Your cell phone is talking behind your back – all night long

Kait Baumgartner was surprised to learn her name, gender, age and e-mail address were uploaded hundreds of times to companies she had never heard of. (WTHR Composite)

INDIANAPOLIS (WTHR) — At 2:00 a.m., you're probably not talking on your cellphone. But your phone is talking about you.

A WTHR investigation found our cellphones are sharing personal information about us all day and night, delivering that information to companies we've never heard of.

"Those companies are very aggressively collecting your data — as much as they can, as fast as they can – because it's valuable," said cyber privacy expert Patrick Jackson. "But most people don't realize what their phones are doing and what's going on behind the scenes. If they did, I think they'd be really creeped out."

The process is silent and it's fast. In fact, while you are reading this story, the apps on your phone will likely be asked many times to deliver personal information to companies that are eager to learn all about you. And chances are, they'll get it because – without realizing it – you've agreed to hand over your valuable information to strangers.

So exactly who are these companies, what personal data are they receiving, and can you do anything to stop it?

To find out, 13 Investigates used sophisticated software to track a complex trail of personal data streaming from several cellphones. The results expose a hidden world that consumers are not supposed to see. And when you get a glimpse of the information that your phone is sharing behind your back, you'll understand why it was designed to take place in secret.

Why it's creepy

Patrick Jackson is a cyber privacy expert and the chief technology officer at Disconnect. (WTHR Photo)

To help expose exactly what your phone is doing, WTHR contacted Jackson, a former National Security Agency researcher who is now chief technology officer at Disconnect. The California-based company has developed technology to track the companies that are tracking you.

Specifically, Jackson and his company are able to dig deep inside a phone to monitor app trackers. Those trackers are embedded within the apps you install on your phone. They collect information about you for a variety of reasons – most often to figure out your habits and preferences so they can serve you pop-up ads and other marketing that might interest you.

To do that, your apps allow the trackers to send specific — sometimes sensitive — information to dozens of companies that are constantly collecting and downloading your personal data.

"It's happening all the time. It's non-stop," explained Jackson. "What they do with that information after they collect it, we don't really know. The only thing we can verify is the data is being transferred from your phone directly to their servers, and after that, it's really anyone's guess. And you don't see it happening. There's no indication what's going on behind the scenes."

WTHR helped Kait install software on her phone to closely monitor what personal data was being shared by app trackers. (WTHR Photo)

App trackers will gladly accept as much information as they can get their hands on. So even while you and your phone are sleeping, many of the app trackers are not. They are programmed to wake up your apps in the middle of the night to transmit data that's extremely valuable to marketing, analytics and advertising companies. A single app tracker may be embedded inside several apps installed on your phone, allowing it to scoop up different data from different sources, which it can later piece together to create a much more detailed picture of who you are, what you like to do, and where you spend your time.

"If a stranger was constantly following you down the street, you'd be looking over your shoulder all the time and eventually you'd say, 'Stop following me. This is creepy. I'm not comfortable with this,'" Jackson told WTHR. "That's what these app trackers are doing – even hanging out in your bedroom – but we don't really realize they're there, so most people just allow it."

Jackson offered to conduct a test for 13 Investigates by installing software on a phone that would allow him to closely monitor each of the app trackers, seeing all of the personal data they collect and who they are sending it to. First we would need a volunteer – someone who was willing to have their personal data captured for our experiment.

Eye-opening test

Kait Baumgartner agreed to let WTHR test her phone. (WTHR Photo)

Curious to learn who her phone is talking to, Kait Baumgartner agreed to participate in WTHR's tracking experiment. The busy mom and owner of the popular Indianapolis Moms Blog says she relies on dozens of apps on her smartphone to get through her day.

"I use them for work and social media. I use them when I go to the store and to order stuff. I use them to check the weather. I'm on my phone pretty much all the time," she said.

Baumgartner understands the apps on her phone need to collect some information to work properly. For example, a weather app may ask for your city or zip code to help deliver a more accurate forecast based on your location. What she did not realize is just how much data is being collected, how private some of that information is, and what happens after an app gets ahold of it.

To begin the test, the Westfield mom downloaded Disconnect tracking detection software on her iPhone, giving Jackson permission to see what information app trackers were requesting. Within moments, Jackson was observing hundreds of data requests as Baumgartner's personal information was quickly distributed to tracking companies all over the world.

Kait's phone was sharing details like the make and model of her device, her advertising ID number, even her email address. (WTHR Photo)

Her apps frequently transmitted her exact location – longitude and latitude – to app trackers based in Boston, New York, San Francisco, London, Dublin and Singapore. Those companies received detailed information about Baumgartner's cellphone, including the make and model, the settings, the wireless carrier, the size of her screen and even how much battery life was left before her phone would lose power.

"They wouldn't collect it if it wasn't valuable to them," Jackson said as he reviewed Baumgartner's data. "They are collecting her location at separate times and then bundling that and sending it off. That lets me know they're not just tracking her location, they're tracking her movement."

Apps on her phone freely gave out Baumgartner's advertising identification number, a unique identifier that marketing companies assign to keep track of consumers' habits and interests based on the apps they use and websites they visit.


As Baumgartner navigated her way through some of her favorite apps, every click and swipe was being recorded and uploaded by an app tracking company that monitored every article she read, every photo she viewed and every order she placed.

Her name, gender, age and e-mail address were uploaded hundreds of times by companies Baumgartner had never heard of.

She never suspected a thing.

"I feel like that's sneaky. I don't like it at all," Baumgartner said, learning the results of her test. "They're sending out private information – like exactly where I am with my kids with me – and that's kind of scary to have so much information out there about you that you don't even realize is out there. I don't understand why these companies need to know all that."

Jackson's analysis revealed that app trackers bombarded Baumgartner's phone with more than 1,400 requests for data in just a single weekend. And when he monitored the app tracker traffic on my phone, Jackson discovered even more.

Blindsided 5,000+ times a week

Kait Baumgartner and I have very different apps on our phones, but Patrick Jackson confirmed they behave the same.

Like Baumgartner, I downloaded Disconnect software on my smartphone to allow Jackson to see what app trackers were doing in the background. The cyber privacy expert and I watched the results together, and they were breathtaking.

Within the first 60 seconds, app trackers initiated 119 requests for data from my phone. They received my precise location through latitude and longitude readings, my unique advertising identification number and lots of information about my cellphone – including IP address and settings.

As we continued to talk, the number of requests for my personal information continued to climb. A single ad placement company, Amazon Ad Services, passed along my geolocation to 20 app-tracking companies a whopping 1,743 times in less than 30 minutes.

Patrick Jackson is concerned about what happens once your data leaves your phone and is downloaded by dozens of companies. (WTHR Photo)

"I'm in the business of making that stop," Jackson told me, shaking his head. "I'm concerned because users should be in control of their own data. It belongs to you and you should decide who gets access to it."

Jackson's company offers a free app called Privacy Pro that allows iPhone users to detect and block many (but not all) app trackers. Privacy Pro showed trackers hit my cell phone more than 5,100 times in just one week, not including all the data requests from Amazon. Those annoying requests, transferring my personal information to companies that I don't really want to get my data in the first place, can suck up a lot of data: about 1.7 gigabytes over the course of a month, according to the Privacy Pro app.

Phones operating on Google's Android operating system are also targeted by app trackers, but Google won't allow Disconnect's tracker-blocking software in its Google Play store. Google, which operates a massive and profitable app tracking platform, prohibits apps that interfere with ad displays, according to Jackson.

Is it really a big deal?


The idea of hidden trackers lurking in the background of your cellphone and taking your sensitive information in the middle of the night might sound scary, but most do not have sinister intentions.

Companies like Mopub, Appboy, Cuebiq, Localytics, Taplytics, Urban Airship, DoubleClick, Sift Science, Segment, Nimbus, Embrace and Nexage are not household names for consumers. But they support the companies that have nationally-known household names by helping to make their apps more profitable.

The goal of most of these marketing, advertising and research firms is to collect enough data about you to serve up an ad on your mobile device that you'll actually click on. The vast majority of apps that you've downloaded on your phone rely on app trackers to analyze how consumers are using their service, to place effective ads and to improve their bottom line. It's a big business, and some of the companies that track apps are now worth hundreds of millions — or even billions — of dollars.

Despite the intentions, there are two issues Jackson finds particularly troubling about the business of app tracking.

First, most consumers are unaware that these companies are gobbling up their personal information.

When you first download an app on your phone, you are required to agree to the app's user agreement and privacy policies. Those policies usually state that the app you are downloading may share your personal information with third-party companies including app trackers. So when you download an app, you are essentially giving permission to share your personal information with an app's tracking partners.

But it is not uncommon for the user agreements and privacy policies to extend dozens of pages, and researching exactly who the app trackers are and how they will use your personal information can actually take hours.

The privacy policy for the Weather Channel app stated up to 38 companies could receive your data. (WTHR Photo)

For example, Baumgartner uses The Weather Channel app, which has a 26-page privacy policy. The policy is both thorough and transparent, offering the names of all of The Weather Channel's 38 approved ad and analytics vendors and inviting users to check out the linked privacy policies of each of those app trackers. To do that – taking the time to review all of those privacy policies to learn how the companies might use the information you've agreed to share with The Weather Channel — requires an additional 500+ pages of reading. The most transparent of policies is not truly transparent if important information is buried in an avalanche of corporate documents that few people will look at.

It's no wonder most consumers do not read any of the privacy policies they encounter when downloading an app.

"There's pages and pages and pages of agreements that you go through and, to be honest, I've never read those agreements," Baumgartner told WTHR. "Who has all that time?"

As a result, Jackson says few people understand what they're giving up when they agree to use an app.

"It makes perfect sense that you'd give your location and other personal information to a company that you want to provide you a service," said Jackson. "But then they allow other companies to piggyback on what you've authorized them to do, and they've opened the door for those companies to suck up that information about you without giving you back anything in return. That's not something users expect."

"Ticking time bomb"


Jackson's second concern is what might happen to your data once it is distributed to dozens of companies that download it onto their servers.

Many apps require their tracking partners to keep your private information strictly confidential once they receive it, and use of your sensitive data is supposed to be limited to purposes directly related to the app. At the same time, many privacy policies acknowledge that user data may still be vulnerable.

"We use commercially reasonable procedures to protect the personally-identifying information that we collect," explains Meredith Corporation, publisher of the People Magazine app, in its privacy policy. "No security system is impenetrable, however. We cannot guarantee the security of our databases, nor can we guarantee that information you supply won't be intercepted while being transmitted to us over the Internet."

Transportation company Lyft informs its mobile app users "We are committed to protecting the data of the Lyft community. Even though we take reasonable precautions to protect your data, no security measures can be 100% secure, and we cannot guarantee the security of your data."

"Is this data going to be breached? You never really know," said Jackson, speaking in general terms about an industry that maintains billions of pieces of identifying personal data on hundreds of millions of people. "If it's not breached, maybe it's going to be sold to some third party doing robocalls and now they have a lot of information on you. You have to be so careful about who you're allowing to collect your data because it's a ticking time bomb. It's just a matter of when a breach is going to happen and how many people it affects."

Jackson points to recent security and data breaches as cause for concern. Last year, hackers infiltrated Google's DoubleClick ad service to deliver ads that contained malware. Popular app Timehop was also compromised by hackers, who stole information from more than 20 million accounts. The company said the breach included the e-mail addresses of about 18.6 million people.

Kait Baumgartner is one of Timehop's users, and the security of her personal information took on new urgency following 13 Investigates' experiment.

App tells WTHR it will fix mistake


WTHR's privacy test showed Timehop sent Baumgartner's e-mail address to one of its app trackers – not once, but 242 times. Informed of the findings, the company admitted the transfer of her e-mail was unnecessary and a mistake.

Timehop chief operating officer Rick Webb told 13 Investigates the company thought it had taken steps in mid-June to stop sending all of its users' e-mail addresses to Embrace, a third-party company that improves the speed and reliability of apps.

"[We] realized it wasn't needed and removed it… We only use Embrace for analytics and debugging, and do not use it for any personal data use," Webb said, adding that Timehop also instructed its vendor to ignore and delete any of the user e-mails it received.

But weeks after the company believed it had successfully curtailed the sharing of user e-mails, Jackson discovered Timehop was still sending Baumgartner's e-mail address to Embrace dozens of times each day.

"You never want to collect personal information that's not needed," Jackson said. "That's just asking for trouble."

Timehop's privacy policy warns users "While Timehop uses commercially reasonable means to secure your information, we do not guarantee that your personal information will not be improperly accessed, disclosed, or destroyed by breach of any of our safeguards."

Late last week, Timehop chief technology officer Dmitry Trytel told 13 Investigates he had figured out the source of the problem identified by 13 Investigates and is taking immediate action. In response to WTHR's inquiry, Timehop is now preparing to release updated versions of its app on both iOS and Android platforms that eliminate the e-mail error, and Trytel has again asked Embrace to delete all e-mail addresses previously shared by his company.

Transparency is important

Kait Baumgartner's phone was sharing her exact location to app trackers based in Boston, New York, San Francisco, London, Dublin and Singapore. (WTHR Photo)

Most of the companies that discussed their apps with WTHR defended their use of app trackers as beneficial not just to their bottom line, but also to their users.

"We work with advertisers and that helps allow us to provide our service for free," said Sara Gorman, a spokeswoman for The Weather Channel. "We are transparent about how we use data, and we clearly provide this information in the privacy settings, privacy policy, and opt-in notices within The Weather Channel app and"

The communications director for told WTHR the company uses an app tracker "to consolidate information so we can build and promote products that help home buyers and sellers make informed decisions." Communications director Lexie Puckett Holbert added that user information is not sold to third parties, and that the app's privacy policy "clearly states how user information is collected and shared."

GasBuddy recently re-designed its privacy policy to be very user-friendly. Director of marketing and communications Allison Mac said the GasBuddy app frequently collects location data from its users to accomplish several goals: help them save money on fuel by finding nearby gas stations with low prices, quickly navigate them to those locations, provide push notifications to alert motorists of price hikes in specific areas, notify users of local promotions, and enhance their advertising experiences. (During WTHR's test, the majority of app tracking requests generated from the GasBuddy app came from advertising-related trackers such as DoubleClick, 2mdn and other Google ad servers; Cuebiq; and the Amazon Ad network.)


Jackson says most companies rely on third-party vendors to operate and optimize their apps, and they often do not fully understand just how many app trackers are running in the background, quietly collecting and transmitting their customers' private information.

"The real culprit tends to be the app developers and how they create the apps," he said. "Many times, they do not fully disclose what they're doing with user data."

During 13 Investigates' test, WTHR discovered its own app developer had been collecting location data from viewers and sharing it with ad networks. (The same developer currently operates many media websites for TV stations and newspapers across the nation.) WTHR immediately alerted the vendor, which updated its privacy policy to improve transparency and make the policy clearer. WTHR is now evaluating its relationship with all of its vendors and taking extra precautions to make sure viewers' data is safe.

How to stop app trackers

The best way to protect yourself against apps sharing your personal information with trackers is to limit your data from being collected in the first place, according to Jackson.

"Once it leaves your phone, there's really no way to get it back," he said.

Jackson offers the following steps you can take right now to minimize the amount of personal information that app trackers can obtain about you:

Audit all of the apps on your phone. Regularly review your apps and erase those that you no longer need. Leaving unused apps on your phone is not a good idea. Even when they are not being used, they can still send out personal information about you.

Turn off your phone's "ad tracking." It just takes a moment if you know where to go. This won't stop all apps from handing over personal information to app trackers, but Jackson says "It adds a speedbump to make it harder for companies to track you." Here's how to do it:

If you have an iPhone, go to your phone's "Settings" then scroll down to "Privacy." At the bottom of the Privacy section, tap on "Advertising" and then slide the "Limit Ad Tracking" switch to ON. While you are there, click on the "Reset Advertising Identifier" to reset the unique ID number that your phone assigns to you so that advertisers can better track your habits.

If you have an Android phone, open your "Settings" app, and then locate and tap "Google." Next, select "Ads" and turn ON "Opt out of Ads Personalization."

Rename your phone. This is a step you'll want to take if, during set-up, you named your phone after yourself (e.g., John Smith's iPhone). Many app trackers get your phone's "name" with every data request they receive. If you named your phone after yourself – especially including both your first and last name – you are giving up personally-identifying information even when app trackers seek only general information such as the app you are using. Try using just initials or, if you want to have a little more fun, use an emoji as your phone name. Here's how to do it:

If you have an iPhone, go to "Settings" and then select "General" and "About." The first option will be "Name" and that is where you can rename your phone.

For an Android, open "Settings," then scroll down and tap "About Phone" at the bottom of the Settings menu. Tap on "Device Name," enter a new name and then tap "OK" or "Done."

Install an app tracker blocker. There are several available, including Disconnect's Privacy Pro Smart VPN, which offers both a free and upgraded version that detects and blocks many of the most common app trackers that impact users (available for iPhone only); Firefox Lightbeam, a free add-on that identifies and blocks third-party app trackers while using that browser; and AdBlock, another highly-rated app ad blocker that is free if you want it to be or, if you prefer to pay, that's OK too.

Review your phone's location tracking settings. You probably give your phone and at least some of your apps permission to track your location. If you haven't taken a look at those settings in a while, you're probably allowing some apps to track your every move that you don't want doing so. Take a few minutes to review those settings and limit the location tracking to those that truly make sense.

If you have an iPhone, go to "Settings" then "Privacy." The first item in the menu is "Location Services." Select that and determine if you want your phone's overall "Location Services" to be ON. While in that menu, you'll be able to check each individual app to determine if you prefer the app's location tracking setting to be set at Always, Never or While Using.

If you have an Android, reviewing and deactivating your location tracking settings is a little – or a lot – more complicated. Google doesn't really like you messing with those settings. Here's a link to a really thorough rundown on how to change these Android settings, courtesy of The Verge.

Disable "Background App Refresh." Your phone's apps stay up-to-date with the latest info because of a feature called Background App Refresh. It automatically refreshes news, sports scores and other time-sensitive information even when your apps are not actively being used and are simply hanging out in the background. It is the default setting for all Apple phones. But that cool feature also allows app trackers to download a lot more info from your phone, because some apps are set up to send out data every time they are refreshed – whether that happens automatically or manually. To limit this, you can always choose to disable that feature on your phone. Be forewarned, if you like having things up-to-date without having to manually refresh each app when you open it, disabling this feature might be more trouble than it's worth.

If you have an iPhone, go to "Settings" then "General." Once there, you'll see "Background App Refresh." You can then decide whether to select ON or OFF for all apps in your phone, or to make a selection one app at a time.

If you have an Android, select "Settings" followed by "Data Usage." Then choose "Mobile Data Usage" and select the app you are interested in from below the usage graph. Switch "Allow background data usage" to the OFF position. Repeat for any additional apps for which you'd like to disable background app refresh.

Opt out. Some apps offer users an option to opt out of certain types of tracking. You will have to read each app's privacy policy to see if that is an option and how to actually opt out.