Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Privacy considerations regarding the mapbox sku token

See original GitHub issue

Hi, I just made a short privacy check for the app. While it’s really privacy friendly compared to all the charging apps, I found a ID attached to every mapbox call, the so called “sku token”.

https://api.mapbox.com/fonts/v1/mapbox/DIN%20Offc%20Pro%20Regular%2cArial%20Unicode%20MS%20Regular/256-511.pbf?access_token=pk.abcdefghijk123456789&sku=100kuya9kxy4977079c7b3449b0975364ae06e21266

A scandal from 2019 shows how problematic a collection of pseudonymous location data could be, so I tried to take a closer look.

I didn’t find many information on the token. Here is a mapbox function createSkuToken() showing how it’s generated, but I can’t tell if this is really belonging to the SDK you are using.

This source code states, that the token changes every 12 hours, but in my test the changes are so subtle that a user still could be tied to it’s former ID:

19.10.2021 / 19:30: sku=100kuyd42em7d79922aa4764ddfae1155a13a350d0d 20.10.2021 / 09:42: sku=100kuz7dog97d79922aa4764ddfae1155a13a350d0d

I also tried to change the telemetry setting on the mapbox map in your app, but this didn’t alter the sku attachment.

Does anyone have any ideas or further information on this?

Issue Analytics

State:
Created 2 years ago
Reactions:1
Comments:9 (5 by maintainers)

Top GitHub Comments

1reaction

rufpostencommented, Oct 20, 2021

Ah, I understand. Would be worth a try to ask them for special conditions like Transportr. Otherwise - I don’t know … Crowdfunding on goingelectric? Premium Version? I myself would just use it without GPS access, that would be a hassle, but a quite good protection against identifying the requests.

0reactions

johan12345commented, Nov 12, 2021

This is the first response from my contact at Mapbox that I received, I‘m still waiting for a reply from the technical team:

You are correct that the SKU is to count MAUs, that is all. More here: https://docs.mapbox.com/android/maps/guides/pricing/ and https://docs.mapbox.com/help/glossary/sku-token/ .

We do not track individuals’ movement data overtime. Our telemetry pipeline is separate from the usage/MAU tracking. Our telemetry collection also anonymizes and chops up all movement data at the source so it is not possible to trace an individual cellphone’s journey over time. More on telemetry data privacy here: https://www.mapbox.com/telemetry/

For more on Mapbox and privacy: https://www.mapbox.com/legal/privacy

(MAU = monthly active user, the comment regarding telemetry does not apply since telemetry is disabled)