Google tracks your location—even when you tell it not to

Google is under fire again for tracking your location, and for continuing to do so even if you turn tracking off.

Or alternatively, for doing a terrible job of explaining the purpose of its labyrinthine privacy settings. Take your pick.

The more cynical among you might assume this is a dark pattern—a deliberate attempt to confuse users into doing what Google wants. The thinking goes that if anyone complains, Google can just reply that the complainers are drooling idiots who didn’t RTFM. In this week’s Security Blogwatch, we follow your every move.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: How dangerous is orbital debris? 

GPS settings FAIL

What’s the craic? Ryan Nakashima, Alan Fram, Mary Clare Jalonick, and Jonathan Drew tag-team to type Google tracks your movements, like it or not:

[We] found that many Google services on Android devices and iPhones store your location data even if you’ve used a privacy setting that says it will prevent [it]. Researchers at Princeton confirmed these findings.

Storing your minute-by-minute travels carries privacy risks. … So the company lets you “pause” a setting called Location History. Google says that will prevent the company from remembering where you’ve been.

“You can turn off Location History at any time. With Location History off, the places you go are no longer stored.” That isn’t true.

The privacy issue affects some two billion [Android] users … and hundreds of millions of worldwide iPhone users.

Critics say Google’s insistence on tracking its users’ locations stems from its drive to boost advertising revenue. … Ad buyers can target ads to specific locations … and typically have to pay more to reach this narrower audience.

Wait. Are you serious? Kieren McCarthy sarcastically says Google’s apps won't take no for an answer:

Google has admitted that its option to "pause" the gathering of your location data doesn’t apply to its Maps and Search apps. … However, Google assured [us] that it is all fine and above-board because the small print says [so].

The mistake people make is … assuming that turning off an option called "location history" actually turns off the gathering of location data – which is obviously ridiculous. … In the pop-up explanation … Google is entirely upfront when it says … "This setting does not affect other location services on your device."

[But] it forgets to tell you that "Web and App Activity" is where you need to go to stop Search and Maps from storing your location data. … But it gets even weirder than that: because if you expect that … would actually stop [storing] web and app activity … then you've ended up in the wrong place again. … You need to go to Google settings.

It's almost as if the approach taken by Google is purposefully confusing [so] it can continue to make huge sums of money selling it to third parties. … We asked Google to explain … and it sent us a statement explaining why we are idiots.

At which Rob Beschizza is appalled: [You’re fired—Ed.]

Google says it is "being perfectly clear." The … interactive map of [a] researcher being tracked over a three day period shows what is perfectly clear: where you are.

How to fight back? Here’s gracchus:

Once in a while I use a location spoofing app to place myself at some random location somewhere else on the globe. I don’t know if it actually pollutes their data but if it does introducing a bit of FUD into their system can’t hurt.

And I’m not sure that word means what this Anonymous Coward thinks it means:

The other week, I was walking past a train station and bingo, I got a message from Google Maps kindly telling when the next train would be. It might have been nice if I wanted the message and I opted in but I didn't.

I don't use Google Maps. … But yep, the perverts at Google don't respect my wishes and knew exactly where I was.

I had turned off location/all history, that only seems to mean they don't tell me what my history is. … Google = Pure perverts.

Does anyone else remember when Google was competent, not just perverts?

But Jason Keirstead expresses his DISAPPROVAL:

Disabling "Location History" *IS NOT THE SAME THING* as disabling Location TRACKING.

That is a DIFFERENT SETTING. … It is RIGHT IN THE QUICK SHORTCUTS.

What an idiotic article.

And this Anonymous Coward offers a pomaceous whatabout:

Apple [is] far worse. Apple just force you to create an account when you first set up an iPhone, and location track you with no way to opt out.

On Android, a Google account is entirely optional. … With no Google account, there is no Google location tracking. (Your network of course can always triangulate your location, [which] is true of every phone made in the last 25 years.)

It's clearly mentioned in page 12 of the Apple terms of service and page 22 of the privacy policy.

Speaking of Apple, here’s John Gruber:

The saga of Apple Maps’s launch is long and complicated, but Google’s desire to track our location was at the heart of it. Apple wanted new features like turn-by-turn directions and vector graphic map tiles; in exchange, Google wanted iOS to allow Google to track user location.

[Now] Google is saying, with a straight face, that it’s perfectly clear that disabling the feature named “Location History” does not prevent Google from tracking your location.

There’s nothing surprising about this, but that doesn’t mean it isn’t shameful.

So this is a job for GDPR. Is it a bird? Is it a plane? No, it’s Andy Blanchard:

The GDPR fines against revenue, not the profit or net income after all the financial shell games to avoid taxes have been played out. Assuming the worst case fine under the GDPR, 4% of global revenue, [which] would wipe out approximately one third of their net income for the year.

They'd still be in the black, but that's hardly a minor cost of doing business.

Closer to home, Maya Kosoff ponders DC’s likely reaction:

Google is now the foremost purveyor of digital ads. In fact … nearly 40 percent of the U.S. digital advertising market.

Brin and Page’s brainchild is almost certainly poised to become the next front in the privacy wars. … If Congress needs a fresh target, Google is a sitting duck.

Meanwhile, Paul E. King tells us how to fix it:

If you’re actively interested in disabling location across the phone, revoke it for ALL services and apps, turn off GPS, stop, kill, or uninstall Facebook, Twitter, any phone portal software, get third party … firmware, flash it, then throw the phone away because it’s still probably trackable.

The moral of the story? Beware of creating your own dark patterns. And if you care about location tracking, check your MDM settings.

And finally …

How dangerous is orbital debris?


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
