Even after a host of news reports have revealed the ways in which Angry Birds creator Rovio shares with third parties, the Android version of Angry Birds in the Google Play store, updated on March 4, continues to share personal information, according to researchers at FireEye. In fact, more than a quarter billion users who create Rovio accounts to save their game progress across multiple devices might be unwittingly sharing all kinds of information – age, gender, and more – with multiple parties.
“Once a Rovio account is created and personal information uploaded, the user can do little to stop this personal information sharing,” explained bloggers at security firm FireEye in the analysis. “Their data might be in multiple locations: Angry Birds Cloud, Burstly (ad mediation platform), and third-party ad networks such as Jumptap and Millennial Media. Users can avoid sharing personal data by playing Angry Birds without Rovio account, but that won’t stop the game from sharing device information.”
With more than 2 billion downloads of Angry Birds so far, this sharing has the potential to affect many, many devices. To investigate the mechanism and contents of the information sharing, FireEye researched different versions of Angry Birds and found that multiple versions of the game can share personal information in clear text, including email, address, age and gender.
Most users create Rovio accounts to save game progress and scores; but the registration process captures birthdays, the user’s email address and gender. And, the end-use license agreement (EULA) and privacy policy grant Rovio the rights to upload the collected information to third-party entities for marketing.
If users sign up for the newsletter, which offers new games, episodes and special offers, then the player’s first and last name, email address, date of birth, country of residence and gender are captured. This information is aggregated with the user’s Rovio account profile by matching the player’s email address.
It then goes on to explain in the analysis that Rovio shares the information with its ad partners.
“Angry Birds collects user’s personal information and associates with customer id before storing it in the smart phone storage,” researchers noted. “Then the Burstly ad library embedded in Angry Birds fetches the customer id, uploads the corresponding personal information to the Burstly cloud, and transmits it to other advertising clouds. We have caught such traffics in the network packet captures and the corresponding code paths in the reversed engineered source code.”
The issue has been covered by mainstream media, FireEye pointed out – the New York Times reported on Angry Birds and other data-hungry apps last October. In January, the newspaper teamed up with public-interest news site ProPublica and UK newspaper the Guardian for a series of stories detailing how government agencies can use the game (and other mobile apps) to collect personal data. And the CBS news magazine 60 Minutes reported earlier this month that Rovio shares users’ locations.
The EULA clears a path for sharing information with merketers, but Rovio, for its part, issued a statement earlier in the year that said it "does not share data, collaborate or collude with any government spy agencies such as NSA or GCHQ anywhere in the world." It noted that the report was "speculation." And, it said that if agencies were targeting ad networks, "it would appear that no internet-enabled device that visits ad-enabled web sites or uses ad-enabled applications is immune to such surveillance."