Tile’s New Owner Selling Precise Location Data on Millions of Kids

Tile Mate Marketing Photo Credit: Tile
Text Size
- +

Toggle Dark Mode

News broke last week that Apple’s biggest competitor in the item tracking space was about to get a big boost thanks to its acquisition by Life360. Now, however, it’s beginning to look like Tile may have just made the proverbial deal with the devil.

According to a new report by The Markup, Life360 appears to be the antithesis of Apple regarding user privacy, basically happily selling off its users’ location data to pretty much anybody who wants it.

To make matters worse, Life360 is primarily a family safety app, so it’s used by parents who want to keep track of their children’s movements. However, in doing so, they’re also basically disclosing their kids’ whereabouts to everybody else that Life360 has partnered with.

The Markup notes that this includes about “a dozen data brokers” who deal with Life360 directly, but the problem is that those brokers then turn around and see that data “to virtually anyone who wants to buy it.”

As part of an investigative report, journalists for The Markup spoke with two former employees of Life360, along with two other individuals who previously worked at location data brokers Cuebiq and X-Mode — large behind-the-scenes data aggregators that most of us have likely never heard of.

The Markup discovered that the app acts as a firehose of data for a controversial industry that has operated in the shadows with few safeguards to prevent the misuse of this sensitive information.

While these folks spoke out anonymously for fear of repercussions, they did so because of concerns with how the location data industry operates without much public scrutiny or oversight.

All of them also described Life360 as “one of the largest sources of data for the industry.”

A former X-Mode engineer said the raw location data the company received from Life360 was among X-Mode’s most valuable offerings due to the sheer volume and precision of the data. A former Cuebiq employee joked that the company wouldn’t be able to run its marketing campaigns without Life360’s constant flow of location data.

The Markup

In an emailed response to The Markup, Life360 founder and CEO Chris Hulls refused to confirm or deny the accuracy of the report, defending the company’s data collection policies as critical to building features that have “saved numerous lives.”

We see data as an important part of our business model that allows us to keep the core Life360 services free for the majority of our users, including features that have improved driver safety and saved numerous lives.

Chris Hulls, founder and CEO, Life360

A Multi-Billion Dollar Industry

As a 2019 New York Times investigation revealed, location tracking has become a multi-billion dollar industry, and there’s virtually no legislation to prevent companies from collecting and using this data or even being transparent about who they’re dealing with.

For his part, Hulls added that Life360 would be supportive of legislation that would require public disclosure of its partners. However, since this legislation doesn’t exist, all the contracts between Life360 and its myriad data brokers, including strict confidentiality clauses that don’t even allow Life360 to admit that it’s doing business with them.

While much of the location data is anonymized, that doesn’t necessarily protect personal privacy since each user is usually still represented by a persistent identifier. While your actual identity may not be associated with the data, as the New York Times discovered two years ago, with enough data, it’s relatively simple to tie each of these so-called “anonymous” data points to an actual person.

Of course, Life360 is far from alone in providing this kind of location data to brokers. While most people are afraid of big tech companies like Google and Facebook infringing on their privacy, you should really be afraid of the dozens of smaller companies you’ve never heard of that are collecting the wealth of this information.

As with Life360 and its partners, these companies don’t make apps that you’ll see on your iPhone. Instead, they work in the shadows, signing contracts with other developers, like Life360, or with advertising and analytics networks that developers embed into their games and other apps, often with no idea how much of their customer’s information they’re giving away in exchange for a few dollars in advertising revenue.

To make matters worse, once the data is in the hands of the brokers, the original developers have little control over what happens from there. As The Markup reports, brokers like X-Mode, SafeGraph, and Cuebiq supply data to everyone from hedge funds and targeted advertising firms to government agencies.

For instance, Cuebiq told The Markup that it “provides access to an aggregated set of data” to the Centers for Disease Control and Prevention (CDC) to help track “mobility rends” related to the COVID-19 pandemic. Some of the raw location data used to create this aggregate set comes from Life360, but there are undoubtedly numerous other sources as well.

While Cuebiq explicitly denies selling data to law enforcement agencies or offering raw location data feeds to government partners, others like X-Mode and SafeGraph aren’t necessarily as scrupulous. Public records show that X-Mode has sold location data to the U.S. Department of Defense, while SafeGraph has also sold location data to the CDC.

Relying on Honor Among Data Brokers

For its part, Life360 insists that its contracts prohibit the selling or marketing of its user data to government agencies for law enforcement purposes, although it only added this clause last year.

The company also claims that it anonymizes all of its data. However, the two former employees who spoke with The Markup said that it doesn’t take the necessary precautions to ensure such data can’t be traced back to individuals. For example, it doesn’t make any efforts to obscure or reduce the precision of the location data to preserve privacy.

Instead, Life360 trusts the data brokers to abide by contracts that prohibit them from “re-identifying individual users” and relies on them to obfuscate the raw data that they receive before sending it out to others.

While all of this is disclosed in the fine print of Life360’s privacy policy, it’s done in the usual legalese that prevents most people from really understanding what this means. The relevant section reads that Life360 “may also share your information with third parties in a form that does not reasonably identify you directly. These third parties may use the de-identified information for any purpose.”

However, as Justin Sherman, a cyber policy fellow at the Duke Tech Policy Lab, points out, this doesn’t make things very clear, and most people “are probably not aware of how far their data can travel.”

Families probably would not like the slogan, ‘You can watch where your kids are, and so can anyone who buys this information.’

Justin Sherman, cyber policy fellow, Duke Tech Policy Lab

Sherman also raised the specter of data being sold to insurance companies that could use it “to figure out where they’re traveling and increase their rates.” While Hulls said that Life360 “doesn’t share users’ private information with insurers in ways that could affect insurance rates,” it’s important to read that statement carefully, as he doesn’t say that Life360 doesn’t share users’ private information with insurers.

The Big Problem

The biggest problem is that without any government regulation, this entire data brokerage industry appears to be relying on the honor system and contractual agreements to control the flow of data and the surrounding privacy. As a result, companies like Life360 don’t have any direct control over where their users’ location data ends up once they send it out to brokers. There also doesn’t appear to be any oversight in place to confirm that it’s being handled properly.

Despite its recent acquisition of Tile, Hulls has said that Life360 has no plans to sell data from Tile devices. Earlier this year, it also purchased Jiobit, a company that makes wearable location trackers aimed at young children, pets, and seniors, for $37 million. Hulls noted that it doesn’t plan to sell data from Jiobit devices, either.

Still, plans can and do change. Last year, Life360 made $16 million from selling location data, which accounted for nearly 20 percent of its total revenue. With the company still struggling to achieve profitability, it will be hard not to find ways to increase that revenue stream, which means Tile users may want to be extra vigilant at keeping an eye on their privacy policies.

By comparison, AirTags can barely even be called a side business for Apple, which already has some of the strongest privacy policies in the industry. Moreover, there’s really no financial incentive for Apple to get into the data brokerage business when it’s already raking in hundreds of billions of dollars a year from selling hardware and services.

Social Sharing