I'm Matthew Setter. I'm a security researcher, privacy advocate, and a software engineer. I’ve been developing software since 2000. This blog is focused on helping you write more secure software and protect your online privacy.
Do You Know How Much Location Data Google Records About You?Privacy August 21st, 2018
Last Wednesday, I was interviewed on Radio Sputnik (based out of Moscow) about a recent article on the Guardian about Google recording your location history — even when you tell it not to. This was my first experience as a subject matter expert. So I wanted to share the experience with you.
Before I dive right in, here's how it all got started. Back on April 5th of this year, I was DM'd on Twitter by Radio Sputnik's producer, Daria Markova.
She asked if I wanted to come on and discuss a recent article on the Guardian, titled: "Google employees demand the company pull out of Pentagon AI project".
Owing to a hectic schedule at the time, I wasn't able to take up the offer. However, a little while later I replied, thanking Daria for contacting me and asked if she was still interested in having me as a guest in the future.
She was, and asked if I wanted to discuss another article from the Guardian, titled: "Google records your location even when you tell it not to".
As I read through the piece, I knew that I wanted the opportunity to discuss it. If you've not already read it, the article covers a report by the Associated Press, which talks about the fact that even if you explicitly tell Google not to record your movements (location data), it still will. What the?!
Here's a short excerpt:
An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you've used a privacy setting that says it will prevent Google from doing so...With Location History off, the places you go are no longer stored. That isn't true. Even with "location history" paused, some Google apps automatically store time-stamped location data without asking.
Google Maps Timeline Is An Information Goldmine!
Reading this section sparked a memory of when I first heard about Google Maps Timeline some years ago (back when I used an Android phone). At the time I was intrigued about what might have been stored in my Timeline.
However, shortly after logging in, I became very uncomfortable as I looked at the sheer volume of information stored in my account — and it's near pin-point accuracy!
There was so much damn information! The locations that I worked at around the local area, and in Nuremberg. How I got there. The times that I left and arrived. Even photos that I took at some locations.
What If Anyone Other Than Me Accessed My Account?
They'd be able to learn so much about me, such as:
- Where I'd likely be on a regular basis
- What a number of my habits are (based on where I go)
- How I travel
- When I travel;
- And the list goes on
As a result, I became much very appreciative of the need to be far less cavalier with the information that I was sharing electronically. I reviewed and updated the privacy settings of all my social media accounts — especially Facebook. I also reviewed the privacy and security settings for my iOS phone, among a host of other changes.
As a result, I felt confident that I was now in control of my personal information and could go on my normal daily life with a relaxed ease. But a further section of the article gave me reason to doubt this assumption:
"There are a number of different ways that Google may use location to improve people's experience, including: Location History, Web and App Activity, and through device-level Location Services," a Google spokesperson said in a statement to the AP. "We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time."
To stop Google from saving these location markers, the company says, users can turn off another setting, one that does not specifically reference location information. Called "web and app activity" and enabled by default, that setting stores a variety of information from Google apps and websites to your Google account.
From just these two paragraphs, you can see that controlling your privacy isn't straight-forward. And the more I mulled over this article, the more I wanted to be on the show to help better educate users, both technical and non-technical alike.
The Interview Was a Great Experience
As I've never been asked to be a subject matter expert before, I was both excited and nervous. I started asking myself so many questions, including:
- What would I say?
- Would I say "the right things"?
- Would I embarrass myself?
And on and on the list of self-talk questions went. However, I've recently taken on an attitude of "just do it — what's the worst that could happen?" and accepted the offer.
Daria stayed in contact and, like all professional radio stations, setup a date and time for the interview, covered the direction of the interview, and superbly managed my expectations. Being flat out with client work, there wasn't much time to prepare myself, but I still put in some time to get my thoughts in order.
Then, the moment arrived! The show's producer rang me and checked that I was ready to go. I waited a little while to be introduced on the show. And then it was my turn!
Well, what an experience. Here I was, on an international radio program, being asked for my opinions and knowledge about Google's approach to obtaining and storing user's location information. If you want to just skip to the good bit, have a listen to an excerpt of the recording below
The host was very professional and it was very easy to talk with her about the topic. What's more, she posed a number of compelling questions, including:
- Is it illegal, how Google obtains and stores user location data?
- What can the lay user do to be sure that they have fully opted out of having their location information stored
- What might happen in the future with all of the information stored electronically
In total, the interview lasted about 15 minutes. And it felt like such a roller coaster ride of an experience.
It Likely That Google's Breaching Some Privacy Laws
I, originally, wasn't completely sure if Google was breaching any privacy laws. However, after reading a recent post on The Register, and quite a number of others, I was wrong.
- It's not clear that you need to use them all to manage the location information that Google stores about you.
- It's not clear if you've paused Location History, how many other settings and tools need to be disabled.
- By not using clearly indicative terms, such as "web and app activity", it's easy for users to:
- Misunderstand what they need to do.
- Misunderstand what they're agreeing to.
- Not fully appreciate the implications of using Google's services.
- By requiring separate applications it shifts the burden to the user.
Here's why. According to The Register's article, the AP found that:
- Location tracking continues when the user thinks they have disabled it. That's because:
- User settings governing location markers are in different places
- Location tracking can be "Paused", but not permanently disabled
- Location tracking continues in Maps, Search and other Google applications regardless of the "Location History" setting.
- Warnings provided to both iOS and Android users are misleading
Sure, Google provides a set of well designed and developed tools for users to use. But they aren't explicit about what users need to do to manage their privacy when using Google services and Android smart phones. Users have to go to a lot of effort to ensure that if they truly want to opt out, that they indeed have.
I was discussing this with my wife over the weekend and she instantly appreciated that if users are presented with an option to pause or disable something, then:
- They'll likely believe that that's all they need to do.
- Not check if they have to take any further action.
Since this isn't the case, a large number of users will believe that they've opted out when they really haven't. So Google needs to revise how the popups and T's & C's are worded, as they are clearly inadequate.
What Can You Do To Stop Google Tracking Your Location?
If you don't want Google tracking you, here are a couple of things that you can do — right now:
- Don't use any of their services or products.
- Use an alternative, privacy-focused, search engine, such as DuckDuckGo or Qwant.
- Install the EFF's Privacy Badger.
By doing these things, you stand a fair chance of minimising the information that Google and others can track on you. But even with those, you're still going to be tracked to some degree, even if quite small, thanks to tracking cookies.
It's beyond the scope of this article. But I'll have a future article that covers the essentials of what you need to know to minimise the possibility of Google (and other sites) tracking you.
Remember, Even Free Services Have a Price
All this might sound pretty negative, but there's always an opportunity, if you but look for and are open to it. And so too does this situation.
Here's what it is; we're all expect to get a lot for free these days. But if a service is free — as in we don't have to pay a usage or membership fee — then there has to be a fee of another kind being paid somewhere.
In the case of Google (and Facebook, and others), it's by our data, time, and attention. We have to respect that this is how these services work.
And let's be honest with ourselves, servers, software developers, electricity, buildings, all the costs that go into making a service as detailed as Google or Android, cost a lot of money. So that cost has to be covered somehow.
Now that we know that, we have to start regularly checking how much information we're giving away, how often we're doing it, and if we're truly comfortable with that, and what that could mean for us years down the line.
While I'm not saying that we shouldn't share anything, we must take the time to consider what the implications of sharing so much information, so readily, and so openly means. We have to ask ourselves whether we're too trusting with our online privacy.
Have a look at what you've shared, what others share, and ask yourself if you're really so comfortable. If you're not, you need to do two things:
- Research the security and privacy settings of all the services that you use
- Update them to a level that you're comfortable with
- If they don't go far enough - strongly consider closing your account
- Review these settings on a regular basis
- Keep an ear out for online privacy stories and what tech companies are doing, and have been found to be doing
But most of all, start to slow down sharing so much. Do you really need to share that photo, thought, or idea? Perhaps you do.
If so, go on and share it. But perhaps you don't either. Or if you do, ask yourself who you really want to share it with, and just share it with them, if that's possible and practical.
I Don't Hate Google
This all might sound like I'm beating up on Google. Perhaps. Even if, I quite like them (for the most part). They provide a host of great tools and services, ones that I've enjoyed using for years. However, I'm not as comfortable with them — nor any other tech giant — as I once was.
I don't think that they're necessarily bad people, thinking only of profit before all else. But I do think that the advertising model has some inherent flaws, that lead to consumer privacy often being considered 2nd, 3rd, 4th - perhaps even last.
I am truly thankful to Daria for the opportunity to come on Radio Sputnik as a subject matter expert, and am looking forward to doing so in the future. It was rewarding to be able to help better educate the public about online privacy.
It was very satisfying to discuss the implications of sharing too much information online, without thinking about the consequences, and where this all may lead to. It's a topic that I will continue to follow in the future, and hope to talk about at length as well.
On privacy and online sharing specifically, while modern technology provides opportunities that we've never before seen, that doesn't mean that we're free from the responsibility of considering the implications of what that sharing might lead to.
Do we really want to share so much about ourselves so widely? Do we really appreciate just who we're sharing so much about ourselves with and what they might be able to do with that information?
I'm not asking you to stop sharing completely. However, I am strongly encouraging you to be more conscious about what you're doing, and to practice a little bit of restraint.
What do you think? Am I being too harsh, too conservative? Do you have a different opinion? I'd love to hear your thoughts in the comments below.
Online Privacy and Security Settings
If you're keen to review your security and privacy settings, and potentially want to restrict the number of people who can see what you share, I've included a set of links below for all of the major social media platforms.
- According to c|net, Google’s under investigation for tracking users' location without consent.
Join the Email List
If you enjoyed this post, why not join the email list and get all future posts straight to your inbox? In addition, you'll get background information, extra research, and other content that's only available on the list. I promise I'll NEVER spam you. And you can unsubscribe at any time.