Singapore investigating claims Muslim app developer sold user data to US military

Clocking more than 98.5 million downloads worldwide, the Muslim Pro app reportedly has sold "granular location data" to the US military -- an allegation it denies -- and is now being investigated by Singapore's Personal Data Protection Commission.

Singapore is investigating claims that locally based mobile app Muslim Pro has sold "granular location data" to the US military. Clocking more than 98.5 million downloads worldwide, the popular prayer tracking app has denied the allegations, saying it shares only anonymised data with its partners.

The Personal Data Protection Commission (PDPC) confirmed it was investigating the allegations and had asked for more information from the developer of Muslim Pro, Bitsmedia. The regulator told local media: "We remind users to also be mindful of the type of permissions and personal data they provide and how it may be used. If in doubt, users should not download or use any application."

Founded in 2009, the Singapore-based Bitsmedia has offices in Malaysia and Indonesia. Its Muslim Pro app tracks prayer times and shows the direction to Mecca, amongst other features, and has been downloaded by users across 200 countries, according to its website.

Earlier this week, the app was reported to have sold granular location data to X-Mode, a US third-party data aggregator that sells its services to customers, which had included US defence contractors. US-Canadian news outlet Vice Media broke the news in its report, stating that Muslim Pro was amongst other mobile apps that had sold data to the US military, and that the data had included timestamps, phone model details, and the name of the Wi-Fi network to which the phone was connected.

Bitsmedia has denied the allegations, publishing two statements on Tuesday and Thursday and dismissing the report as "incorrect and untrue". 

Noting that it was in compliance with global data privacy laws and regulations such as the EU's GDPR (General Data Protection Regulation) and California Consumer Privacy Act (CCPA), Bitsmedia said it "collect, process, and use information" that its users made available to the developer when accessing its app to "improve our service" and facilitate "research and development" (R&D) work for its app.

It said this might include analysing data to better understand user behaviours, so it could "improve the overall functionality" of its service. It added that location data was used for prayer times calculation and facilitated planning and designing features, as well as for improving the overall user experience.

The app developer also insisted it did not share any sensitive personal information, such as name, phone number, and email. "Any data shared with partners is anonymised, which means that our data is not attributed to any particular individuals," it said.

"We apply industry-standard security arrangements and protective measures and select leading technology partners to keep our data safe and secure on our cloud infrastructure. We have also been open and transparent about the personal information we collect, store, and process."

While it had refuted Vice Media's claims, Bitsmedia said it had terminated all relationships with its data partners, including X-Mode, "effective immediately".

It said it collaborated with "selected technology partners" to improve the quality of its app and shared data with its partners for "common purposes such as advertising", which it noted was its main source of revenue. It said it did so "in full compliance" with all relevant laws and implemented "strict data governance policy" to safeguard its users' data. 

According to the app developer, it worked with third parties such as social media networks and data analytics companies, and shared data with the consent of its users. 

It also noted that, aside from its Community section, features provided in Muslim Pro are made available without users having to sign in to the app. "This contributes to the anonymity of data we collect and process," it said.

Should it be found to have breached Singapore's Personal Data Protection Act (PDPA), Bitsmedia could face financial penalties of up to 10% of its annual turnover or SG$1 million ($735,490), whichever was higher. 

Singapore just this month updated the data protection legislation to allow local businesses to use consumer data without prior consent for some purposes, such as business improvement and research. The amendments also allowed for harsher financial penalties to be meted out for data breaches, above the previous cap of SG$1 million. 

In his speech discussing the amendments, Singapore's Communications and Information Minister S. Iswaran said data was a key economic asset in the digital economy as it provides valuable insights that inform businesses and generate efficiencies. It also would empower innovation and enhance products, and be a critical resource for emerging technologies such as artificial intelligence (AI) that hold transformative potential, Iswaran said. 

Amongst the key changes in the PDPA is the "exceptions to the consent" requirement, which now allows businesses to use, collect, and disclose data for "legitimate purposes", business improvement, and a wider scope of research and development. In addition to existing consent exceptions that include for the purposes of investigations and responding to emergencies, these also now include efforts to combat fraud, enhance products and services, and carry out market research to understand potential customer segments. 

In addition, further amendments defined under "deemed consent" to PDPA will now permit organisations to share data with external contractors for the purpose of fulfilling customer contracts. This caters to "modern commercial arrangements" and essential purposes including security.

Businesses will also be able to use data without consent to facilitate R&D that might not yet be marked for productisation. All other purposes outside of "deemed" and "exceptions" to consent, such as direct marketing messages, will still require prior consent from consumers. 

The PDPC last year investigated 185 cases involving data breaches and issued 58 decisions. It ordered 39 organisations to pay SG$1.7 million in penalties, including the highest fines of SG$750,000 and SG$250,000, which were meted out to Integrated Health Information Systems and Singapore Health Services, respectively. 
