
Low pressure over your personal data: Météo France leaks your geolocation

The public establishment allows Madvertise to track you, including when you say no

Published by Pixel de Tracking on July 10, 2020

Météo-France flouts your choices and leaks your geolocation

If you want to access reliable weather forecasts, Météo-France is an excellent choice. The weather data used by the Apple Weather app on the iPhone (the default application) comes from The Weather Channel, an American company acquired by IBM in early 2016, and its forecasts for France are unfortunately not very reliable. Météo-France being a public administrative establishment, I expected not to be tracked on its iPhone application. However, I wanted to check this by following the procedure below:

At the first launch, Météo-France asks you to use your position:


It's hard to be wary: Météo-France needs your location to display the weather forecast for the city where you are (otherwise, you will have to enter the city manually). I therefore authorize Météo-France to use my location, and I am then presented with the confidentiality policy:


Météo-France clearly asks you for access to geolocation data, including longitude and latitude, for advertising purposes. Météo-France thus indicates that if you click on “I refuse everything”, your data will not be collected. Let's scroll through the screen to check the different purposes and click on "I refuse everything":


As you can see from the screen captures, the approach is sound: the different purposes are all unchecked by default ("opt-in" system). I still check the data sent by stopping the recording of my Charles Proxy session and sending the logs to my computer for analysis:


Surprise! I have not yet browsed the App, having simply refused advertising monitoring from Météo France partners, but I am already being tracked by numerous companies:

  • Facebook: Météo-France calls Facebook's advertising monetization solution for apps, Facebook Audience Network. This solution is particularly demanding when it comes to collecting your data, and it is not clear why Facebook collects so much information: Facebook retrieves, for example, the total memory as well as the free memory of your iPhone (in bytes), your battery level, whether your battery is charging, and the parameters of your accelerometer.
  • Google: Météo-France calls Firebase, Google's toolbox for developers, which allows it to customize its application without updating it. Météo-France also calls Google AdMob, the advertising monetization solution for applications.
  • Smart AdServer: a French advertising monetization solution used by Météo-France.
  • Madvertise: via mng-ads.com, another French advertising monetization solution. Madvertise is the exclusive agency of Météo-France and is thus co-responsible (with Météo-France) for the advertising calls to Google and Smart AdServer. If we look at the details of the data sent to mobile.mng-ads.com (reminder: I refused any collection of personal data, and I did not click on any screen), we see 7 requests leaking my GPS coordinates (longitude, latitude), making it possible to know precisely where my home is.

Thus Madvertise, the exclusive agency of Météo-France, takes ownership of your geolocation. However, I refused any collection of personal data. So who is this service provider who let me “choose” the possible collection of my personal data by partners? It's still Madvertise (!) via the domain cmp.madvertise.mgr.consensu.org. Let's recap:

  • Météo-France, via Madvertise's Consent Management Platform (CMP), asks the user for their consent for the collection of personal data by partners (of which Madvertise is one).
  • I refuse any collection of personal data.
  • Madvertise does not take my choice into account and collects particularly sensitive personal data, my geolocation.
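One way to repeat this check on your own capture, as an added example that is not part of the original post: it scans a proxy session exported as HAR for requests whose query string or body contains values close to the device's known position, and counts them per third-party host. The test position, the first-party host `api.weather.example`, the request paths and the parameter names are constructed assumptions; only the host names `mobile.mng-ads.com` and `adnxs.com` come from the article.

```python
import json
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# Constructed test position (central Paris) and tolerance in degrees (~1 km).
DEVICE_LAT, DEVICE_LON, TOLERANCE = 48.8566, 2.3522, 0.01
# Hypothetical first-party forecast host, which legitimately needs the position.
FIRST_PARTY = {"api.weather.example"}
# Decimal numbers with at least two fractional digits, not part of a longer token.
NUM = re.compile(r"(?<![\d.])-?\d{1,3}\.\d{2,}")

def _entry(url, body=""):
    return {"request": {"url": url, "postData": {"text": body}}}

# Constructed HAR capture; paths and parameter names are hypothetical.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry("https://mobile.mng-ads.com/ad?lat=48.85661&lon=2.35222&os=14.0"),
    _entry("https://mobile.mng-ads.com/ad",
           '{"geo": {"latitude": 48.8567, "longitude": 2.3521}}'),
    _entry("https://mobile.mng-ads.com/sync?loc=48.8566%2C2.3522"),
    _entry("https://adnxs.com/bid?size=320x50&id=12345"),
    _entry("https://api.weather.example/forecast?lat=48.8566&lon=2.3522"),
]}})

def carries_position(request, lat, lon, tol=TOLERANCE):
    """True if the query string or body holds values close to both coordinates."""
    body = (request.get("postData") or {}).get("text") or ""
    text = unquote_plus(urlsplit(request["url"]).query + " " + body)
    nums = [float(n) for n in NUM.findall(text)]
    return (any(abs(n - lat) <= tol for n in nums)
            and any(abs(n - lon) <= tol for n in nums))

def third_parties_receiving_position(har_text, lat=DEVICE_LAT, lon=DEVICE_LON):
    """Count, per third-party host, the requests that carry the device position."""
    hits = Counter()
    for entry in json.loads(har_text)["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if host not in FIRST_PARTY and carries_position(entry["request"], lat, lon):
            hits[host] += 1
    return hits

if __name__ == "__main__":
    for host, count in third_parties_receiving_position(SAMPLE_HAR).most_common():
        print(f"{host}: {count} request(s) with coordinates")
```

Matching on the coordinate values rather than on parameter names catches the position whether it is sent as separate fields, as a combined value or inside a JSON body.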

I continue browsing, surveillance intensifies

What happens when I browse the Météo-France application? In order to see if the application stops leaking my personal data, I launch a new analysis via Charles Proxy and browse the application for 2 minutes:


We can see that in addition to the previous tracers, still very present, new tracers appear:

  • Integral Ad Science: via adsafeprotected.com, this company specializes in visibility measurement (is the advertising delivered visible on the screen or hidden?), in fraud detection (is the advertising displayed to a human or to a bot?) and in "brand safety" (is the site on which the advertising is displayed acceptable to the brand? Typically, a streaming site is rarely appreciated by brands).
  • AppNexus: via adnxs.com. Acquired by the American telecoms giant AT&T in 2018, this company offers an advertising monetization platform as well as an advertising space purchasing platform.
  • Index Exchange: via casalemedia.com, an advertising monetization platform.
  • MobSuccess: an advertising space purchasing platform (DSP) specialized in the application universe.
  • Teads: an ad network specializing in the InRead format (autoplay advertising videos which appear in the middle of articles), purchased by Altice (notably the owner of SFR) in 2017.
  • OpenX: another advertising monetization platform.

We can also see that Météo France leaks your geolocation to Madvertise continuously. I cropped the screenshot, but there were twice as many requests in just 2 minutes of browsing (and each request contains my longitude and latitude):


One last point: if you continue to use Météo France by relaunching the application (or if you reinstall it as I did for these tests), it asks you to use your position even when you are not using the app (!).


Note that the reason given by Météo France is the same as when the app is active: to directly access the forecasts for the city where you are and to allow you to share your observations. In short, no benefit for the user, but an authorization which allows Madvertise to be the perfect spy by tracking you even when you do not launch Météo France.

While waiting for better protection on the iOS side, protect yourself

Seeing a public establishment as reputable as Météo France violate the law and allow a snitch to follow you continuously is particularly shocking. If unfortunately the CNIL remains powerless in the face of these repeated violations of the GDPR, you still have options:

  • Prefer the Weather application offered by Apple on iOS (even if less reliable) or surf the Météo France website with a content blocker.
  • Use an app that blocks trackers to be better protected against surveillance on apps such as Météo France: DNSCloak, Adguard or NextDNS on iOS.

And very soon, you will be better protected thanks to iOS 14, an update that will allow you to provide the applications of your choice with only an approximate location (per 25 km² area), which is sufficient for applications such as weather.
