I recently published a post about the blurry boundaries between standard system services and Google Maps on Android. I argued that these boundaries made it hard to talk about consent and competition around location services. However, the branching factor for the data sharing made the argument complex and hard to follow.
Even as I was writing that post, in the train on the way into Berkeley, I started getting notifications from the Google app about the weather at my location. The Google app (aka Google Now) is a virtual assistant that is intended to provide context-sensitive helpful information to users. It is closed source, pre-installed, and it cannot be uninstalled or disabled. And I had already turned off all its permissions, directly from the app settings.
Unlike the previous case, in which the blurry boundaries raised subtle questions about consent and competition, this seems unambiguously wrong. Let us review the facts.
- The Google app cannot be uninstalled or disabled.
- The Google app does not have a built-in control for location tracking but says that location data collection should be modified in the app settings.
- I have explicitly stated, through app settings, that I don’t want the Google app to have access to my location.
- The Google app has access to my location, as shown by the prompts it generates which include my location.
It seems like there is no way for Android users to keep Google from sensing their location data automatically in the background. What am I missing here?
Fundamental to the concept of consent is the ability to say “no”. Google’s bargain has always been data collection in return for services. Billions of people are comfortable with this bargain, and freely consent to it. However, for the consent to be meaningful, there should also be the ability for those that “would prefer not to” to say “I don’t want the service, so I don’t want you to collect data about me”.
And at this point, it appears that Google allows you to control the former through the list of feeds, but apparently, not the latter, even through app-level permission controls. This is problematic since the tracking includes reading the location with at least city level accuracy every few hours, and even coarse location data can be used to create unique travel fingerprints, which can then be linked with other data sources for re-identification. And the Cambridge Analytica scandal has shown us the problems with giving up full access, without the underlying security and privacy controls that the RISE lab is working on, to our raw data. Even if the data is shared with something as innocuous as a personality quiz, we lose control over the ways in which it can be used. Google should allow users to uninstall the assistant if they don’t want it, have controls for tracking in addition to feeds, and actually honor those controls when it does have them.
The geeky details
If the previous argument convinces you, and you are not particularly interested in the innards of technology, you can stop reading here. If you are a tech geek, and you are curious about the details of how I investigated and ruled out potential alternate explanations, read on.
While investigating this issue, I found it extremely surprising that Google would make such an obvious mistake, especially after the GDPR went into effect. So while my initial observations were on my personal phone, I spent some time creating a basic experimental setup and procedure, and focused on results in a more controlled setting. I also collected many more results in parallel from my personal phone and those of my family but it turns out that I don’t need them for this argument. Note that because these are observations of an adaptive system without user-accessible tuning parameters, they are necessarily opportunistic. However, I have been able to rule out several potential theories through counterexamples.
- A test Nexus 6, factory reset to android 6.0.1, all permissions turned off for the Google app. Logged in with only one account that nobody else shares. No additional apps installed. Location history turned off.
- Running the most recent version of the Google App (126.96.36.199) and of Google Play Services (12.6.85)
- Check phones periodically
- If there is a weather alert, take a screenshot
- If there is no alert for a while, also take a screenshot so that we can also capture negative results
- If the weather alert is not for the location where you are, take screenshots of IP -> geolocation using https://iplocation.net
- Periodically, check the Google activity dashboard to see what had been logged
Is this data coming from GeoIP?
This was my first thought, since the first place the test phone showed alerts was at home. It is possible to estimate the location of a device by using the IP address that it connects to the internet with, since IP addresses are allocated to organizations in address blocks. If the app periodically pinged a Google server, the server would get access to the IP address because of the structure of the IP protocol, and could then look up the location. Since the app is not then reading the information from any device-specific sensors, this could arguably meet the letter of the permissions although it certainly seems to violate its spirit.
However, I get these alerts even when disconnected from WiFi, and when the geolocation information from multiple providers is contradictory at best and completely incorrect at worst. For example, on Wed, I got alerts for Mountain View when I was not connected to WiFi, and the GeoIP information ranged from Danville to San Jose.
More compellingly, on the trip back from Berkeley yesterday, I got an alert for Mountain View around Millbrae, when the GeoIP ranged from New York to New Mexico.
Is the alert coming from another app (such as Maps) instead?
No, the icon clearly says “G”, not “M”. On Android 7.0, where the alert includes the name of the app, it is clearly “Google”. Also, when the phone received this alert, no user visible apps were accessing the location. The only location accessor was Google Play Services, which implements the “Fused Location Provider for acquiring location information with as reduced power usage as possible“.
Is the location being inferred from WiFi signal strength signatures?
Maybe. In fact, my intuition is that the underlying mechanism is some variant of this approach. The High Accuracy Location service, available as the Fused Location Provider through Google Play Services, includes the mapping from non-GPS sensors (WiFi, bluetooth, accelerometer, etc) -> location to provide location information to all apps. However, using that mapping would appear be a violation of the permissions, since using non-GPS sensors to determine location is still determining the location. Note that I have turned off all location permissions for the Google app, not just access to GPS. The Google app is also not displayed as a location user, so any location lookup appears to be using non-standard channels.