Pandora's Android app gathers personal info, report says
Pandora, a free Internet radio service that streams and recommends songs, has an app for Android phones that finds, gathers and transmits "mass quantities" of personal data to advertising agencies, according to Veracode, an application security company that analyzed the app.
The personal information includes: your birthday, gender, postal code, a phone's unique device ID and even your GPS coordinates, according to Veracode.
"In isolation some of this data is uninteresting, but when compiled into a single unifying picture, it can provide some significant insight into a person's life," concluded Veracode researcher Tyler Shields in a Tuesday blog post.
Shields suggested that a person's current location, coupled with their gender, age and IP address, can be compiled "to determine who someone is, what they do for a living, who they associate with and any number of other traits about them."
While Pandora does request some personal information to customize music streams for users, Veracode said the music service was also sending data, possibly without even knowing it, to advertisers.
"The application developers may not even be aware of the privacy violations they are introducing by using third-party advertising libraries," he said. "They may merely think they are getting [the agreed amount] per ad impression, not that the ad library is leaking significant information about the user."
Veracode discovered that the Pandora app for Android was "integrated" into five advertising libraries, including AdMarvel, AdMob, comScore, Google.Ads and Medialets. In some cases, an ad library attempted to "capture GPS location information on a continuous looping mechanism," Shields said.
"I don't know about you, but that feels a little Orwellian to me," he wrote.
While apps that collect personal data to target ads and sell products is nothing new, they may come under increasing scrutiny as lawmakers look into how such information is collected, used and tracked.
Pandora revealed Monday in a Securities and Exchange Commission filing that it had been subpoenaed to turn over documents by a federal grand jury investigating how personal data is shared among smartphone applications.
The music service was not "a specific target of the investigation" and subpoenas were handed out "on an industry wide basis," the filing said.
-- Shan Li
Photo: An Android phone running the Pandora app. Credit: Pandora