Press “Accept” to let companies know every step you take

When you download a free app and accept their privacy statement, did you know that you may just have allowed data about your movement to be sold freely to anyone who’s willing to pay? EDRi's member Elektronisk Forpost Norge (EFN) shares more.

By Elektronisk Forpost Norge (EFN) (guest author) · October 20, 2021

Photo: Martin Gundersen, with permission from NRK

When you download a free app and accept their privacy statement, did you know that you may just have allowed data about your movement to be sold freely to anyone who’s willing to pay?

In an article by the Norwegian Broadcasting Corporation (NRK)1 in May 2020, it was revealed that data that tracked individuals could be freely bought from databrokers. The data is nominally pseudo anonymised by using a tracker ID instead of the actual identity of the person being tracked, but minimal effort is needed to figure out who the tracking data belongs to. eg. the location where you sleep and work is very easily discerned and from that, it is simple to find out the identity of an individual.

Danish TV22 followed up in July 2021 by acquiring data about 60,000 Danes and found among them 482,696 unique location points about the pensioner Otto Jensen amounting to on average one record every minute for the duration of the period they covered. The oblivious pensioner was unsurprisingly enough not happy about the revelation that his data was being sold and had some choice words to say about the situation.

Analysing the data received they could reveal that the tracker data collected by Huq Industries, is installed in at least

576 Android apps. They also revealed that most of the data was from Android users, with only 1.75% of the data coming from iPhone users. Following Danish TV2s revelation the Danish DPA opened an investigation3.

NRK4 is following up this month by analysing several apps using a code scanner, revealing that the tracker API used by Huq Industries could be found in 103 apps, a number that has increased to 148 by the time this article was written5

In their response to the Danish DPA6 Huq Industries revealed an example of how they acquire permission to process personal data. GDPR-experts Vebjørn Søndersrød and Jan Sandtrø, both concur that their collection of data appear to be in violation of the GDPR.

Google does not allow7 apps in their store to share information in this manner and confirmed to the NRK that they are reviewing the company.

CTO of Bouvet, Simen Sommerfeld has a crucial piece of advice, after being confronted with one of Huqs agreements. If you install an app and it requests to use location data, you should be very hesitant about accepting it. And if you allow it, be prepared that anyone could buy your data.


1https://www.nrk.no/norge/xl/avslort-av-mobilen-1.14911685

2https://nyheder.tv2.dk/samfund/2021-06-03-otto-jensen-blev-overvaaget-hvert-minut-af-sin-mobil

3https://nrkbeta.no/wp-content/uploads/2021/08/Huq_DanishDPA_response.pdf

4https://nrkbeta.no/2021/10/07/trykker-du-godta-kan-mobilbevegelsene-dine-legges-ut-for-salg/

5https://reports.exodus-privacy.eu.org/en/trackers/408/

6https://nrkbeta.no/wp-content/uploads/2021/08/Huq_DanishDPA_response.pdf

7https://support.google.com/googleplay/android-developer/answer/10144311