Google Location History allows the company “expansive and continuous” data on a user’s movements as “they watch their user’s seek the support of reproductive health services, engage in civic activities, or attend places of religious worship”
[WASHINGTON, D.C.] – U.S. Senators Richard Blumenthal (D-CT) and Edward J. Markey (D-MA) wrote Federal Trade Commission (FTC) Chairman Joseph Simons requesting an investigation of Google’s collection of sensitive location data and “the potential deceptive acts and practices used by Google to track and commoditize American consumers.”
After an investigation by technology publication Quartz revealed Google collects Android users’ location data – even when location services are disabled – Blumenthal and Markey wrote to Google CEO Sundar Pichai to demand answers. According to the Quartz investigation, Android devices are continually and covertly collecting users’ location information and sending this information to Google, including when location services are disabled, the phone has been reset to factory condition, no apps are running or the SIM card is removed.
Google’s response to the senators’ letter failed to assuage concerns that the company is taking adequate steps to protect user privacy, even “[raising] questions about their characterization of basic consumer protection terms” like opt-in, consent, and notice. “This set of options is inadequate and the confusing consent process is replicated throughout Android’s various settings, where location privacy is often mischaracterized or subdivided so few users could effectuate their choice to opt-out of Google’s location data gathering,” the senators wrote.
Google’s opaque privacy setting have allowed the company to develop “an intimate understanding of personal lives as they watch their user’s seek the support of reproductive health services, engage in civic activities, or attend places of religious worship. All that it takes for users to expose themselves to this collection is to once allow an ambiguously described feature, for example when trying to display photos on a map on the Google Photo service, silently enabling the feature across devices with no expiration date.”
The full text of the letter is available here and copied below.
The Honorable Joseph Simons
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
Dear Chairman Simons:
We write to bring to your attention our concerns regarding Google’s collection of sensitive location data within its “Location History” service, and to urge you to investigate any deceptive acts and practices associated with the product. As recent events have demonstrated, the American public is increasingly concerned about the stockpiling of intimate data on their personal lives unknowingly collected from their online accounts and devices. Based on our investigation and public reports on Location History, we have significant reservations about Google’s failure to clearly account for how that location data is collected and used by the company.
Since 2009, Google has promoted continuous tracking of user location within several of its products through a service now called Location History. When a user enables Location History, they not only provide Google with periodic data from one device, they deepen the volume and invasiveness of collection across devices and on a continuous basis. While Google describes the tracking as an opt-in feature, our own investigation found that the consent process frequently mischaracterizes the service and degrades the functionality of products in order to push users into providing permission. This conflicts with recent industry-wide changes to improve privacy on smartphones, particularly where Google forces users on Apple devices to enable more permissive settings. Moreover, Google does not offer full and accessible information to consumers on the use of their data, including in advertising and commercial analytics services. These factors raise serious questions about whether users are able to provide informed consent.
Based on our longstanding concerns regarding digital tracking, we wrote to Google demanding a full explanation of their collection of location data on December 1, 2017 (Attachment 1). Google replied in a letter dated January 12, 2018 (Attachment 2).
There has been a long established, bipartisan recognition that precise geolocation data is sensitive—raising expectations of user consent and notification. This means there should be clear opt-in consent to collect this information. Yet, Google’s policies, documentation, and response letter raise questions about their characterization of basic consumer protection terms such as “opt-in”, “opt-out”, “notice”, “consent”, and “anonymization.” Google claims Google Location History is opt-in, but both the device and application settings on Android phones frequently pushes users into providing “consent.” Often the actual user choice is a screen that provides two choices, neither of which is a clear “No” (see Attachment 3). This set of options is inadequate and the confusing consent process is replicated throughout Android’s various settings, where location privacy is often mischaracterized or subdivided so few users could effectuate their choice to opt-out of Google’s location data gathering (see Attachment 4).
In January, Quartz published a detailed article on the service and Google’s failure to provide an effective opt out of collection. Quartz’s technical investigation found that when Location History is enabled, Google reported back even more device sensor information than usual, including barometric pressure, wireless signal information, battery status, and a determination about how the user is moving (such as whether they are on a bicycle). In its response letter, Google acknowledged that when Location History is on, it stores additional information from publicly-available Bluetooth “beacons,” low-power devices intended to provide proximity experiences to businesses. These sensors provide Google with not simply an understanding of what city a user is currently in, but the exact floor and movements within a building.
Once a user allows Location History in one application, they enter into the expansive and continuous collection of location data that is not adequately communicated to users. Google describes Location History as an ‘account-level setting,’ which means that Google defaults to collection across all devices that a user is logged into. This data is collected from users even when an individual is not actively using a Google application. On Apple’s iOS devices, Google forces users to downgrade privacy settings that would otherwise only allow tracking when an app is open in order to use features that require Location History – effectively, users have to allow Google to always track them or not use the features at all. Since Google does not provide periodic reminders or clear indication that Location History is on, users can easily enable the service and have their location monitored well beyond their intended use of the application.
Our concerns regarding Google’s push for location tracking are exacerbated by the company’s opacity regarding the use of this data. Consumers have a right to know how their sensitive information is used, particularly when it comes to commercial purposes. Google typically describes Location History as a service to provide “better results and recommendations on Google products,” offering an example of recommending new places or giving traffic predictions. Google does not provide a full and explicit account of its use of the Location History in products and services, only including mentions of improving “location accuracy” and “battery life.” Further information is often only found in passing reference across disparate and unrelated product information pages intended for different audiences.
For example, in its “Business Help” page, Google states that Location History is used to provide information for businesses on Maps and Search related to popular times, wait times, and visit duration. This disclosure is not offered to consumers. Google makes no mention of the use of Location History for advertising purposes in its consent mechanisms, despite the fact that it clearly uses this data for ad targeting and analytics. A general purpose “Why you may see particular ads” page states that Google uses location information in ad products to infer demographic information. While that page does not disclose how it infers location, another help page includes an example scenario that indicates Location History data is used in targeting of advertisements:
Dorothy gives her mailing address to an online athletics store when she buys a pair of sneakers. This athletics store puts Dorothy's mailing address in its customer database, then shares its list of mailing addresses with Google. Google matches this list with addresses associated with Google accounts (ex: addresses saved in Google Maps, or addresses from location history [emphasis added]). Later, when Dorothy is signed in to Google and is browsing online, she may see an ad from the athletics store.
This example describes the AdWords Customer Match service that allows advertisers to upload their list of customers to continue to target them as they browse the Internet.
While many of the practices described implicates further consumer protection and privacy concerns, the troubling potential of this tracking is exemplified within the description of Google’s “store visits” advertisement service:
Store visits are measured exclusively using data from Google users who have activated Location History, which provides a location timeline, stored against the user’s Google Account. Google correlates the observed store visits from those users who have activated Location History with those users’ ad clicks and then uses that data to estimate the aggregate number of store visits for all users who clicked on the advertiser’s ads.
In December 2014, Google announced Store Visits analytics to provide aggregated reports of visits to retail locations by Google users who had clicked on an ad for the advertiser’s products or services. Google has expanded its use of Location History in advertising analytics since its introduction. In March 2017, Google announced that it had applied “deep learning models” to provide better accuracy for multi-story malls and dense geographies. Last October, Google announced that it will provide “impression-based store visits.” With the change, Google will provide advertisers with information on whether people visit stores just based on seeing the advertisement, even if they do not click it.
Google has also expanded the amount of information provided to advertisers, including the time taken for people to visit a store after clicking an ad, how many store visits come from repeat customers, and demographics on which groups are more likely to visit the store. In fact, Google’s response revealed, “Google uses location information in our ads products to infer demographic information [emphasis added], to improve the relevance of the ads users see, to measure ad performance, and to report aggregate statistics to advertisers.” We are particularly concerned about the use of location data for demographic inferences.
The power of this fine-grain, large-scale monitoring of the behaviors and movements of consumers is illustrated within Google’s regular blog posts about holiday shopping habits provided by the Location History data. Google has an intimate understanding of personal lives as they watch their user’s seek the support of reproductive health services, engage in civic activities, or attend places of religious worship. All that it takes for users to expose themselves to this collection is to once allow an ambiguously described feature, for example when trying to display photos on a map on the Google Photo service, silently enabling the feature across devices with no expiration date. A feature that is only intended by a user to add city information to pictures is then opaquely used to precisely track people into stores for advertisers. Products like Store Visits and Customer Match bridge people’s online activities with their daily lives in ways that they are not fully informed of.
Most consumers do not understand the level, granularity, and reach of Google's data collection, and there are serious questions about whether they have provided their informed consent and maintain a reasonable ability to avoid participating in this collection.
We are strong supporters of the FTC and its consumer protection mission. We have long advocated for robust enforcement where consumer harm is present. Congress empowered the FTC with a broad consumer enforcement mandate because it wanted the FTC to evolve with the marketplace. Today, data privacy and cybersecurity are two of the most important issues for consumers, and the loss of control over their personal data could have serious consequences for our economy.
We ask that you review Google’s response, our attachments, and their privacy policies and open an investigation into the potential deceptive acts and practices used by Google to track and commoditize American consumers.