A report from ZDNet revealed the popular weather app AccuWeather has been collecting geolocation data from its users and selling it to third-party advertising firms—even when location sharing is turned off.

Security researcher Will Strafach first discovered the undisclosed practice of data tracking done by AccuWeather. ZDNet reported it was able to independently verify the researcher’s methods and confirm AccuWeather does in fact collect and share its users’ location information.

Strafach was able to intercept the traffic from the iPhone version of AccuWeather that was being sent to a third-party server. What he found the app transmitting included the name of the Wi-Fi router the iPhone was connected to and the unique MAC address associated with the router.

That data was being transmitted to servers owned by Reveal Mobile, a data monetization firm. That information, which could be used with other publicly available information to pinpoint a user’s exact location, was shared even when the location sharing setting for AccuWeather was switched off.

When location data is enabled, AccuWeather shares incredibly detailed information including the exact latitudinal and longitudinal coordinates, altitude and speed of travel. All of that is also sent to Reveal Mobile, albeit with permission.

According to its website, Reveal Mobile "turns the location data coming out of those apps into meaningful audience data" for advertisers. The firm claims when it receives information like MAC addresses and Wi-Fi data, it doesn’t use it for location purposes. Reveal Mobile also told ZDNet its data was anonymized so as to make it difficult to link to a specific user.

AccuWeather claims that its relationship with Reveal Mobile is new and none of the information the app has recorded and shared with the firm has been made usable yet, though that likely provides little comfort for those who have had information shared without their permission.

AccuWeather’s privacy policy notes that the company and its partners may use geolocation tracking technologies, but makes no mention of using it for advertising purposes. It’s unsurprising an app that displays the local weather would need to know where a person is located, but users have no reasonable expectation that information would be used in advertising—especially when they specifically choose not to share that information.

Apple doesn’t broadcast how many downloads apps receive on iOS, but AccuWeather is undoubtedly one of the most popular weather apps on the platform. It has received more than 160,000 reviews and has a four-star rating. For reference, AccuWeather for Android has received between 50 and 100 million downloads.

An app with such a huge user base potentially deceiving its users and using their data in a way that is not disclosed could catch the eye of regulators like the Federal Trade Commission, which has taken issue with similar violations in the past.

A 2013 case brought by the FTC against a popular flashlight app on Android claimed the app “deceived consumers by presenting them with an option to not share their information, even though it was shared automatically rendering the option meaningless.”

In response to coverage of the apparent unauthorized data sharing, AccuWeather and Reveal Media issued the following joint statement:

Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user.

Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather.  In fact, AccuWeather was unaware the data was available to it.  Accordingly, at no point was the data used by AccuWeather for any purpose.

AccuWeather and Reveal Mobile are committed to following the standards and best practices of the industry. We also recognize this is a quickly evolving field and what is best practice one day may change the next.  Accordingly, we work to update our practices regularly.

To avoid any further misinterpretation, Reveal is updating its SDK and pushing out new versions of the SDK in the next 24 hours, with the iOS update going live tonight. The end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing.  In the meanwhile, AccuWeather had already disabled the SDK, pending that update.

Reveal has stated that the SDK could be misconstrued, and they assure that no reverse engineering of locations was ever conducted by any information they gathered, nor was that the intent.

AccuWeather will work with Reveal to restore the SDK when it has been amended and will continue to update its ULAs to be transparent and current with evolving standards. AccuWeather and Reveal continue to enhance methods for handling data and strive to provide superior, seamless, and secure user experiences.

We are grateful to have a supportive community that highlights areas where we can optimize and be more transparent.