Google risks mega-fine in EU over location 'stalking'

First big test for GDPR looms

Special Report: Privacy campaigners say Google's obsessive collection of location markers violates Europe's privacy laws - potentially exposing the Californian giant to punitive fines.

Several privacy watchers agree that, as it stands, users are misled and can't give informed consent. That exposes the company to a financial penalty under GDPR rules, which could be 2 per cent or 4 per cent of turnover.

"Burying its stalking settings, while distracting users with a deliberately crippled 'Location history' button, isn't just deceitful - it's unlawful," campaigner Phil Booth opined. "Without proper consent or legitimate purpose, Google is breaching the GDPR rights of every EU citizen it has been tracking.

"Under GDPR, such location data - associated with a Google account - is clearly personal data, breach of which could expose Google to a giant fine. The question is, will regulators act on this globalised prowling?"

Google data collection can Pause not Wipe


Even before GDPR, the EU's privacy "wise men" - the Article 29 Working Group, now the European Data Protection Board - regarded location data as particularly sensitive.

AP's investigation this week described how Google continues to collect an individual's location markers, even when users believe they've disabled the data collection. That's not news to Register readers, as we have regularly pointed this out - but it has shocked the rest of the media and the public. Google has a strong historic interest in location data, being dubbed an "obsessive stalker".

AP found that:

  • Location tracking continues when the user thinks they have disabled it. That's because:
      • User settings governing location markers are in different places
      • Location tracking can be "Paused", but not permanently disabled
      • Location tracking continues in Maps, Search and other Google applications regardless of the "Location History" setting
      • Warnings provided to both iOS and Android users are misleading

Other companies collect location data too, and Apple certainly does, but Apple only uses it for internal purposes, and that doesn't entail "sharing" - whereas Google is creating a highly personal virtual profile of you accessible to advertisers. And that is where Google is vulnerable under the GDPR, Serena Tierney, a partner at VWV law firm and a data protection and privacy specialist, told us.

Google and the spirit of the GDPR

For Tierney, Google is actually vulnerable in two areas, based on the user information AP cited.

Firstly, the GDPR requires data collection to be for "specified, explicit and legitimate purposes".

"If Google is operating as AP describes, that isn't specified and explicit," Tierney said.

Secondly, there's what the GDPR calls the "data minimisation principle": that the personal data collected must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed".

Serena Tierney

The legitimate purpose of the data collection must be clear. Is it only used for Google's own internal machine learning algorithms, say, or is it part of a personal profile sold to advertisers, Tierney asked.

"It's part of a wider public debate. Is this part of the social contract between society generally (including me) and search engines (including Google) that in return for getting free search, for example, we expect our personal data to be used for personal advertising, with no way for us to opt out?"

For example, she said, a parking app that obtains location data for the purposes of corroborating which car park you're using shouldn't then share that data with the nearest chip shop.

"Google would argue that they're getting our consent to do so - I would say they're not."

The first test

Rafe Laguna, of open source infrastructure provider Open-Xchange, thinks that location markers could provide the first litmus test for the effectiveness of the new privacy rules.

"The Google location scandal could be the first real test of GDPR," he told us. "The regulation states that user consent must be clear, distinguishable and written in plain language."

Laguna added: "We will likely see European Data Protection Authorities take a stance on this issue over the coming months."


Google and Facebook vie to provide advertisers with ever more detailed profiles. Google boasted about the value of your location to advertisers earlier this year.

Google was defiant in a canned statement sent to The Register this week, saying that "Location History" is "entirely opt in" and adding: "We make sure Location History users know that when they disable the product, we continue to use location to improve the Google experience when they do things like perform a Google search or use Google for driving directions."

As we noted here earlier this year, the extent of Google's mobile data collection is only apparent if you configure a new Android device with a fresh "burner" Google account. Then it's apparent how inadequate the user controls are. Location isn't the only thing that's "Paused". Google even continues to record your browsing history when you put the browser into "Incognito Mode".

We contacted the office of Giovanni Buttarelli, the European Data Protection Supervisor, for a statement, but had not received a response at press time. ®
