Peter A Clarke

Stories about Google knowing more about its users than the users themselves are so ubiquitous, like Google, that they rarely make their way onto the back page of a paper let alone the front page.  What is more concerning and noteworthy is recent run of stories of social media platforms, like Facebook, and data collecting companies, like Google, collecting and using data contrary to the supposed settings.  The Australian reports on the latest example of this egregious behaviour with Google knows your every move even with ‘location history’ off.  In short Google is tracking a phone’s movements even when settings to protect privacy are activated.  The way this was determined was through a test where software was installed to detect (described as tap) data being sent to Google.  This data stream was identified.  The nub of the problem is that the consent to use data went beyond that which was agreed, with that data being sold by brokers to police forces, governments and spy agencies.  The data collected includeslocation data as well as voice recordings of directions provided by Google Maps and details of wi fi routers.  In short Google is accessing and can use data to track a normal user even when they disable location history

The article provides:

Tests conducted by The Australian in Sydney — in which information being sent to Google was duplicated and analysed — show the technology giant tracks the phone’s movement even when those settings, ostensibly meant to protect the privacy of users, are ­activated.

Australian Privacy Foundation chairman David Vaile said the findings were disturbing, and Android users were being misled to think that the incognito privacy feature, where the device does not record any activity, meant that Google was not tracking the phone’s location either.

“They’ve proven time and time again that they’re unwilling to ­accept restraints on their data-collection practices,” Mr Vaile said. “They have essentially kept harvesting the data while giving a misleading impression that they have obeyed your wishes.”

Google’s collection of user data is already of concern to the Australian Competition & Consumer Commission, which last month launched Federal Court proceedings alleging the company had misled customers by not explicitly asking them for their permission to link their names with other identifying information such as internet activity. That data was later used to display advertising.

The Australian’s tests, which were conducted with the assistance of Oracle, included the interception of a secret stream of data from Android phones to Google, including location data, information about hundreds of Wi-Fi routers and mobile phone towers which users passed.

Google Map voice prompts ­directing users through traffic were also recorded and sent to Google along with the locations. The Australian was able to replay those prompts from the data.

The Australian has previously reported Android phones were transmitting a vast array of information — from locations to how active and how high up in a building users were — back to Google.

A spokesman for the Office of the Australian Information Commissioner, the nation’s data protection agency, said the collection of personal information by any company “must be collected by fair and lawful means, and individuals adequately informed about the purposes for the collection”.

A Google spokeswoman said: “Geographic information helps us provide useful services when people interact with our products, like locally relevant search results and traffic predictions.”

While Google has previously said it does not sell data to third parties, applications installed on Android devices could collect and track user locations and make those details available to others.

“People can disable location history and ‘web & app activity’, and edit or delete the information, at any time,” the Google spokeswoman said.

Disabling location history, however, does not end the flow of information from an Android ­device to Google, The Australian’s tests show. (Oracle, which ran the tests, is involved in separate and long-running litigation against Google.)

Richard Buckland, a computer systems security researcher at the University of NSW, said it was “almost impossible” to stop ­Google storing a user’s location data. “When you make that change in your settings you’re just politely asking Google not to ­record your location,” he said. “You’re essentially just saying, look I know you know where I am, but please don’t record my ­location.”

Professor Buckland said Google would automatically store time-stamped location data without asking, often in violation of a user’s preference, and even with location history turned off.

“It’s almost impossible for a normal user to be confident they’re not being tracked,” he said. “If you don’t want Google to know where you are, don’t take your phone with you.”

He said that even if a user “jumped through all the hoops” Google could still pinpoint the person’s latitude and longitude and link it to their account when they search for topics.

“It’s in their interests to collect as much information from you as possible and I would advise people who think they’ve managed to conceal their location to be very, very careful.”

ABOUT THE PROJECT (Q&A)

What was the experiment?

We tested various phone location settings to see what data an Android phone sends to Google beyond what the phone displays openly. It follows on from this.

What did we find?

We found location data was sent with location history set to OFF and incognito mode in Google Maps set to ON. We believe the public would expect to travel anonymously with these settings.

What else did we find?

One experiment involved travelling with these settings (location history OFF and incognito mode ON) in a car while performing voice turn-by-turn navigation with Google Maps.

The resulting data stream not only included location data but also voice recordings of the directions that Google Navigation spoke en route. I could play back all the turn-by-turn voice recordings sent with the data stream.

The phones also collected details of Wi-Fi routers in the vicinity, such as router network names (SSIDs) and equipment identifiers (MAC addresses). The stream included details of dozens of Wi-Fi routers in an apartment building, and routers at a work location.

How is the data collected?

Software was installed on two phones that would “tap” this extra stream of data sent to Google, and send the data to a server in the US operated by Oracle. The server was programmed to unravel this stream of data into its component parts.

We set up experiments, varying the settings between phones to see how each setting affected the data stream. We could access and analyse the data in a human-understandable form through this US software/server set-up.

Why undertake this?

Android users implicitly accept that they offer their data to Google for advertising purposes in return for a free operating system for their phone. However, the use of personal data generated by phones nowadays is distributed to many more agencies than advertisers, with brokers selling it to police forces, governments and spy agencies. It is likely that criminal organisations can also tap into this data. More and more agencies and people are getting access to your phone data.

Is the concern just the data sent to Google?

No. If a company such as Oracle can unravel this data, other organisations can too, by getting you to install apps and access your personal, phone and location information through them.

What the article reveals, or again highlights, is that feeling of impunity of Google who justify the practice by saying it helps provide useful service to people (whether those want to help or not), the timid, bureaucratic and supine Information Commissioner and the largely ineffective civil society groups, here the Australian Privacy Foundation who essentially fill the role of talking heads.  Until that dynamic changes there is very little