
Privacy review and violations

NoNameNamer ✭✭✭✭
edited February 2022 in The Bridge
  • Platform: iOS
  • Region: Europe, under the territorial scope of GDPR
  • Personalized ads consent: not given, not in the game, not in iOS settings
  • Login: email + password

In the conditions above, my personal data is being shared with ad providers as soon as the game launches. It ranges from unique tracking IDs to pure fingerprinting information and even my IP address. I will list ad providers and link to pastebins of unencrypted HTTPS traffic that includes URLs, request headers and payloads, response headers and payloads. In some cases, payloads are base64 encodings for which I have provided the decoded data. In other cases, an extra encryption layer prevents me from seeing what is being shared (I cannot imagine a scenario in which this encryption is necessary if not to hide privacy violations). These pastebins only serve to provide proof; I will not provide an exhaustive list of pinged URLs or the entire traffic. In most cases, I had to redact personal information and replace it with <removed> tags (including cookies, IP, ISP, country, city, zip code, geographical coordinates, mobile carrier, timezone, language, while various persistent or session IDs are only partially <removed> so that we can see how they are shared across the board). Other fingerprinting info is left intact as it is only useful to them.

  1. Facebook - On launch, without connecting to Facebook, the game shares some data with Facebook via 2 endpoints. The IP is not shared as far as I can tell (there is a fairly large encoded payload in one of the headers which I cannot read), but sufficient data is given to allow identification. An immediate red flag is sharing my available disk space among other things, which, like battery status, is a well known piece of information used in fingerprinting with major success. After these 2 payloads are sent, Facebook replies with the result of my identification, which, among other data, includes my IP.

    Here are the 2 requests and responses:
    POST https://web.facebook.com/adnw_logging/
    POST https://web.facebook.com/adnw_sync2/

  2. Isprog.com is given screen width, height, model, country, version numbers, various IDs and the IP address

    GET https://wins.isprog.com/lb (new lines are added after each URL parameter for readability)

  3. AdColony - everything about the screen, everything about the device, country, carrier country, platform, language, timezone, time, locale, version numbers, various IDs including one that is being shared with multiple providers, battery level + encrypted payloads. The result is that AdColony eventually responds with details about me such as: country, region/city, zip code, IP, ISP, etc.
    One of these responses also includes a list of available endpoints, and one of them is meant for reporting in-app purchases. I have not made a purchase to see if purchase info is sent anywhere.

    POST https://adc3-launch.adcolony.com/v4/launch
    POST https://events3alt.adcolony.com/t/5.0/session_start - encrypted payload
    POST https://events3alt.adcolony.com/t/5.0/session_end
    POST https://iosads4-6.adcolony.com/configure - IP response at the end
    POST https://wd.adcolony.com/logs - more of this sensitive info is sent to this /logs endpoint, I guess for logging?

  4. IronSrc - IronSource itself logs some info related to the device and platform, including a device ID hash and "application user ID" that's shared with some of the other ad providers.

    GET https://logs.ironsrc.mobi/logs - decoded payload

  5. Supersonicads - now owned by IronSource, much of the communication is further encrypted and unreadable. Small parts of the payload are redacted in case anyone happens to decode/decompress/decrypt them, but do let me know if you have thoughts on this - it's possible some of them are actual ads, precached on the client. Various IDs, keys and country code are readable in the URL parameter list in some requests, but most info is shared in that last request below, which includes: tracking IDs, city, country, carrier, ISP, language, device info, screen info, free disk space, small encoded payload, etc.

    GET https://init.supersonicads.com/sdk/v7.1.10
    POST https://outcome-ssp.supersonicads.com/mediation
    POST https://pm-gateway.supersonicads.com/auction
    GET https://outcome-cdn.supersonicads.com/rewarded-video/iab-notification/win/<id> - tracking info here
    GET https://networksdk.ssacdn.com/mobileSDKController/mobileController.html - an HTML page being fetched which includes a script that does something, possibly gets executed when ads are run - I did not dig through it.

  6. Swrve - user ID, session token, unique device ID, device info, screen info, timezone, country, city, a so called "iOS token", some version numbers, and OS install date (how many in your town installed the exact same iOS on the exact same iPhone model at the exact same second?)

    POST https://30819.api.swrve.com/1/batch
    GET https://30819.content.swrve.com/api/1/user_resources_and_campaigns

  7. Doubleclick / Google - everything about device and screen, version numbers, many different IDs with no indication of what they mean, and a couple of encoded payloads. Aside from that last thing, this looks really clean relatively speaking (no language, timezone, country, locale, carrier, etc.)
    GET https://googleads.g.doubleclick.net/getconfig/pubsetting
    GET https://googleads.g.doubleclick.net/mads/gma - most data shared here

  8. AppsFlyer - an app id that is also shared with Supersonicads and Isprog, but the bulk of the information is encrypted. This endpoint is pinged just about every other action taken in the game.
    POST https://launches.appsflyer.com/api/v6.2/iosevent


I have decided to share this information because this looks unacceptable to me. I do not know what WRG's privacy review entailed the last time the disreputable IronSource was a hot topic, but my findings directly contradict what we have been told before, and we clearly haven't been told everything.

From WRG:
[image: screenshot of a WRG statement]
Also from WRG:
[image: screenshot of a second WRG statement]

PS: If I forgot to redact some personal info, please let me know in a DM.
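The cross-referencing the post does by hand (which identifiers turn up at which third-party hosts, including inside base64-encoded fields) can be scripted over a proxy export. The block below is an added example and is not code from the original post or from any of the SDKs it names; the hosts and values in SAMPLE_CAPTURE are constructed and hypothetical, and the regexes are heuristics (any UUID-shaped string is treated as a device or user ID, whether or not it is an IDFA). Payloads with an additional encryption layer stay opaque to it, exactly as the post describes for some of the SDKs.

```python
"""Find device/user identifiers in captured app traffic and list which hosts receive them.

Added example, not code from the original post or from any SDK it names. The
input is a constructed capture in the shape a proxy export gives (url, headers,
body); all hosts and values below are hypothetical.
"""
import base64
import binascii
import json
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Heuristic patterns: UUID-shaped device/user IDs, IPv4 addresses, lat/lon pairs.
UUID_RE = re.compile(r"\b[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\b")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
GEO_RE = re.compile(r"(?<![\d.-])-?\d{1,3}\.\d{3,}\s*,\s*-?\d{1,3}\.\d{3,}(?![\d.])")


def try_base64_text(value):
    """Return the decoded text if value is base64 of readable UTF-8, else None.

    Binary output (e.g. a further-encrypted payload) also yields None: nothing readable.
    """
    if not isinstance(value, str) or len(value) < 8:
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None


def readable_chunks(req):
    """Yield (location, text) for every readable part of a request, decoding base64 where it appears."""
    url = urlsplit(req["url"])
    yield "query", url.query
    for key, val in parse_qsl(url.query):
        dec = try_base64_text(val)
        if dec is not None:
            yield f"query:{key}(base64)", dec
    for key, val in req.get("headers", {}).items():
        yield f"header:{key}", val
        dec = try_base64_text(val)
        if dec is not None:
            yield f"header:{key}(base64)", dec
    body = req.get("body", "")
    yield "body", body
    dec = try_base64_text(body)
    if dec is not None:
        yield "body(base64)", dec
    try:  # JSON bodies often carry base64 fields one level down
        obj = json.loads(body)
    except ValueError:
        obj = None
    if isinstance(obj, dict):
        for key, val in obj.items():
            dec = try_base64_text(val)
            if dec is not None:
                yield f"body:{key}(base64)", dec


def extract_identifiers(text):
    """Return a set of (kind, value) identifiers found in text."""
    found = set()
    found.update(("uuid", m.lower()) for m in UUID_RE.findall(text))
    found.update(("ip", m) for m in IPV4_RE.findall(text))
    found.update(("geo", re.sub(r"\s+", "", m)) for m in GEO_RE.findall(text))
    return found


def map_identifiers(capture):
    """Return {(kind, value): {host, ...}} over the whole capture."""
    seen = defaultdict(set)
    for req in capture:
        host = urlsplit(req["url"]).hostname
        for _where, text in readable_chunks(req):
            for ident in extract_identifiers(text):
                seen[ident].add(host)
    return dict(seen)


def shared_across_hosts(capture):
    """Identifiers that reach more than one host, i.e. usable to link profiles across providers."""
    return {ident: sorted(hosts) for ident, hosts in map_identifiers(capture).items() if len(hosts) > 1}


# Constructed sample capture with hypothetical hosts and values (not real traffic).
DEVICE_ID = "3f2a1b4c-9d8e-4f70-a1b2-c3d4e5f60718"
APP_USER_ID = "7b0c9e12-3a4d-4e5f-8a9b-0c1d2e3f4a5b"


def _b64(text):
    return base64.b64encode(text.encode()).decode()


SAMPLE_CAPTURE = [
    {"url": f"https://launch.adnet-a.example/v4/launch?idfa={DEVICE_ID}&app_user_id={APP_USER_ID}",
     "headers": {"User-Agent": "Game/1.2 iOS/15.1"}, "body": "{}"},
    {"url": "https://logs.adnet-b.example/logs",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"payload": _b64(json.dumps({"auid": APP_USER_ID, "free_disk_gb": 37.2}))})},
    {"url": "https://init.adnet-c.example/sdk",
     "headers": {"X-Device": _b64(f"idfa={DEVICE_ID}")},
     "body": "ip=203.0.113.42&loc=51.5074,-0.1278"},
    {"url": "https://cdn.assets.example/bundle.js", "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for ident, hosts in sorted(map_identifiers(SAMPLE_CAPTURE).items()):
        print(f"{ident[0]:5} {ident[1]:40} -> {', '.join(sorted(hosts))}")
```

On the constructed capture, the device UUID reaches two hosts (once in the clear in a query string, once inside a base64 header) and the app user ID reaches two (query string and a base64 field nested in a JSON body), which is the kind of cross-provider linkage the post calls out; the IP and coordinates are only seen at one host. Swap SAMPLE_CAPTURE for a real proxy export (one dict per request) to run it on your own traffic.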

Comments

  • Peets ✭✭✭✭
    I actually prefer they know all that stuff.
    That way I get good ads instead of boring ones.

    As long as my bank account and money related stuff is blocked, it's ok for me.
    So what if they know my region, my height, my age.

    If people really wanted privacy then facebook, instagram, tiktok, etc would have failed.
  • (HGH)Apollo ✭✭✭✭✭
    edited December 2021
    Not seeing much issue here either. Everything we do online creates information that is collected and sold to one degree or another. At least with Ironsource I get something back, dilithium for the game and fun. I was not happy when all the complaints about Ironsource before got rid of the offer wall on iOS so I am less willing to get on board with another Ironsource attack. I was glad I was able to still use android to get offers and dilithium. Others I know were not and missed out. Offer wall dilithium got me Fencing Picard and Admiral Jameson which I was very happy to get. Do you have more proof WRG lied? Could you break it down a bit more?
    Let’s fly!
  • Navarch ✭✭✭✭✭
    I suppose the only honest feedback I have is that if you believe the company is doing something unlawful: take it to the proper authorities and let them do their jobs.

  • Peets ✭✭✭✭
    edited December 2021
    Peets wrote: »
    I actually prefer they know all that stuff.
    That's absolutely not the point.

    It is required by law in many countries that the user is informed about what information of the user is given to whom. And it is additionally required in most of these countries, that the user has to be asked for consent before using the user's data.

    I received that message the first time I launched the game.

    Edit: For the original poster. He did not mention this.
    But did he click the "do not sell my personal information" button?

    Edit 2: Did someone actually read the privacy policy? Check topic 6.
  • Navarch ✭✭✭✭✭
    Quick question for Shan and others at WRG: is this something you’re looking into?
  • Peets ✭✭✭✭
    I remembered correctly that it was asked :)
  • Katla ✭✭✭
    edited December 2021
    Well, this is awkward.
  • Peets ✭✭✭✭
    The consent is for the ads not the privacy policy.
    You do that when you install the game.
    Also did nobody actually read the privacy policy?
  • Kanon ✭✭✭✭✭
    Consent to personalized ads is not consent to share everything/anything. Consent was given to a partial/small/required set of personal information, needed for personalized ads, but NNN's logs are far beyond that.
  • Question for those who are more informed on this subject:

    Does my adblocker program on my iPad help avoid the collection of data that NoNameNamer identified?
  • Question for those who are more informed on this subject:

    Does my adblocker program on my iPad help avoid the collection of data that NoNameNamer identified?

    I would highly doubt it - as I believe the OP states that the data is shared on launch (i.e. during the initialisation phase of the game)
  • SSR Barkley ✭✭✭✭✭
    edited December 2021
    judging by the fact that this is only on page 1, most of the avid base of players that actually ever read the forums have already quit and dgaf anymore. (that's saying more about WRG and the game itself than anything)
    /SSR/ Barkley - semi retired
    Second Star to the Right - Join Today!
  • AviTrek ✭✭✭✭✭
    judging by the fact that this is only on page 1, most of the avid base of players that actually ever read the forums have already quit and dgaf anymore. (that's saying more about WRG and the game itself than anything)

    Or most of the players realize this is par for the course for mobile applications these days. Especially when as Shan pointed out we agreed to it by downloading the game.
  • Shan ✭✭✭✭✭
    Not consenting to personalized ads does not mean not consenting to any data being used to present you with non personalized ads.

    That being said I will take a deeper look at some of the points presented and consult with our privacy team.

  • ~peregrine~ ✭✭✭✭✭
    Shan wrote: »
    Not consenting to personalized ads does not mean not consenting to any data being used to present you with non personalized ads.

    That being said I will take a deeper look at some of the points presented and consult with our privacy team.

    Presumably, then, if I were to install your app on a platform that does not present ads at all (e.g. Windows, etc.), then your app would not collect such data as the OP outlined. Do I have that right?

    "In the short run, the game defines the players. But in the long run, it's us players who define the game." — Nicky Case, The Evolution of Trust
  • Peets ✭✭✭✭
    edited December 2021
    I have checked 3 other mobile games and they are doing the exact same thing. (checked their privacy policy)
    Then I did some digging on the web and it seems this is very common practice.
  • Peets ✭✭✭✭
    edited December 2021
    DCPilot wrote: »
    When you told your mother that other kids were also sticking gum under their desks, not just you, did that get you out of trouble?

    This has literally nothing to do with the issue which is a person giving you "wrong" information instead of actually reading the policy.

    Also, did you actually read what they said.
    "...we can confirm that we do not collect any personal information without legal basis such as consent,..."

    You gave consent when installing the game.
This discussion has been closed.