When is a privacy button not a privacy button? When Google runs it, claims lawsuit
'It looks like even Sundar Pichai is confused about how this control works'
A recently released video deposition in long-running lawsuit over Google tracking its users has claimed that even the CEO Sundar Pichai isn't clear on what's going on below him.
For the past three years, Google has been fighting a lawsuit that claims the company has a misleading menu that promises privacy but fails to provide it.
It's all about a setting called Web & App Activity (WAA) and a subsetting referred to as sWAA that extends purported privacy protection to "include Chrome history and activity from sites, apps, and devices that use Google services." The relevant menu button is available via one's Google Accounts web page.
When turned on, as currently described, the WAA button "saves your activity on Google sites and apps, including associated info like location" to personalize searches, recommendations, and other Google services. But when it's turned off Google still saves people's data, or so it's alleged in the complaint filed in July 2020, and amended for the fourth time in January 2023.
"Google had promised that by turning off this feature, users would stop Google from saving their web and app activity data, including their app-browsing histories," the fourth amended complaint [PDF] says. "Google’s promise was false."
Jonathan Hochman, an expert witness for the plaintiffs, provided a technical analysis of Google data collection, but his report remains under seal. As is common in such cases, Google has pushed for sensitive documents obtained during the discovery process to be redacted or sealed. This has become an issue in the US government's ongoing antitrust trial against Google, where much of the testimony and many of the documents have been withheld from the public.
However, a transcript of Hochman's video deposition [PDF] posted to the court docket sheds more light on claims. "... the WAA/sWAA switch, I have called it a fake control, because it doesn't do – technically doesn't do what it seems it should do," he explained.
Hochman in his deposition contends that even Google insiders, including Alphabet CEO Sundar Pichai, misunderstand the WAA control.
"It looks like even Sundar Pichai is confused about how this control works because he testified in front of Congress and told them something that is just wrong from a technical perspective…," he said.
This is spelled out more explicitly in a more recent court filing [PDF]: "For example, Google CEO Sundar Pichai testified to Congress that, within 'My Account' user can 'clearly see what information is collected, stored.' That supposedly 'clear toggle' Mr Pichai was referring to could only be WAA."
That document goes on to state: "Contrary to Mr Pichai's Congressional testimony, the founder of Google's Privacy and Data Protection Office testified in this case that he is 'not aware of any setting' that users can employ to prevent Google from collecting data related to their app activity."
Much of the issue, allegedly, is that WAA, rather than saving data when on and not saving it when off, simply saves data in a different place – not in the Google Account data set. Addressing the confusion about the bounds of Google Accounts, Hochman said, "So I'm aware that Google may save data in different locations, depending on where that WAA/sWAA switch is set. It is still collecting the same data and still saving it, but it may save it in different places."
Firebase burns through personal firewall
The complaint alleges that Google still collects data from users who disable the WAA setting "through various backdoors made available through and in connection with Google’s Firebase Software Development Kit, including not only Google Analytics for Firebase but also without limitation AdMob and Cloud Messaging for Firebase."
Firebase, a cloud database, was acquired by Google in 2014, and as of 2021 was said to be incorporated into three million mobile apps. Third-party app makers can integrate Firebase using the Firebase Software Development Kit, which adds support for Google Analytics for Firebase, as well as mobile ad service AdMob and Cloud Messaging for Firebase.
Google, it's claimed, collects data from mobile third-party apps, even those who disable WAA, using Firebase SDK code, as well as Google Mobile Ads SDK, AdMob+ SDK, and browser "WebView" technologies.
"All of these products surreptitiously copy and provide Google with app activity data while WAA is turned off, including personal browsing data," the complaint claims.
- Google - yes, that Google - testing proxy scheme to hide IP addresses for privacy
- What's unconstitutional about Google keyword search warrants? Nothing, says Colorado Supreme Court
- Google's third-party cookie culling to begin in Q1 2024 ... for 1% of Chrome users
- Online tracking is alive and well in link decoration
The complaint cites statements from Google's own employees that suggest WAA is confusing and poorly understood.
Quoting specific exhibits in the case, the complaint says, "Google’s employees recognize, internally and without disclosing this publicly, that WAA is 'not clear to users,' 'nebulous,' 'not well understood,' 'completely broken,' and 'confuses users,' where people 'don’t know what WAA means' and Google’s promise of control is 'just not true.'"
The complaint cites internal Google communication about the true nature of the WAA control: "As summarized by a Google employee in an internal email, 'WAA (or any of the other controls) does not actually control what is stored by Google, but simply what the user has access to. This is really bad. … I for one didn’t realize Google actually stored all of my activity even if those controls were off and I work at Google! Seems sort of silly to turn them off as I’m not any safer with them off than on.'"
An Orwellian landscape
The complaint points out that related allegations have come up in recent government litigation against Google. It cites documents produced by Google in a 2020 case brought by Arizona's Attorney General that mention Web & App Activity by name. Google settled that claim last year for $85 million.
"When users turned off their Location History in settings, Google continued to surreptitiously collect their location through other settings such as Web & App Activity and the company used that information to sell ads," the Arizona AG's office said when it announced the deal.
Google declined to comment but has disputed many of the allegations in its answer [PDF] to the fourth amended complaint.
The company in its filings has characterized the employee messages cited as "cherry-picked" communications that mischaracterize the technology or are taken out of context. Google maintains that the sWAA setting, through which third-party apps receive data, is so developers can understand app behavior and isn't saved to Google users' marketing profiles. Essentially, Google maintains that any data gathering is adequately disclosed and that app developers implementing Google Analytics are bound by the company's Terms of Service.
Coincidentally, earlier this year, Google began notifying some users of its services that they have Web Apps & Activity turned on. The message insists, "You're in control," and insists no action is required but allows that the setting can be changed.
Hochman in his assessment of WAA is unsparing.
"The situation I found upon the technical investigation was counterintuitive, it was not what I expected to find, and it is, frankly, kind of Orwellian, it is just very strange that you have a privacy switch that when you flip it, it just means we don't tell you that we're spying on you," he said.
"It is almost like the party slogan from 1984, you know, ignorance is strength, that's like what this is. That's what this control is. You flip the switch, you can remain ignorant of the fact that you're being spied on."
Yet whether Google has actually violated any laws here has yet to be decided. Last year, the judge hearing the case dismissed [PDF] claims that alleged violation of the California Invasion of Privacy Act and breach of contract. What remain are three claims under California's Comprehensive Computer Data and Access Fraud Act, invasion of privacy and intrusion upon seclusion. ®