
Customers Deceived by Google for Collection of User Location Data

 

In a world-first compliance action brought by the ACCC, the Federal Court of Australia found that between January 2017 and December 2018, Google LLC and Google Australia Pty Ltd (together, Google) deceived customers about the personal location information gathered from Android mobile devices.

Following the 2019 legal proceedings against Google, the Australian Competition and Consumer Commission (ACCC) stated that the rulings represent an "important victory for consumers" in protecting online privacy. Google deceived Android users into believing that the tech giant would only collect personal information, the ACCC said.

“This is an important victory for consumers, especially anyone concerned about their privacy online, as the Court’s decision sends a strong message to Google and others that big businesses must not mislead their customers,” ACCC Chair Rod Sims said. “Today’s decision is an important step to make sure digital platforms are upfront with consumers about what is happening with their data and what they can do to protect it.” 

The Court ruled that, when consumers created a new Google Account during the initial set-up, Google misrepresented 'Location History' as the only Google Account setting that affected whether Google obtained, kept, or used personally identifiable information about the location of a device. In reality, Google was also able to capture, store and use personal location data during activation through a different Google Account setting titled 'Web & App Activity', and this setting was enabled by default.

In addition, between 9 March 2017 and 29 November 2018, customers who later accessed the 'Web & App Activity' setting on their Android device were deceived because Google did not tell them that the setting was relevant to the collection of personal location data. The Court held that Google's conduct could mislead the public.

“We are extremely pleased with the outcome in this world-first case. Between January 2017 and December 2018, consumers were led to believe that ‘Location History’ was the only account setting that affected the collection of their location data, when that was simply not true,” Mr. Sims said. He also added, “Companies that collect information must explain their settings clearly and transparently, so consumers are not misled. Consumers should not be kept in the dark when it comes to the collection of their location data.” 

The Court rejected the ACCC's claims concerning certain statements by Google about how users could prevent Google from obtaining and using their location information, and about the purposes for which Google uses personal location information. The ACCC is seeking declarations, fines, publication orders, and compliance orders.

Location Data of More Than 100 Million Users Got Compromised

 

Shazam, a popular music app, was a doorway to the user's precise location. Threat actors took advantage of vulnerabilities in the Shazam app to discover the victim's specific location. Ashley King, a British IT security researcher, uncovered the vulnerabilities, which could expose the locations of Android and iOS users.

The vulnerabilities in the Shazam app were assigned CVE-2019-8791 and CVE-2019-8792, and more than 100 million users were affected at the time. Threat actors used a single malicious URL to gain access to the victim's precise location. The URL led the victim to the Shazam app, which then opened a WebView and executed the malicious code, sending the victim's location data back to the threat actor.

Ashley King reported the vulnerabilities in December 2018, three months after Apple acquired the Shazam app. The flaw was finally patched on March 26, 2019, on both iOS and Android, but its specifics were only revealed last week.

Ashley explained via a blog post that “Shazam uses deep links throughout the app as part of its navigation. I found that a particular exported deep link (which was responsible for loading a website inside a web view) was not validating its parameter, allowing external resources to be in control. This web view included a few JavaScript interfaces that allowed content to communicate with the Android & iOS APIs making it possible to pull back device-specific information and the last known precise location of the user”.

Apple and the Google Play Security Rewards Program did not deem ‘location data’ a big enough security threat, even though the vulnerability was patched; most firms do not see users’ location data as a privacy issue, Ashley concluded.
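
The flaw described above comes down to a deep-link handler passing its parameter straight to a web view. As an added example (not code from Shazam or from the researcher's post), this Java class shows the missing check; the `exampleapp` scheme, the `url` parameter and the allowlisted hosts are hypothetical, and it uses plain `java.net.URI` (Java 10+) so it runs outside Android.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

public class DeepLinkGuard {
    // Hypothetical values: the page gives neither the real scheme, parameter nor hosts.
    static final String APP_SCHEME = "exampleapp";
    static final String PARAM = "url";
    static final Set<String> ALLOWED_HOSTS = Set.of("www.example.com", "help.example.com");

    // Returns the URL the web view may load, or empty if the deep link must be dropped.
    static Optional<URI> resolve(String deepLink) {
        try {
            URI link = new URI(deepLink);
            String query = link.getRawQuery();
            if (!APP_SCHEME.equalsIgnoreCase(link.getScheme()) || query == null) return Optional.empty();
            for (String pair : query.split("&")) {
                int eq = pair.indexOf('=');
                if (eq < 0 || !pair.substring(0, eq).equals(PARAM)) continue;
                // Decode once, then parse strictly; anything unparsable throws and is dropped.
                URI target = new URI(URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8));
                return isTrusted(target) ? Optional.of(target) : Optional.empty();
            }
        } catch (Exception e) { return Optional.empty(); } // malformed link or target: fail closed
        return Optional.empty();
    }

    static boolean isTrusted(URI t) {
        return "https".equalsIgnoreCase(t.getScheme())           // https only
            && t.getUserInfo() == null                           // no "user@" part in front of the host
            && t.getHost() != null
            && ALLOWED_HOSTS.contains(t.getHost().toLowerCase(Locale.ROOT)) // exact match, never endsWith
            && (t.getPort() == -1 || t.getPort() == 443);
    }

    public static void main(String[] args) {
        String[] samples = {                                     // constructed inputs
            "exampleapp://web?url=https%3A%2F%2Fwww.example.com%2Fcharts",
            "exampleapp://web?url=https%3A%2F%2Fwww.example.com.untrusted.invalid%2F",
            "exampleapp://web?url=https%3A%2F%2Fwww.example.com%40untrusted.invalid%2F",
            "exampleapp://web?url=http%3A%2F%2Fwww.example.com%2F",
        };
        for (String s : samples)
            System.out.println(resolve(s).map(u -> "LOAD " + u).orElse("DROP") + "  <- " + s);
    }
}
```

The web view should be given the returned `URI`, not the original parameter string, so that the value checked is the value loaded. Attaching the JavaScript interfaces only when the loaded origin is on the allowlist narrows the exposure further.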

Google about to Roll Out One of the Most Awaited Features



In 2018, Google made headlines for tracking its users' location even after they had disabled the sharing of location history via their privacy settings.

There were complaints against the company, stating, "Google represented that a user ‘can turn off Location History at any time. With Location History off, the places you go are no longer stored.’ This simply was not true."

In the wake of receiving intense criticism over location history, Google came up with necessary adjustments which now allow users to stop the tech giant from tracking them, except for the applications in which location data is of utmost importance such as Waze and Google Maps.

In an attempt to make Google Maps even more secure and trustworthy, the company added enhanced security features related to location privacy in Android 10. To further improve its services and regain lost user trust, Google is planning to add Incognito Mode to Google Maps, and the feature is said to be in testing.

Users can always restrict the location data collected by Google Maps by signing out of their Google account, but this comes at the cost of convenience. Google is therefore planning to introduce Incognito Mode, which users can turn on in the same way they do for YouTube or Google Chrome, to delink search and navigation data from their main Google account.

To activate Incognito Mode, users can simply choose the option from their Google account avatar. A black status bar will inform them that the app is in incognito mode, and the marker indicating their location will turn from blue to dark to mark the change.

To enable the feature, users are recommended to install Preview Maps version 10.26 or higher; those who are not part of the Preview Maps test group will have to wait until the company releases it on a wider scale.