A smartphone application that gathers information on the location of its users was downloaded by more than 1.5 million people, and the data was sent to an advertising company in the United States, according to experts.

The application in question is a goldfish catching game that does not require any information about the user’s location to play.

As the GPS data makes it possible to identify a user’s location with a margin of error of several meters, it would be possible to presume the user’s home or office address if such information was accumulated, they said.

An image showing what type of information is collected appears on the screen before installation, but only a small number of users correctly understand the explanations, the experts said.

There have been no guidelines available on information gathering for smartphones despite the rapid spread of the devices. This seems to have aggravated the situation.

According to an analysis by KDDI R&D Labs in Fujimino, Saitama Prefecture, at the request of The Yomiuri Shimbun, the free application released on the Internet last month was designed to send Global Positioning System information from smartphones to a U.S. advertising firm at a rate of about once per minute.

When the application is installed, an image appears on the screen with a message reading “the range of access authority and positional information.” Approval of the reading of positional information is requested but there is no mention of its purpose and whether the information will be transmitted remotely.

The software development company that produced the application released it on 238 application markets since November last year, and 1.5 million people have installed it, according to the firm.

The collected information was found to have been used to display ads highly connected with the locations of application users.

“When we created the application, we built in the programs sent from a U.S. advertising company, with which we had made a contract for ad placement, without confirming their contents,” the president of the app development company said. “We had no idea that private information was being transmitted, because the game’s content has no connection with positional information.”

The U.S. advertising firm insists that information about users’ locations is collected to provide more convenient advertisements and that no problems will arise because information is treated anonymously.

As with the case of the application development company in question, programs for delivering ad content are provided by advertising companies to application developers. Many of the programs are believed to include modules capable of reading and gathering personal information, the experts said.

KDDI R&D Labs surveyed 980 applications both at home and abroad in August. They found 27 percent of them were equipped with functions capable of reading positional information; 11 percent were found to be capable of reading the contents of a telephone directory; and 58 percent of them were found to be capable of acquiring IDs associated with terminal devices and telephone numbers.

Keisuke Takemori, a senior researcher at the KDDI labs, said: “Virus infection of smartphones has emerged as a problem, but we are also in a situation where even legitimate application software could cause information leaks. Users are not told how the collected information will be used.”

In May last year, the Internal Affairs and Communications Ministry compiled guidelines on personal information gathering through information technology devices, calling for clarification of purposes and identification of who will collect such information.

The ministry pointed out the software in this case could “deviate from these principles,” but has yet to put forth effective measures to deal with it partly because it involves a foreign advertising company.

The ministry formed a study group on smartphone cloud security in October. The group’s main job is to work out measures against computer viruses. It has yet to launch a full-scale study of information gathering of legitimate application software.

Read more