This week’s revelation that Google Inc. is collecting precise location data about Android users without their permission is just the latest example of the search giant’s history of privacy blunders.
Those that remember the Privacy Commissioner of Canada’s investigation into Google’s accidental collection of personally identifiable information (PII) through Wi-Fi networks scanned by its Street View cars, or how Google Buzz thrust what was considered to be a private service into the public sphere will hardly be surprised. But they should be disappointed, given Google’s past promises to change its ways. Canada’s privacy watchdog should also be at least giving Google a stern reminder of its past commitments.
An investigation by Quartz published Nov. 21 reveals that since the beginning of 2017, Android phones have been collecting addresses of nearby cell towers even when the user has disabled location services. Such information could be used to construct a detailed history of a users’ location with high precision. The idea that Google would collect such information about its users – although it claims that data was not saved – despite their explicitly opting out goes beyond a mere oversight.
It’s the sort of issue that the Privacy Commissioner of Canada has investigated in the past. When reached for comment by IT World Canada, the office declined to comment because it may have to investigate a complaint on this matter. But a spokesperson did provide background on the issue.
“Generally speaking, PIPEDA requires organizations to obtain consent for the collection, use, or disclosure of personal information. Furthermore, organizations may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances,” the office states. “Media reports suggest this issue was inadvertent and that the company is working to rectify it. We plan to follow up with Google to seek further information.”
Google responded to the Quartz investigation by promising to cease transmission of the data from Android phones. It also said that the data was never saved. But based on past commitments that Google has made to Canada’s privacy commissioners, as well as similar authorities in other countries, the fact data was being sent in the first place is a significant shortcoming in its commitment to privacy.
Keeping privacy authorities busy
In 2010, public privacy regulators from Canada, Germany, France, Israel, Italy, Ireland, New Zealand, Spain, the U.K., and the Netherlands sent an open letter to Google and current chairman Eric Schmidt. It detailed how Google failed to consider privacy when launching new applications and services. Particularly egregious was the launch of Google Buzz, which transformed Gmail inboxes everywhere into a social networking profile complete with publicly-facing information. At a press conference in April 2010, the coalition of privacy watchdogs described that transgression as “the last straw.”
Since Google says it was examining the use of Cell ID codes as a way to improve message delivery, it appears it once again prioritized the delivery of its services above privacy concerns. This is just the latest straw to be tossed upon a pile of hay that long ago broke the proverbial camel’s back.
In 2011, Canada’s privacy commissioner requested that Google undergo an independent third-party audit of its privacy programs. This followed an investigation into Google’s collection of some PII from open Wi-Fi networks while it was collecting imagery for its Street View service. The office also recommended that Google adopt an improved privacy model that would see privacy-qualified staff review and approve new products.
One wonders if that was done in the case of this new method to improve message delivery.
In May 2014, the federal office concluded another investigation that focused on what granting permissions to an app meant in terms of consent to collect, use and disclose personal information. In this case, the office found the original complaint was not well-founded, but it did find that some of Google’s information about Android’s permission model was unclear. It encouraged Google to clarify the function of the permissions model and better explain in to users.
Here, even when a user had clearly denied permission to Android for location-sharing services, that data was still transmitted.
Google’s first steps in promising to cease the practice are a good start. Next steps should see the firm working with a third party, either in the form of a reputable privacy auditor, or independent government body, to transparently demonstrate to Android users that their privacy is intact.