AccuWeather responds to accusations they shared geolocation data without permission

Yesterday, from a post called “Screw you, AccuWeather”:

Popular weather app AccuWeather has been caught sending geolocation data to a third-party data monetization firm, even when the user has switched off location sharing.

And Jim’s followup:

How can you ever trust them again? You can’t.

Last night, AccuWeather released this statement:

Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user.

Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.

And

To avoid any further misinterpretation, while Reveal is updating its SDK, AccuWeather will be removing the Reveal SDK from its iOS app until it is fully compliant with appropriate requirements. Once reinstated, the end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing. In the meanwhile, AccuWeather had already disabled the SDK, pending removal of the SDK and then later reinstatement.

Read the rest of the statement here.

My gut says AccuWeather was caught by surprise here, rather than caught with their hand in the cookie jar. The way I read this, this is an issue with the Reveal SDK, not an intentional act of deception on the part of the AccuWeather app. Disagree?



  • NB

    I buy it. I feel like I have a good BS detector for things like this, and this seems too specific to be that. A good example of a lie is when Facebook was caught abusing audio APIs to stay open and they went “uhhh buhbuhbuhbuh it was a bUG!!!”

  • David Robeson

    “Accordingly, at no point was the data used by AccuWeather for any purpose.”

    I would ask: If they remove “by AccuWeather” will the statement still be true?

  • This is weird to me. I’d want to know about the weather where I am – the temp now, whether it will rain later, etc. – so AW using my location doesn’t seem unusual to me. That said, the shadiness of the whole thing is not cool. But I agree with Dave’s gut, they didn’t know this was happening in their app. And they’re taking immediate steps to fix it so this should die down pretty quickly.

  • John Kordyback

    For better or worse, as a software product company they are responsible for the SDKs they use. Customers don’t care about the technical details, they care about their privacy being affected.

    If this is true, then I feel sorry for them. However they are going to have to put on their big kid pants and fully accept responsibility to have any hope of moving forward.

  • wince

    Disagree. They denied things they weren’t accused of and in doing so implicitly accused the original report of lying. Regardless of how they got here, they assumed exactly the wrong tone in their reply.

    “… no GPS coordinates are collected…” — no one said they were. The report was specifically about WiFi location information being sent even after opt-out.

    “… Wi-Fi network information that is not user information…” Uhh, no. Again, as described in the original report, it is user information, because, in many cases (and more and more cases, due to this information gathering) it communicates a user’s location almost as accurately as GPS. Whether you send my GPS coordinates or my WiFi information, you’re communicating where I am. That is user information. And the whole point of the SDK is to gather more and more Wi-Fi points, which enables them to pinpoint ever more accurately someone’s location without GPS coordinates.

    “…was unused by AccuWeather…” Again, no one said they were. The report said the information was being sent, by AccuWeather, to Reveal. Which it was.

    They were obviously “caught by surprise” here. Whether they were caught by surprise in doing something they didn’t think anyone would find out about, or whether they were caught by surprise by Reveal’s SDK doing something they didn’t know about is unclear. But judging from their response, which was combative and entirely unapologetic, I’m going with the former.

    • bmonkeyhammer

      Actually, a Mashable article (erroneously) said GPS was being transmitted. They have since added the AccuWeather joint statement to the article.

      • Cranky Observer

        Which is a neat way of dodging the original findings as reported by ZDNet, which showed the location in captured packets with the GPS turned off.


  • James Hughes

    I don’t like the tone of the explanation. An explanation which accuses people of misinformation and then explains that, basically, they have no idea what they are doing.

    • Mo

      Agreed. They said all the wrong things, after claiming they’d done nothing wrong, and then claiming they did nothing wrong knowingly.

      • James Hughes

        Plus, the more I think about it, how could they NOT have known something would be up? Reveal Mobile?? “Really? You mean Reveal Mobile was revealing things about mobile devices?” The name alone is HIGHLY suspect, if nothing else.

        To add to the salad analogies, it’s like making a salad and using an ingredient called “E-Coli” from a company called “Reveal Sickness” and being surprised when all your guests get sick. Sounds really fishy to me.

        Either way, I only ever used Accuweather on the internet, never on my iPhone. I’ve used the preinstalled The Weather Channel one, Dark Sky and less so the “actual” The Weather Channel app. The latter has too many in your face ads for me. It may be deleted soon.

        • Mo

          I just posted something you actually covered here an hour before in your first graf.

          Yeah, that salad analogy was poor to begin with, and the guy who came up with it sounds a little as though the idea of taking responsibility for almost anything is just an abstract concept. Hooray for baby neolibertarians!

  • Adam Bodnar

    While a company is responsible for any SDKs/code they use, I think one of the things that bugs me about this story and from what I’ve been able to tell, the researcher did not contact the company about this before disclosing it to the world.

    If this is an innocent mistake by Accuweather, why does a company deserve to have their name dragged through the mud for something like this? I think that’s why at least some researchers contact a company and give them some time to respond/fix before they make their discovery public.

    • Likely because it looked intentional.

    • Mo

      Because they handled it poorly. And “innocence” has nothing to do with this.

  • Brandon

    Whether or not AccuWeather knew this functionality was in the Reveal SDK is irrelevant. Ultimately, it is AccuWeather’s full responsibility to know what is in the product they are sending out to their customers.

    As others have pointed out, there is some odd verbiage in their response. It seems like they are beating around the bush on collecting and selling user information. I still don’t trust them.

    • StraightlineBoy

      I agree with this. Regardless of intent they should take more care of customer data. If I leave my house unlocked and get burgled then ultimately I screwed up whether I left the door open deliberately or not. The App Store isn’t short of alternative weather apps so you simply can’t make slip-ups like this.

    • Frank Malloy

      So if you make a salad with arugula that contains E-coli and you serve it up to a room full of guests who got sick, it’s your fault and the fact that you didn’t know there was E-coli in the arugula is irrelevant? And it is your responsibility to know what is in the salad you are making for your guests?

      I believe SDKs are pretty much black boxes, and you can’t possibly know every minute detail of what’s inside them. That’s why you buy and use them – so you don’t have to know what’s in them.

      • Cranky Observer

        The question of liability you will have to discuss with a lawyer, but I can observe that if you serve that arugula without following local health department and FDA guidelines you are in a world of trouble.

        A systems developer building an app intended to be used by millions, using a tool from a company which promises on its web site to correlate geographic data, should be using Wireshark and similar tools (as the security researcher did) to verify exactly what it is/is not sending, yes.

      • Mo

        This is more like making a salad with mushrooms you found growing in a public park, without having done any due diligence about whether they were safe to eat.

        Nice try, though.

        • Frank Malloy

          So the SDK is an analogy to finding wild mushrooms? Was it created by hackers? Commonly available software used by many. More like store bought mushrooms wouldn’t you say?

          Nice try though.

          • Mo

            No. Not caring what went into the salad you fed people, or not having bothered to find out what you fed them is the analogy for hiring a company like Reveal Mobile.

            I’ll put it more simply. Accuweather either didn’t do their homework before hiring a vendor of this kind, or didn’t care enough about user privacy to have done their homework first.

            Your salad analogy is a weasel’s evasion of taking blame for bad decisions.

  • Herding_sheep

    That’s like doing business with the mafia and acting “surprised” when you found out they were murderers.

    I have no pity. Ultimately, they are responsible for their application and the SDKs they choose to incorporate into their app.

  • Honestly. … I deleted the app. I have other apps that perform the same duties, and I just do not want to be bothered.

  • I believe them. But it’s clear they didn’t search through what the frameworks they threw into their app were doing, which is nearly as bad if from an entirely different angle.

  • Cranky Observer

    Typical corpro-speak and blameshifting. I imagine Reveal Mobile has “updated” its web site in the last 12 hours, but as of last night their product description openly stated that they would geolocate product, I mean web site users, for their customers. It would of course all be anonymized I’m sure – in the same way the Census income data from Bill Gates’ census tract is anonymized.

  • Mo

    I don’t much care about the distinction here.

    If Accuweather knew what Reveal was revealing and lied about it, they’re mendacious turds.

    If they hired a company like Reveal without having done research and diligence on the services being provided, they’re irresponsibly incompetent fools.

    Either way, they deserve to be publicly called out for this.