Amazon sued for allegedly slurping sensitive data via advertising SDK
- Reference: 1738225395
- News link: https://www.theregister.co.uk/2025/01/30/amazon_sued_for_snarfing_sensitive/
- Source link:
The lawsuit, filed in federal court in San Francisco, aspires to be certified as a class action. Brought on behalf of plaintiff Felix Kolotinsky, the [1]complaint [PDF] alleges Amazon and Amazon Advertising have been "surreptitiously tracking and selling California residents’ sensitive movements and locations."
The legal filing takes issue with the Amazon Ads SDK, a software library that the e-commerce giant provides to third-party app makers to serve ads, while also allegedly collecting user data.
[2]
Ad tech firms like Amazon, Google, Meta provide software development kits (SDKs) so that developers can monetize their apps without reinventing commonly used code patterns every time. The cost of this convenience is that the SDK maker, in addition to the app developer, may gain access to valuable data, a fact that's often buried in terms of service or not disclosed at all.
[3]
[4]
"The data that Amazon collects from unsuspecting consumers is incredibly sensitive," the complaint asserts. "Amazon collects timestamped geolocation data that reveals where a consumer lives and works, and which locations they frequent.
"The collected location data reveals sensitive information about each consumer, such as their religious affiliation, sexual orientation, and medical conditions. This enormous volume of data enables Amazon and its advertising partners to build a comprehensive profile about each consumer, including their movements and whereabouts."
[5]
Concerns about data gathering through SDKs implemented by third-parties go back years, a testament to weak US state and federal privacy laws. Last year, however, the US Federal Trade Commission took action against data broker Mobilewalla and analytics firm Gravy Analytics over similar data privacy concerns.
In its discussion of the matter, the FTC [6]echoed the claim made in the Amazon lawsuit that geolocation data shared to target advertisements "can reveal visits to healthcare facilities, churches, labor unions, military installations, and other sensitive locations."
[7]GM parks claims that driver location data was given to insurers, pushing up premiums
[8]Allstate accused of quietly paying app makers for driver data
[9]Bitwarden's FOSS halo slips as new SDK requirement locks down freedoms
[10]Twilio's Segment SDK challenged with wiretapping claim
More recently, the Attorney General of Texas [11]accused insurance firm Allstate Corporation and its mobile analytics subsidiary Arity of gathering similarly sensitive data without consent via the Arity SDK. Allstate insists that its activities comply with the law.
With regard to Amazon, the complaint contends that the data collection occurred through various third-party apps that implement the Amazon Ads SDK, including NewsBreak and Speedtest by Ookla.
"The problem with the Amazon Ads SDK is that consumers do not know that by interacting with an app which has embedded the SDK that their sensitive data is being surreptitiously siphoned off by an unknown third party," the complaint says.
[12]
"Consumers are never informed about Amazon’s SDK nor are they allowed to opt-in or opt-out of Amazon’s data collection practices—if they even know what the Amazon Ads SDK is, let alone that it is embedded in the apps they are using. Amazon’s unauthorized data collection was neither incidental nor accidental, but designed to covertly siphon sensitive data from consumers’ mobile devices."
Amazon did not immediately respond to a request for comment.
The complaint makes claims under California Penal Code § 638.51, which prohibits the use of a "pen register" for covert recording or wiretapping, and the state's Comprehensive Computer Data Access and Fraud Act (CDAFA).
California courts have [13]reached different conclusions about the applicability of the wiretapping law to SDK-based data collection. And similar privacy claims, such as [14]a lawsuit filed last year against Twilio over SDK-based data collection that cites the CDAFA, remain unresolved. ®
Get our [15]Tech Resources
[1] https://storage.courtlistener.com/recap/gov.uscourts.cand.443429/gov.uscourts.cand.443429.1.0.pdf
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/personaltech&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z5tb0x54Ytz0ztFCF7UJ7AAAAAs&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/personaltech&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z5tb0x54Ytz0ztFCF7UJ7AAAAAs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/personaltech&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z5tb0x54Ytz0ztFCF7UJ7AAAAAs&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/personaltech&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z5tb0x54Ytz0ztFCF7UJ7AAAAAs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2024/12/unpacking-real-time-bidding-through-ftcs-case-mobilewalla?mkt_tok=MTM4LUVaTS0wNDIAAAGXMdI851a-ZO2WG_qiBt6gDDd433m2CA-v6cDNN6JuhgjgC_XCQ8A3VKjqmPcovHOkCeRUMJnIRg0qWydMeu92_MccBilW7XeHzTDdcITJHMjG
[7] https://www.theregister.com/2025/01/17/gm_settles_ftc_charges/
[8] https://www.theregister.com/2025/01/14/allstate_accused_of_paying_app/
[9] https://www.theregister.com/2024/10/24/bitwarden_foss_doubts/
[10] https://www.theregister.com/2024/08/09/twilio_privacy_lawsuit/
[11] https://www.theregister.com/2025/01/14/allstate_accused_of_paying_app/
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/personaltech&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z5tb0x54Ytz0ztFCF7UJ7AAAAAs&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[13] https://www.bytebacklaw.com/2024/04/privacy-litigation-alert-two-california-decisions-weigh-in-on-pen-registry-and-tap-and-trace-tech-claims-but-reach-different-results/
[14] https://www.theregister.com/2024/08/09/twilio_privacy_lawsuit/
[15] https://whitepapers.theregister.com/
Re: You can complain all you want...
I can mostly agree with you but I think that people do care. I've had many conversations with 'normal' people (of the type who glaze over if you mention the dread word 'settings') and they have an anecdote about having a conversation IRL with a friend and then seeing adverts online which indicate that the conversation was eavesdropped by their phone. People find things like this creepy and intrusive. They don't know how to stop it. They think it is an unavoidable part of modern life and you would have to become a hermit to avoid it. They are not too far off the mark. I think people just want governments to sort it out for them, preferably without any effort on their part. Not sure I can blame them.
And this is why
when a site says "Install our wonderful app for more discounts", I never, ever, install their app.
It seems that the only reason any company makes these apps is to steal information about their customer that they can't easily steal via a web browser.
Re: And this is why
Faeces book is pushing its App very hard to me at the moment.
I wish I didn't have to use Faeces book at all (some family will not communicate other ways!), and I'm certainly not going to load an App and give it any more of my details than it already has! (Yes, I do regularly clean the data Faeces book claims it has on me.)
You can complain all you want...
But most people will always choose convenience over privacy.
And most people don't seem to care about their own or other people's privacy anyway.
As long as they get what they want for free...
All you can do is take care of your own.