Anonymous sensor data helps find missing roads, determine road speeds and traffic, and classify biking and walking transit routes in cities. This data contributes to a better map of our world for your users.
We use telemetry from all Mapbox SDKs to improve our map, directions, travel times, and search. We collect anonymous data about how users interact with the map to help developers build better location-based applications.
Location telemetry is critical to improving the map. We use the data to discover missing roads, determine turn restrictions, build speed profiles, and improve OpenStreetMap.
New streets: Location data is used to identify new streets, hiking trails, and bike paths.
Turn restrictions: Sensor data helps us better understand turn restrictions and identify one-way streets.
Speed profiles and traffic: Understanding posted and time-sliced real-world speeds improves traffic modeling and routing.
Lane detection: High-definition mapping requires intra-road analysis of lane counts and types.
As developers, we understand the resource constraints on mobile devices. Our data collection has been optimized in collaboration with developers in our community and has been field tested with millions of users to make sure we can improve maps without any noticeable impact on an application's footprint.
Users should be in charge of their own location data and when it is shared. Developers employing our Maps SDKs for iOS and Android are required by Mapbox to provide the ability for users to opt out of location telemetry reporting and must provide a location opt-out feature within the settings of any native app.
We secure all telemetry on-device and in transit to our servers. Communication between our SDKs and servers uses SSL, and we publish the SSL certificates in our source code:
iOS (Digicert, GeoTrust)
Android (Digicert, GeoTrust)
Shipping our SSL certificates inside the SDK in this way is called SSL pinning and is an industry best practice: the client accepts a connection only when the server presents one of the certificates it already knows. SSL pinning ensures that only Mapbox receives the data produced by Mapbox clients, and prevents Mapbox clients from reporting to a hostile network operator or other third party that is attempting to intercept network traffic.
Our SDKs also check for certificate revocation. We pin to multiple certificates issued by authorities that support the Online Certificate Status Protocol (OCSP). OCSP makes some attempts to intercept traffic impossible and others more difficult. (iOS natively supports certificate revocation checking.) SSL pinning and OCSP go a long way toward securing communications, but security best practices and technology are evolving quickly. We continue to iterate on our approach and are considering additional technologies such as Domain Name System Security Extensions.
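The pin check described above, as an added Python example (not Mapbox SDK code): the pin set is built from the certificates shipped with the client, and a connection is kept only if the server's certificate matches one of them on top of normal chain and hostname validation. The function names and the byte strings standing in for certificates are constructed for illustration.

```python
import hashlib
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def load_pins(pem_certs) -> frozenset:
    """Build the pin set from the PEM certificates bundled with the client."""
    return frozenset(fingerprint(ssl.PEM_cert_to_DER_cert(p)) for p in pem_certs)


def is_pinned(der: bytes, pins: frozenset) -> bool:
    """Exact match against any pin; an empty pin set fails closed."""
    return bool(pins) and fingerprint(der) in pins


def connect_pinned(host: str, pins: frozenset, port: int = 443, timeout: float = 5.0):
    """Open a TLS connection that must pass standard validation AND the pin check."""
    ctx = ssl.create_default_context()  # chain and hostname validation stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if not is_pinned(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError(f"{host}: server certificate matches no pin")
    return tls


# Constructed stand-ins for DER certificates (not real certificates).
CERT_A = b"constructed certificate A"
CERT_B = b"constructed certificate B, second pin from a second authority"
INTERCEPTOR = b"constructed certificate presented by an intercepting proxy"

# Pinning more than one certificate lets one be rotated without locking clients out.
PINS = load_pins([ssl.DER_cert_to_PEM_cert(c) for c in (CERT_A, CERT_B)])

if __name__ == "__main__":
    for name, der in (("A", CERT_A), ("B", CERT_B), ("interceptor", INTERCEPTOR)):
        print(name, "accepted" if is_pinned(der, PINS) else "rejected")
```

A certificate that a device trusts only because an extra root was installed on it would still pass `create_default_context()` validation, which is why the pin comparison runs as a second, independent check.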
Data is encrypted on our servers using Amazon's Key Management Service, which uses hardware security modules designed to be tamper-proof. We have designed this so that no one has access to the master keys – they remain within the security module and cannot be used or moved outside of it. Secondary private keys are created using our master key and are then used to encrypt the data. These keys are rotated twice daily and never stored in unencrypted form.
Access to mobile data within our infrastructure is restricted. Any change in access triggers alarms to ensure that no one gains access accidentally. Access to all of the involved infrastructure is constantly and automatically audited and reviewed by multiple members of our security team.