Low pressure over your personal data: Météo France leaks your geolocation

The public establishment allows Madvertise to track you, including when you say no

Published by Pixel de Tracking on July 10, 2020

Météo-France flouts your choices and leaks your geolocation

If you want reliable weather forecasts, Météo-France is an excellent choice. The weather data used by the Apple Weather app on the iPhone (the default application) comes from The Weather Channel, an American company acquired by IBM in early 2016, and its forecasts for France are unfortunately not very reliable. Since Météo-France is a public administrative establishment, I expected not to be tracked on its iPhone application. I nevertheless wanted to verify this by following this procedure:

On first launch, Météo-France asks to use your location:

[Screenshot: the location permission prompt]

It is hard to be suspicious: Météo-France needs your location to display the weather forecast for the city where you are (otherwise, you have to enter the city manually). I therefore authorize Météo-France to use my location, and I am then shown the privacy policy:

[Screenshot: the privacy policy screen]

Météo-France clearly asks for access to geolocation data, including longitude and latitude, for advertising purposes, and indicates that if you click on "I refuse everything", your data will not be collected. Let's scroll through the screen to check the different purposes and click on "I refuse everything":

[Screenshots: consent screens 1 and 2]

As you can see from the screenshots, the approach is sound: the different purposes are all unchecked by default (an "opt-in" system). I still check the data sent by stopping the recording of my Charles Proxy session and sending the logs to my computer for analysis:

[Screenshot: Charles Proxy session recorded at launch]

Surprise! I have not yet browsed the app, and have merely refused advertising tracking by Météo-France's partners, but I am already being tracked by numerous companies:

  • Facebook: Météo-France calls Facebook Audience Network, Facebook's advertising monetization solution for apps. This solution is particularly demanding when it comes to collecting your data, with no clear explanation for why Facebook gathers so much information: Facebook retrieves, for example, the total and free memory of your iPhone (in bytes), your battery level, whether your battery is charging, and your accelerometer settings.
  • Google: Météo-France calls Firebase, Google's toolbox for developers, which allows it to customize its application without an update. Météo-France also calls Google AdMob, Google's advertising monetization solution for applications.
  • Smart AdServer: French advertising monetization solution used by Météo-France.
  • Madvertise: via mng-ads.com, another French advertising monetization solution. Madvertise is Météo-France's exclusive ad sales house. Madvertise is therefore co-responsible (with Météo-France) for the advertising calls to Google and Smart AdServer. If we look at the details of the data sent to mobile.mng-ads.com (reminder: I refused any collection of personal data, and I did not click on any screen), we see 7 requests leaking my GPS coordinates (longitude, latitude), making it possible to know my home precisely.
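
One way to reproduce this check on an exported proxy session, as an added example that is not from the original article: the script scans a HAR export for requests to third-party hosts that contain the tester's known position, whatever the parameter is called. The test coordinates, the parameter names and the `.example` hosts are constructed; only `mobile.mng-ads.com` comes from the text above.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Decimal numbers with at least 3 fractional digits (coordinate-like values).
NUMBER = re.compile(r"(?<![\d.])-?\d{1,3}\.\d{3,}")

def contains_position(text, lat, lon, tolerance=0.01):
    """True if text holds values within `tolerance` degrees of both lat and lon."""
    values = [float(m) for m in NUMBER.findall(unquote(text))]
    return (any(abs(v - lat) <= tolerance for v in values)
            and any(abs(v - lon) <= tolerance for v in values))

def find_geo_leaks(har, lat, lon, first_party=()):
    """Count, per third-party host, the requests that carry the device position."""
    leaks = Counter()
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if any(host == d or host.endswith("." + d) for d in first_party):
            continue  # the app's own backend needs the position for forecasts
        body = (req.get("postData") or {}).get("text", "")
        if contains_position(req["url"] + " " + body, lat, lon):
            leaks[host] += 1
    return leaks

# Constructed sample: test position, parameter names and the .example hosts are
# invented; only the host mobile.mng-ads.com is taken from the article.
TEST_LAT, TEST_LON = 48.8566, 2.3522
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET",
                 "url": "https://mobile.mng-ads.com/?lat=48.85661&lon=2.35222"}},
    {"request": {"method": "POST", "url": "https://mobile.mng-ads.com/",
                 "postData": {"mimeType": "application/json",
                              "text": '{"geo":{"latitude":48.8566,"longitude":2.3522}}'}}},
    {"request": {"method": "GET",
                 "url": "https://api.first-party.example/forecast?lat=48.8566&lon=2.3522"}},
    {"request": {"method": "GET",
                 "url": "https://ads.third-party.example/imp?v=1.2345&w=320.000"}},
]}}

if __name__ == "__main__":
    for host, n in find_geo_leaks(SAMPLE_HAR, TEST_LAT, TEST_LON,
                                  first_party=("first-party.example",)).items():
        print(f"{host}: {n} request(s) containing the device position")
```

Matching on the known position rather than on parameter names also catches coordinates sent in JSON bodies or under unexpected keys; a tolerance of 0.01 degrees is roughly one kilometre of latitude.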

Madvertise, Météo-France's exclusive ad sales house, therefore appropriates your geolocation. Yet I clearly refused any collection of personal data. So who is this service provider that let me “choose” whether partners could collect my personal data? It is Madvertise again (!) via the domain cmp.madvertise.mgr.consensu.org. Let's recap:

  • Météo-France, via Madvertise's Consent Management Platform (CMP), asks the user for their consent for the collection of personal data by partners (of which Madvertise is one).
  • I refuse any collection of personal data.
  • Madvertise ignores my choice and collects particularly sensitive personal data: my geolocation.

I continue browsing, surveillance intensifies

What happens when I browse the Météo-France application? To see whether the application stops leaking my personal data, I launch a new analysis via Charles Proxy and browse the application for 2 minutes:

[Screenshot: Charles Proxy session while browsing]

We can see that, in addition to the previous trackers, which are still very much present, new trackers appear:

  • Integral Ad Science: via adsafeprotected.com, this company specializes in visibility measurement (is the delivered ad visible on screen or hidden?), fraud detection (is the ad shown to a human or a bot?) and "brand safety" (is the site on which the ad appears aligned with the brand? typically, brands rarely appreciate streaming sites).
  • AppNexus: via adnxs.com, acquired by the American telecoms giant AT&T in 2018, this company offers an advertising monetization platform as well as an advertising space purchasing platform.
  • Index Exchange: via casalemedia.com, advertising monetization platform.
  • MobSuccess: an advertising space purchasing platform (DSP) specializing in apps.
  • Teads: an ad network specializing in the InRead format (autoplay advertising videos that appear in the middle of articles), acquired by Altice (notably owner of SFR) in 2017.
  • OpenX: another advertising monetization platform.

We can also see that Météo-France continuously leaks your geolocation to Madvertise. I cropped the screenshot, but there were twice as many requests in just 2 minutes of browsing (and each request contains my longitude and latitude):

[Screenshot: requests sent to Madvertise]

One last point: if you continue to use Météo-France by relaunching the application (or if you reinstall it, as I did for these tests), it asks to use your location even when you are not using the app (!)

[Screenshot: the background location permission prompt]

Note that the reason given by Météo-France is the same as when the app is active: directly accessing the forecast for the city where you are and letting you share your observations. In short, there is no benefit for the user, but an authorization that allows Madvertise to become the perfect spy by tracking you even when you do not launch Météo-France.

While waiting for better iOS-side protection, protect yourself

Seeing a public establishment as reputable as Météo-France violate the law and allow a tracker to follow you continuously is particularly shocking. While the CNIL unfortunately remains powerless in the face of these repeated GDPR violations, you still have options:

  • Prefer the Weather application offered by Apple on iOS (even if it is less reliable) or browse the Météo-France website with a content blocker.
  • Use an app that blocks trackers to be better protected against surveillance in apps such as Météo-France: DNSCloak, AdGuard or NextDNS on iOS.

And very soon, you will be better protected thanks to iOS 14, an update that will allow you to give selected applications only an approximate location (within a 25 km² area), which is sufficient for applications such as weather apps.

[Screenshot: approximate location in iOS 14]