Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to.
An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you’ve used privacy settings that say they will prevent it from doing so.
Computer-science researchers at Princeton confirmed these findings at the AP’s request.
Is anyone really surprised by this? Everything tracks you. Your smartphone, your smartphone’s operating system, the applications that run on it, the backend services it relies upon, the carrier it uses, and so on. Even feature phones are tracked by your carrier, and of course, even without a phone, countless cameras will pinpoint where you are just fine.
This ship has sailed, and there’s nothing we can do about it.
…for the next complaint about Windows 10.
The line that all tech companies are the same when it comes to the issue of data collection, that they are all chasing the same buck by collecting user data, is superficially attractive but deeply wrong and actually works to disorganise clear thinking on the topic of how to actually make things better.
There is a clear divide on the issue of user date and it’s not about good guys and bad guys, good companies versus bad companies. It’s about business models.
User data is valuable so lots of companies collect user data, but there are different sorts of user data, and the difference is utterly crucial.
I would argue there are two broad types of user data collected by tech companies.
There is aggregated but anonymous user data, where companies collect statistical data in such a way as to be able to analyse sales trends, market segments, broad patterns of consumer choice etc, in order to plan their marketing and products strategies.
Then there is the collection of non-anonymous user data, where the data collected is tied to specific individuals and therefore individual activity is monitored, tracked and recorded.
It is the latter category, the non-anonymous sort of data collection that is the troubling one. Non-anonymous user data is is obviously valuable in a wide variety of ways both to the collecting entity and as a commodity to be sold on to third parties, and is generally much, much more valuable than anonymous user data so lots of companies will be tempted to try, often surreptitiously, to collect it. That means that all companies should be held to a high standard of transparency and choice (i.e easily accessible user op outs) as to what data is collected by them.
But the really big issue are those giant tech companies whose entire revenue stream is utterly dependent on collecting non-anonymous user data, and that means Google and Facebook. Because the core business model of both Google and Facebook is built upon the collection of non-anonymous user data both those companies have an unavoidable and very deep commitment to monitoring, tracking and recording the users of their services. That can never change as long as their business model remains the same. Google core business is primarily selling targeted ads, that means serving ads to you based on the data they have amassed about you. Facebook has a similar advertising business but it seems to be more involved in selling user data to third parties (hence the concern about Facebook’s role in the democratic political process). Arguably Amazon is drifting towards a greater revenue dependency on advertising income and as it does so the issue of it’s collection of non-anonymous user data will become bigger.
Tech companies that have business models that do not depend on the collection of non-anonymous user data have room to offer greater privacy to end users – if they choose to do so.
What is to be done? I tend to think that what is needed is a simple and straightforward regulatory framework that makes all companies offer end users the ability to simply opt out of all forms non-anonymous user data collection. Watching the way that companies have responded to the EU General Data Protection Regulation it is clear that any effective regulatory system must spell out very strict guidelines on how companies implement privacy controls. All privacy controls must be contained on a single page with a few toggle switch to turn off or on broad categories of data collection (i.e a switch that turns off all advertising related data collection, one that turns of the passing on of user data to any third party, or turns of location tracking etc). Clear links to privacy settings have to be right at the top of settings pages and all new users should be directed to the privacy page as part of the signing up process. Since the advent of the GDPR framework I have encountered numerous examples of companies attempting to the make the process of blocking the collection of non-anonymous user data as obscure, cumbersome and difficult as possible, obviously with the intention of pushing people in the direction of allowing user data collection by default.
Obviously this means action by the EU and the US and as many other countries as possible. I don’t hold out any hope for places like China where the political system is founded upon intrusive surveillance and censorship.
It’s worth pointing out that, in theory, the GDPR already tackles this last point you make about the complexity of opting out. This from the legislation:
“If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
That’s pretty explicit if you ask me. Those companies that make the process obscure, cumbersome and as difficult as possible (to use your words, but I’ve experienced plenty of examples I’d describe similarly), are quite possibly in violation of the GDPR. I don’t know of any cases that have gone to court, but they can’t be far off, so worth looking out for.
It seems explicit but it leavers a lot of room for companies to make the process difficult or cumbersome safe in the knowledge that even if they are taken to court clever lawyers can stretch the interpretation of those word.
For example I have encountered several web pages where I am asked to approve their data use before I can see the article, and if I try to change the settings I am offered a long list of different advertisers and data aggregators and I have toggle them off one by one, a long and tedious process. Obviously the designers of such a system hope that most users won’t bother or give up and just hit ‘accept button (something I have done on more than occasion.
The regulations should simply state that it is mandatory to have at the top and front of any privacy settings page a series of generic on off toggles so I can simply turn off of advertising, all third party use, all location data, etc, without any scary warnings.
In fact, given that a large part of the EU’s activities consists of setting detailed product specification regulations, the EU regulations should enforce a generic privacy settings page which all websites/companies have to offer to their users. If the EU can regulate in detail the type of motors a vacuum cleaner uses, for example, then it can also enforce a single design for privacy settings.
We’ll have to see what happens. I agree, those long lists of toggle switches are a usability nightmare that can take half an hour to plough through on a small smartphone screen (I know, I’ve done it, because I’m stubborn and have too much time).
Overall, GDPR seems to have had a positive effect, given that previously we wouldn’t even have been given the choice. But I’m hoping the pressure will intensify on the companies so obviously working against the spirit of the legislation, and eventually they’ll have to change. If they don’t I’d expect the legislation to be revisited again (as happened with the infamous cookie law), so there’s an argument that says it’s in the companies’ interests to get it right.
You could have just written fairly standard “BWAAH, GOOGLE ADVERTISING COMPANY, BWAAH!!!”…
“The ship has sailed” seems awfully defeatist, especially considering that articles like this AP one still seem to have resonance. The ship will have sailed when no one cares. I don’t really understand the point of being proud of knowing (or having known early) that this is happening. You’re either fine with it or you’re not, no?
It’s called the mentality of a slave. Weak, defeated, spineless.
We can do something about it: stop using smartphones. Stop using Google services. Stop using proprietary operating systems from big name companies.
Yeah, I also thought it would be very difficult or even unfeasible… But it’s not. Once I put my mind to it, I managed to completely drop smartphones, Windows (with the exception of work PC that does not belong to me) and MacOS from my life. And I am totally fine. To be fair, I am still using Gmail, Google Search and YouTube on my computer, but those are scheduled to disappear from my life, too.
So, Thom, please don’t tell me “there’s nothing we can do”. There’s nothing YOU can do, or more precisely, there’s nothing you want to do, because it would be inconvenient to you. I have news for you: fighting for your rights is never convenient.
Edited 2018-08-14 06:26 UTC
as I have visited a large number of ‘Not Spots’ in Western Scotland over the past two weeks.
Why else would I go to places where ‘the man’ (inc Google, FB, Amazon etc) can’t track me unless it is by Satellite?
/s /s /s
Seriously, this has gone too far. Can we not have some privacy in our lives? Or, must we be visible to our ‘fat controllers’ 24/7?
Putting my phone once it has been switched off into a metal container while I am driving must confuse the hell out of the snoopers. It disappeared from view in Tobermory only to appear eight hours later in York. What dirty deed did I get up to in that time eh? /s /s
Edited 2018-08-14 06:41 UTC
More important than hiding is poisoning their databases and knowledge about us. That gives us plausible deniability (in case a legal matter arises), makes their knowledge not really that valuable and consequently their targeted marketing very much fucked. Their entire business si disrupted. Anyone knows of apps or services that help doing it?
Statistical modelling is very good at separating noise from signal. The same goes for user interaction with ads and sites.
Poisoning the well, so to speak, seems like a nice alternative to going all dark, but it isn’t really an effective alternative. This has been already discussed multiple times on /r/privacy on reddit.
I use a phone without sim card (use the op card from an ngage Q-D), most places that i frequent allows me to use their wifi. no point in paying a provider.
The only problem i forsee is if i would need to call the emergency number when abroad but in my country you do not need a working sim card for that.
For messaging i use steam and soon i will be able to do calling over that as well for free.
Phone is a Samsung J3 with lineageos 14, blocked all google ports and addresses and no GApps is installed.
So yeah, there is something i can do about it.
Since you can call emergency number, your phone is kinda tracked anyway by the cell network even if without a SIM card…
What kind of post is this one Thom?
“I already decided to not fight, please do the same” .. ?