On Tuesday, the Transatlantic Consumer Dialogue (TACD), a coalition of 78 consumer groups, urged the FTC, an independent government agency tasked with investigating companies in the interests of protecting consumers, to turn its attention toward Google's "deceptive and misleading practices" on its Android operating system, which the group argues constantly encourages mobile phone users to turn on their location services.
"Location data and history can reveal in detail an individual's lifestyle, daily routines and interests," TACD wrote. "Over time, the data can be used to infer highly sensitive information such as religious beliefs, political views and sexual orientation."
Citing research by the Norwegian Consumer Council (NCC) titled "Every Step You Take," the TACD letter lists five ways Google "steers users to ‘consent' to privacy-invasive default settings": repeated nudging, in which users are simply asked more than once to turn on "location history" when using different Google services; deceptive click-flow, in which users accidentally enable "location history" without being aware of it; hidden default settings in which the web and app activity settings are automatically turned on when setting up a Google account; depriving users of sufficient information when presenting them with choices and misleading them about which data is collected and how it's used; and bundling features together such that a user is required to turn on invasive location tracking as a consequence of using other services.
While TACD characterizes Google's behavior as merely nudging users toward location tracking, web developer and technologist Chris Garaffa told Sputnik Tuesday, "The company's tactics are stronger and more underhanded than that."
"There are multiple settings needed to turn off all location-based services and history tracking, and Google intentionally does this in order to gather more location data on its users," Garaffa told Sputnik by email. "The company will, of course, say that this is intended to improve its search results, but those results also include advertisements."
"Far more insidious uses of this data are going to be the company using the data to generate profiles of its users. If you regularly are at or near a place of worship or a gay club for example, it could identify your religion or sexuality. It's possible with most online advertising companies to specifically target an audience based on general geographic location and interests — which could include religion or sexual orientation."
"Researchers have shown that, given a large enough set of parameters or a small target audience," he noted, "it could be possible to identify an individual person with this data."
Indeed, a report by researchers at the University of Washington published in October 2017 proved how easy it is to uncover someone's identity by using targeted ads in apps that track users' location information.
"If you want to make the point that advertising networks should be more concerned with privacy, the bogeyman you usually pull out is that big corporations know so much about you. But people don't really care about that," University of Washington researcher Paul Vines told Wired in October 2017. "But the potential person using this information isn't some large corporation motivated by profits and constrained by potential lawsuits. It can be a person with relatively small amounts of money and very different motives."
By creating a mobile banner ad and a website that served as the landing page if someone clicked on that ad, the research team was able to figure out some of the key aspects of a test subject's life by tracking their location information given to the ad.
The team spent the $1,000 necessary to place orders with a so-called "demand-side platform," enabling them to place their ad on specific places on specific apps, and even decide which kinds of phones on which their ad would appear. On top of it all, they could have the ad play only when targeted phones were within certain geographic areas. By tracking when users had the app open for longer than four minutes or opened it twice in the same location during that time span, they could pinpoint that user's location within 25 feet. After tracking a week's worth of data, the researchers were able to easily identify the person's home and work address, as well as their favorite coffee shop and their regular bus stop, Wired reported.
Unfortunately, Garaffa noted, the FTC is primarily an investigative body and has very limited enforcement capability. "While an investigation could reveal more about Google's practices, it's going to be up to Google employees who are aware of what's happening on the inside, as well as the general public, to defend our right to privacy," he told Sputnik.
A spokesperson for the FTC confirmed the agency had received the letter, but made no comments otherwise.
"Vast evidence shows the company does not practice what it preaches," TACD wrote, alleging Google was "removing individuals' control over their data by deceit."
It is, then, deeply ironic that Google should come out in favor of a "Framework for Responsible Data Protection Regulation," as Google counsel Kent Walker did late last month in Brussels, Belgium. The proposed framework would be part of a US federal bill laying down principles for organizations to follow when making decisions about collecting their users' personal information, One Trust reported.
"We've been on record for some time calling for comprehensive privacy legislation in the past years," Walker told the 40th International Conference of Data Protection and Privacy Commissioners, an annual meeting of the world's data commissioners on digital ethics.
Despite Google's pleading in Brussels, consumer groups from five European Union countries made complaints almost identical to TACD's about Google to privacy regulators on Tuesday, accusing the tech giant of breaking a new EU law on data mining.
In particular, the European Consumer Organisation (BEUC) alleged that Google tries to encourage users to switch on the so-called "location history" and widely used "web and app activity" settings in their mobile devices in a variety of ways, Sputnik reported. These are in violation of the General Data Protection Regulation (GDPR), an EU law that took effect earlier this year, BEUC said.
"These practices are not compliant with the General Data Protection Regulation (GDPR), as Google lacks a valid legal ground for processing the data in question. In particular, the report shows that users' consent provided under these circumstances is not freely given," the BEUC complaint said. Massive fines of up to 4 percent of global revenues can be levied against companies that break the law.
A Google spokesperson told The Hill Tuesday that "location history is turned off by default, and you can edit, delete or pause it at any time."
"If you pause it, we make clear that — depending on your individual phone and app settings — we might still collect and use location data to improve your Google experience," the spokesperson said. "We enable you to control location data in other ways too, including in a different Google setting called web and app activity and on your device."