If you use Pandora’s Android app, beware: Pandora’s channeling your personal info to third party advertisers, including your birthdate, gender, Android ID, and GPS information.
Evidence for this first appeared in the Wall Street Journal earlier this week, which reported that the company was one of many smartphone app manufacturers under investigation for allegedly obtaining and distributing information about users illegally to third parties (In fact, Pandora has been subpoenaed by a federal grand jury on the subject), which led security firm Veracode to investigate further and uncover some disturbing information:
[Y]our personal information is being transmitted to advertising agencies in mass quantities… In isolation some of this data is uninteresting, but when compiled into a single unifying picture, it can provide significant insight into a persons life. Consider for a moment that your current location is being tracked while you are at your home, office, or significant other’s house. Couple that with your gender and age and then with your geolocated IP address. When all that is placed into a single basket, it’s pretty easy to determine who someone is, what they do for a living, who they associate with, and any number of other traits about them.
Veracode identified five separate ad libraries that received information from Pandora’s app, and believes that a user’s GPS information, birthday, gender, IP address, and postal code are transmitted to these libraries, along with information about the app and device themselves. Pandora has, in the past, argued that the information is necessary to craft personalized music streams, but when contacted about this latest information by Ars Technica, the company declined to comment.
More on TIME.com: