neighborhood. Look on Facebook/nextdoor (old people complain about congregating kids all the time), follow a kid after school, or just GO TO A SCHOOL (oh my God - the government forces kids into a single location every day of the week, now they’ll be victims!).
> One of which involve paying a bunch of $$ to Life360 and trying to filter the data by age.
The fact that the data is being made available to larger audience than it needs to fulfil it's stated purpose is a violation of trust. The expectation of the parents is that the data is exposed to minimum of people - employees of Life360. Instead, the data is shared with the employees of potentially hundreds of companies. None of whom need pay anything to Life360.
> About a million things. ... Like walk around the neighborhood ...
In less time than it takes to search one neighborhood by foot, someone can use big data to search a million neighborhoods. And thereafter rerun that search day after day, week after week, year after year. With no effort.
There's a reason so many companies are tracking everything, and so many companies are paying for that tracking data: it's powerful.
This is confusing. By my read (IANAL, but had to implement GDPR for a startup), under the GDPR selling location data like this is obviously illegal; why bother to gesture at GDPR compliance by listing all of the companies that you're illegally selling data to? Maybe this list is very out of data, but even at the time this should have raised a big flag. ("Datenschutzrichtlinie" seems to be "data protection guideline"? You need to say what the subprocessor is doing with your data, this is not sufficient explanation, unless this actually translates to something meaningful.)
> 5)1): Personal data shall be: ... a) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
This is exactly the sort of thing that GDPR was designed to prohibit. You simply cannot use data for a hidden purpose that isn't core to your product. Simply saying "we also sell your Personal Data" in the EULA is not compliant with GDPR. You have to clearly ask customers to opt in to non-essential processing.
I suspect that this processing is just for US customers - as far as I can tell, data brokers like SafeGraph are fundamentally not compatible with the GDPR, since approximately nobody would knowingly opt in to giving away their data to these companies.
(Anyone in the industry know more about how the EU data broker industry has evolved in the last few years? It's been a little while since I have been directly in contact with the EU regulatory system.)
Per GDPR, nearly anything you for which you get consent is legal. As your quote shows: a purpose must relate to a legal basis, and one of the legal bases is consent.
Was there actual consent? Unlikely, but I can't read the German in that clip explaining what's going on with these companies.
> Per GDPR, nearly anything you for which you get consent is legal.
I think this requires qualification. There are a bunch of cases where consent is not considered valid, and there are requirements on being explicit about what you're getting consent for.
> If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
In other words, burying consent in a 10-page EULA probably doesn't float. The subject can withdraw consent at any time. This must be easy to do.
And more importantly, see Article 6 - you can't just get consent for "monitoring your children" and then use the data for unrelated things that you claim are part of that task.
In this case the only way you could be compliant is if you had a pop-up that says "we'd like to sell your location data to other companies (listed here). This isn't required to offer you our location tracking service. Do you give consent? Y/N". In which case the story would not be news, as everybody would be aware that this is what the app does.
> In this case the only way you could be compliant
This is overstated. Yes, consent must be clear. But it doesn't have to be a popup; merely clear.
And you would probably be legal to require users to pay more to avoid data collection -- there are conflicting cases from the ICO / washington post case and the Austrian DPA / derStandard.at case.
According to the current privacy policy[1] they are Cubiq[2] and Cubiq's trusted partners[3], and then if you are in the UK/EEA then they have (interestingly) images that list who they share with right at the bottom - not searchable text ...
2. Cuebiq is not mentioned in the Part 2/EEA section of the privacy policy. Instead, as parent points out and according to non-searchable Annex 2, "precise location" data may be disclosed to: Arity 875 LLC, Foursquare Labs UK Limited, Google Inc., Placer Labs Inc., AvantGuard Monitoring Centers LLC, OnCall International LLC, Sontiq Inc.
I have decoded many privacy policies in my life, but unfortunately don't have time to work on this one. :D
Of course they are. Only naive people would have thought otherwise.
This is why I am inherently suspicious of all "parental control" apps. The entire category is filled with these shenanigans. I suppose I trust Apple's inbuilt Find My Friends feature.
Weather apps were full of this, too. I gladly paid for Dark Sky because they didn't do this.
Fun fact: they also bought Couple (later known as Pair) - an app from a decade or so ago - and then never revealed what they did with the data that users uploaded to it. It’s murky who has it now but it’s always been odd to me that there’s little awareness there as the app was quite popular for a bit.
I'm not sure what Life360 does but if it's primarily family tracking, I recommend using a private HomeAssistant instance which has the same functionality plus lets you do all kinds of automation based on people's location.
I just looked into that, and it seems it can tell if someone is at the house or not, but nothing beyond that?
My family doesn't use Life360 just to know if someone is at each home or not. They also use it to see if they're on the way home, or stuck somewhere, or if we've left our phone somewhere.
I don't see anything there that shows the location for the user is exact, or that it can be shown away from the home. I see exact locations for events near the home, but not the user itself.
Everyone is double dipping anymore. Pay for the app, but you're really the product being sold. Any app that can get location access is probably doing something you don't like with it. Your "Smart TV" is hoovering up as much as it can to send upstream (including using content recognition algorithms on the DVD and game console inputs), your "connected car" is almost certainly doing the same thing, your OSes are probably doing it... the whole of the modern tech industry is rotten, and nowhere is this more clear than the cell phone data mining industry.
There's big money in this sort of backend data analytics... deception? deceit? Whatever you want to call it.
> He did confirm that X-Mode buys data from Life360 and that it is one of “approximately one dozen data partners.” Hulls added that the company would be supportive of legislation that would require public disclosure of such partners.
You don't "accidentally" end up with a dozen data partners unless your goal is data collection and sale.
I'll offer a guiding principle that's been serving me well: If you can imagine how the data is being abused, it certainly is. If you can't come up with a possible way for some bit of data to be abused... someone else is more creative than you and has found a way to monetize it.