EVMap
Privacy considerations regarding the mapbox sku token
Hi, I just made a short privacy check for the app. While it's really privacy friendly compared to all the charging apps, I found an ID attached to every mapbox call, the so called "sku token".
https://api.mapbox.com/fonts/v1/mapbox/DIN%20Offc%20Pro%20Regular%2cArial%20Unicode%20MS%20Regular/256-511.pbf?access_token=pk.abcdefghijk123456789&sku=100kuya9kxy4977079c7b3449b0975364ae06e21266
A scandal from 2019 shows how problematic a collection of pseudonymous location data could be, so I tried to take a closer look.
I didn't find much information on the token. Here is a mapbox function createSkuToken() showing how it's generated, but I can't tell if this really belongs to the SDK you are using.
This source code states that the token changes every 12 hours, but in my test the changes are so subtle that a user still could be tied to its former ID:
19.10.2021 / 19:30: sku=100kuyd42em7d79922aa4764ddfae1155a13a350d0d
20.10.2021 / 09:42: sku=100kuz7dog97d79922aa4764ddfae1155a13a350d0d
I also tried to change the telemetry setting on the mapbox map in your app, but this didn't alter the sku attachment.
Does anyone have any ideas or further information on this?
Oh, thanks for checking!
I am currently excluding the proprietary Mapbox telemetry components and replacing them by a dummy implementation as suggested here. So even if the telemetry setting is enabled it shouldn't actually send any additional telemetry.
As far as I understand, the SKU token is needed for billing purposes on the Mapbox side, as the cost is based on the number of monthly active users. So removing that token would probably break their terms of service, and randomizing it would cause huge costs (as their API would believe each request to come from a different user).
So with the dummy implementation, will there still be attached SKUs?
I just checked streetcomplete, they use jawg.io and this works without pseudonymous IDs:
GET https://tile.jawg.io/streets-v2/16/34870/22743.pbf?access-token=abcdefghi12345678& HTTP/2.0
So, this is how the sku is built: Prefix + timestamp + userID
// Decompiled from the Mapbox Android SDK: the token is the fixed prefix,
// the current time in milliseconds written in base 36, and the user ID.
public static String obtainMapsSkuUserToken(String str) {
    String l = Long.toString(System.currentTimeMillis(), 36);
    return MAPS_SKU_PREFIX + l + str;
}

// The user ID part is persisted; only the timestamp part is regenerated once the token has expired.
public String getSkuToken() {
    if (!this.isManaged) {
        this.skuToken = getSharedPreferences().getString(MapboxConstants.KEY_PREFERENCE_SKU_TOKEN, "");
    } else if (isExpired()) {
        String generateSkuToken = generateSkuToken(getUserId());
        this.skuToken = generateSkuToken;
        this.timestamp = persistRotation(generateSkuToken);
    }
    return this.skuToken;
}
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="com.mapbox.mapboxsdk.accounts.userid">7d79922aa4764ddfae1155a13a350d0d</string>
    <long name="com.mapbox.mapboxsdk.accounts.timestamp" value="1634715463690" />
    <string name="com.mapbox.mapboxsdk.accounts.skutoken">100kuz7dog97d79922aa4764ddfae1155a13a350d0d</string>
</map>
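As an added illustration (not code from this thread, from EVMap or from Mapbox), here is a small Python parser for the token layout the decompiled snippet implies. The three-character prefix and the 32-character user ID width are assumptions read off the captures above, not documented constants; the script decodes the two tokens from the report and shows that the persistent user ID survives the 12-hour rotation.

```python
from datetime import datetime, timezone

# Assumed layout, reconstructed from obtainMapsSkuUserToken() above:
# fixed prefix ("100" in the captured tokens), then
# System.currentTimeMillis() in base 36, then the persisted user ID
# (32 hex characters in the captured preferences file).
SKU_PREFIX = "100"
USER_ID_LEN = 32


def parse_sku_token(token: str) -> dict:
    """Split a SKU token into prefix, rotation timestamp and user ID."""
    if not token.startswith(SKU_PREFIX) or len(token) <= len(SKU_PREFIX) + USER_ID_LEN:
        raise ValueError("not a SKU token of the expected shape")
    user_id = token[-USER_ID_LEN:]
    ts_b36 = token[len(SKU_PREFIX):-USER_ID_LEN]
    ts_ms = int(ts_b36, 36)  # reverses Long.toString(millis, 36)
    issued = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
    return {
        "prefix": SKU_PREFIX,
        "timestamp_ms": ts_ms,
        "issued_at": issued.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "user_id": user_id,
    }


def same_user(token_a: str, token_b: str) -> bool:
    """True if both tokens carry the same persistent user ID, however
    different the rotating timestamp part looks."""
    return parse_sku_token(token_a)["user_id"] == parse_sku_token(token_b)["user_id"]


def rotation_gap_hours(token_a: str, token_b: str) -> float:
    """Hours between the issue times of two tokens (the SDK rotates every 12 h)."""
    a = parse_sku_token(token_a)["timestamp_ms"]
    b = parse_sku_token(token_b)["timestamp_ms"]
    return abs(b - a) / 3_600_000


# The two tokens captured in the report above (19.10. 19:30 and 20.10. 09:42).
TOKEN_1 = "100kuyd42em7d79922aa4764ddfae1155a13a350d0d"
TOKEN_2 = "100kuz7dog97d79922aa4764ddfae1155a13a350d0d"

if __name__ == "__main__":
    for t in (TOKEN_1, TOKEN_2):
        print(parse_sku_token(t))
    print("same user:", same_user(TOKEN_1, TOKEN_2))
    print("hours between rotations:", round(rotation_gap_hours(TOKEN_1, TOKEN_2), 1))
```

The decoded issue time of the second token is one millisecond before the timestamp stored in the preferences file, which matches the code: the token and persistRotation() each read the clock separately.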
If this helps .. I just checked Transportr - this FOSS app also uses Mapbox and doesn't attach SKUs:
GET https://api.mapbox.com/v4/mapbox.mapbox-terrain-v2,mapbox.mapbox-streets-v7/4/8/4.vector.pbf?access_token=abcdefg123456&events=true HTTP/1.1
Probably because it deactivates telemetry instead of excluding the modules?
MapboxTelemetry.getInstance().isTelemetryEnabled = false
Transportr uses an ancient version of the Mapbox SDK (version 5 instead of 9), which does not yet use the per-user billing scheme (see https://www.mapbox.com/pricing/ - it was introduced with v8).
As you already found out, the SKU is also sent when telemetry is disabled - because it is needed for billing, not for telemetry.
Using jawg.io data might also be possible, but it seems their free tier is much smaller than Mapbox's and might be easily exceeded by the current user base (e.g. 10k geocoding requests per month instead of 100k - the pricing for map tiles is not directly comparable as Mapbox bills per user).
Ah, I understand. Would be worth a try to ask them for special conditions like Transportr. Otherwise - I don't know ... Crowdfunding on goingelectric? Premium Version? I myself would just use it without GPS access, that would be a hassle, but a quite good protection against identifying the requests.
Yeah. I already had positive contact with the Mapbox community team for special conditions with them (which were not actually used so far as we are still a bit below their free tier limit), so it would be nice if we could improve the privacy while staying with them - but of course if that does not work out I can ask Jawg if they would be open to something similar.
First, I now sent a message to Mapbox support if they have any suggestions about this - let's see what they reply.
This is the first response from my contact at Mapbox that I received, I'm still waiting for a reply from the technical team:
- You are correct that the SKU is to count MAUs, that is all. More here: https://docs.mapbox.com/android/maps/guides/pricing/ and https://docs.mapbox.com/help/glossary/sku-token/ .
- We do not track individuals' movement data over time. Our telemetry pipeline is separate from the usage/MAU tracking. Our telemetry collection also anonymizes and chops up all movement data at the source so it is not possible to trace an individual cellphone's journey over time. More on telemetry data privacy here: https://www.mapbox.com/telemetry/
- For more on Mapbox and privacy: https://www.mapbox.com/legal/privacy
(MAU = monthly active user, the comment regarding telemetry does not apply since telemetry is disabled)