Location intelligence company Cuebiq is sunsetting its software development kit and replacing it with a clean room-type product called Workbench that will allow data analysis in a more secure, privacy-safe way.
Cuebiq had been planning to make this move for around two years.
Even when there’s no malicious intent, SDKs pose a security risk and facilitate the type of wanton data sharing that isn’t a good look considering all of the privacy regulations coming into force and Apple cracking down on cross-app data sharing.
The average app has around 18 SDKs integrated, many of which, to be fair, do serve a legitimate purpose.
But regardless of whether there’s anything shady going on, simply having that many SDKs sharing data at a granular level exponentially increases the potential for a data breach or a cybersecurity incident, said Antonio Tomarchio, CEO and founder of Cuebiq.
“The more you share data, the higher the risk,” Tomarchio said. “That’s why we’re advocating a system which allows data owners to still make their data available for applications, but without sharing it.”
Developers need to change the way they do business, because the writing is on the wall as app stores tighten their rules and implement restrictions on data sharing.
In December, for example, both Apple and Google banned apps in their respective app stores from using location data company X-Mode’s SDK. As part of Apple’s AppTrackingTransparency framework, developers are responsible for all of the code included in their apps.
“This is a trend that will not stop,” Tomarchio said, “and so we have to find new solutions.”
Workbench, which has been in private beta for the past six months, is Cuebiq’s attempt to do so.
Whereas SDKs access raw data signals on a user’s device and broadcast them to partners (often without the data owner’s knowledge), the idea behind Workbench is to create a safe clean room or sandbox-like environment where apps and their partners can analyze raw data without it actually leaving the premises.
Apps can either upload their data to Workbench in private mode through an API to analyze it for their own purposes or they can safely monetize their data with other Cuebiq customers. Mobile developers will still be able to access an open source version of Cuebiq’s SDK to collect data. But they’ll only be able to do anything with it if it’s been properly collected with consent.
Cuebiq processes all of the data uploaded to its platform using differential privacy algorithms, which aggregate the data and remove any sensitive data points.
A retailer, for example, could run a query to see which ZIP codes its customers live in and how many miles on average they drive in order to get to a store, but the algorithm would obfuscate the device IDs and any specific locations in residential areas.
Cuebiq also discards any sensitive points of interest, including places of worship and single-disease healthcare facilities, like a cancer center.
“It’s still possible to enable an open data ecosystem in a privacy-safe way,” Tomarchio said.
But the current state of affairs, by which developers have little visibility into how the data generated by their apps is shared, isn’t sustainable.
“It’s a real concern,” he said.