Anyone following information security news will be aware of the string of data breaches and discovery of privacy-invasive practices by numerous high-profile companies, including as Sony, Apple and Google. Both Apple and Google have recently been embroiled in a public debate about mobile device privacy and user awareness of their practices.
Google’s Continuous Data Collection
In April, Google was forced to address user concerns about the location data it collects from its Android phones. Security experts, researchers and hackers, learned that certain Android phones were covertly sending streams of location data back to Google. This was counter to previous beliefs that the phones sent back occasional pings from specific location-based apps.
According to Samy Kamkar, security researcher and hacker, the information Google was collecting was not anonymous, rather it contained a unique identifier tied to the user’s phone. The data is then used by the company to build its database about Wi-Fi router locations, which is then used to get location fixes by other Android phones. The location-based data is also used to add traffic data to Google Maps.
Responses & Challenges
According to a Google spokesman, “We provide users with notice and control over the collection, sharing and use of location in order to provide a better mobile experience on Android devices.” Google has also acknowledged the scope of information it collects from users, which includes GPS current location, timestamps, nearby Wi-Fi network addresses and device IDs. The company pointed out that all these practices were opt-in and it was possible for users to disable the GPS feature. However, functionality of their location-based services would significantly diminish.
In a May 2011 US Senate subcommittee meeting on mobile data collection, Alan Davidson, Google’s director of public policy for the Americas said that his company supports the development of a legal privacy framework that can “ensure broad-based user trust and that will support continued innovation.”
The company has also pointed out that the location data it collects is completely anonymized, contrary to reports that such data contains a unique identifier that is tied to the phone. In response, Google said the identifier is tied to the location, rather than the handset. However, the company admitted that the identifying number can be changed by doing a “factory reset” of the Android device, which means that this number remains consistent until that happens. Until the phone is reset, this number is effectively an identifier for the phone.
In response to Google’s practices, two women from Michigan filed a lawsuit in US District Court in Detroit on April 26, 2011. The $50 million lawsuit is an attempt to stop Google from selling phones with location-tracking software. According to Steven Budaj, the lawyer representing the case on behalf of plaintiffs Julie Brown and Kayla Molaski, the tracking of Android owners’ locations “puts users at serious risk of privacy invasions, including stalking.” The plaintiffs are also seeking class action status for their lawsuit. Thus far, Google has not commented on the lawsuit.
In South Korea, Google Inc.’s office was raided in early May, based on suspicions that AdMob (Google’s mobile advertising unit) was illegally collecting user collection data without consent. According to a South Korean police spokesperson, “We suspect AdMob collected personal location information without consent or approval from the Korean Communication Commission.”
A spokesman from Google confirmed that the police did visit the Seoul office and the company was cooperating with the investigation. This event highlighted recent and growing concerns in South Korea about the potential misuse of private information, along with the increased use of mobile devices, such as smartphones and tablets. Furthermore, Google has been the subject of a number of law enforcement investigations in the United States, Britain, France, Singapore and Switzerland, over its controversial data collection practices.
In April 2011, Google was at the center of public scrutiny, after security experts, researchers and hackers revealed that its Android mobile devices were continuously collecting user’s location data. Contrary to Google’s claims, it was discovered that this information was tied to a numerical identifier. This article looks at numerous responses to this discovery, in the US and abroad.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
- Personally Identifiable Information – PII (I.A.a.)
- Methods of Data Collection (I.B.a.)
- Consumer Privacy Concerns (II.A.a.)
- Phone-Home Software (II.A.l.i.)
- Prominent & Inconspicuous Notice (IV.A.)
- Location-Based Services (VI.E.)