Google in Hot Water for Their Rampant Location Data Tracking

Share this article

Okay, this is old news, but most of you probably know Google is tracking your every step in case you own an Android device and have your location tracking setting turned on. Also, if you use an iOS device and rely on Google Maps for navigation and Google Search, you know that using those with location history turned on will track all of your movement when using Google Maps and your location every time you type anything on Google Search. It turns out Google recorded your location even when you kept your location history off.

In theory, switching off your location history should prevent Google Maps as well as other Google services (like Search, or Allo, or any other app made by Google) from keeping data about your location every time you open one of those. And since Google is well, Google, a company thriving on targeted advertising knowing their users’ location is one of the most important things they can get meaning that all Google services and apps track user location one way or another.

If you keep your location history on your phone (in case you use an Android device) will create a pretty accurate route containing your complete activity for each day. Every walk, commute, visit every place (along with time spent) are shown on an interactive map when you go to your location history timeline. And if you thought your timeline wouldn’t be filled with location data if you keep location history off, think again.

Collecting location data without users’ consent

A recent study conducted by Associated Press in collaboration with Princeton privacy researcher Gunes Acar found out that regular location stamps are made even though Acar turned off his location history setting. You can find how Google made regular recordings of his location on an interactive map available here.

Google breaking trust
Google's location data breaches break user's trust

What’s interesting is that on the support page regarding location history Google stated that “You can turn off Location History at any time. With Location History off, the places you go are no longer stored,” according to AP. But if you visit the same page now, after the story got out, you can see that the text on the page states that “You can turn off Location History at the account level at any time. This setting does not affect other location services on your device, like Google Location Services and Find My Device. Some location data may be saved as part of your activity on other services, like Search and Maps.” So, what has been changed about location history that made Google to rewrite the support page information?

Well, nothing. They just got caught and now that they know that we know they track out location even with location history turned off they finally provided a clear explanation why they track out location. You see, when you visit your activity controls, you will find seven sliders in total used to turn on and off various settings. And above the infamous location history, you will find an option called Web and App Activity. You see, this is where the tracking originates from. The setting is turned on by default and while turned on, it allows some Google apps and services (Search, Maps) to collect and store user location data.

Be Aware of Google's Location Tracking
Be Aware of Google's Location Tracking

Every time you open Google Maps a snapshot of your location is recorded. If you search for local weather your location will be recorded. And every single Google Search query will create a snapshot of your location.

Since this option is turned on by default, that means that everyone who uses at least one Google service is tracked by the company, no matter if they keep location settings or location history turned off. That includes every single Android user and all those with an iOS device who use Google Maps and Google Search. So, if you want to prevent this turn off both Location History and Web & App Activity.

“There are a number of different ways that Google may use location to improve people’s experience, including: Location History, Web and App Activity, and through device-level Location Services,” Google responded to AP when asked for a statement on the issue. “We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time.”

But what Google did (and still does in case you keep Web & App Activity on) is wrong on every level and just shows that large internet corporations like Google and Facebook will use shady techniques if that means they can get their hands on their users’ private data, completely disregarding privacy and their users’ desires. Because, if someone turns off Location History that probably means they do not want to be tracked.

This whole mess will end up in court because a Google user going by the name of Napoleon Patacsil filed a lawsuit against the company on the basis that "Google expressly represented to users of its operating system and apps that the activation of certain settings will prevent the tracking of users' geolocation," even though “That representation was false.” We’ll see how that will end because Mr. Patacsil seeks that his lawsuit represents all Google mobile users regardless of the OS they use.

This isn’t the first time Google used shady practices to track users. Last year, Quartz reported about the site’s finding that all Android phones, even with location services turned off, zero apps installed, and empty SIM card tray, gathered data about addresses of nearby cellphone towers. And as soon a phone got internet access, it would send the data to Google. Google responded by saying the company doesn’t store the recorded data and soon rolled back the practice.

Incognito browsing isn’t really incognito

But just days after AP published their article another study caught Google with their pants down, yet again. The study, commissioned by the trade org Digital Content Next, discovered that when a person logs in to their Google account while being in incognito mode on Chrome, Google can connect their anonymous browsing data with their Google credentials.

In other words, Google can link your incognito browsing data in case you log in to your Google (or YouTube) account while in Google Chrome Incognito mode. This is because all sites using Google AdSense store temporary cookies when users visit them in incognito mode, which are deleted by Chrome once the mode is disabled.

The good thing about the find is that, in case you exit incognito session without logging in to Google or YouTube account, all incognito data will be deleted. Also, if you (and who will do this is beyond us) delete cookies while being incognito mode but before logging in to Google account, Google won’t be able to link and store your private browsing data from the specific session. And while the study found Google has the means to do this, it didn’t discover whether the company actually does this. So, never log in to your Google account while privately browsing.

Google Home and Chromecast location data leaks

You thought that’s all? There’s another. We said there are three of them, didn’t we? Well, the third mess Google had gotten itself into is tied to the company’s hardware. Specifically, about location data leaked by Google Home and Chromecast. These two devices are pretty popular because the first is a neat little smart speaker equipped with the most powerful AI assistant made by Google and the second device turns any TV into a smart TV.

Google Chromecast
2nd Generation Google Chromecast

A little experiment performed by Tripwire’s security expert Craig Young showed that getting location data from Chromecast or Google Home was an incredibly simple thing to do. He managed to get his location data by setting up a website with malicious software. He then accessed the said website with his PC, and as the site got opened, it discovered Young’s Chromecast, which was connected to the same personal wireless network as his PC, and requested personal location data. And Chromecast sent back data as soon as the request reached it.

The hack worked with both Google Home and Chromecast; it worked on a PC and Macintosh, and on both Chrome and Firefox browsers. The single prerequisite is that one of the said devices is connected to the same router as the PC from which the site containing malicious software is accessed from. Google patched both devices, but the sour taste remains along the fact that the interned giant again had the main part in a severe issue with collecting and leaking private location data.

Google Home Device
Google Home Device

Google is getting itself in more and more scandals tied to collecting user location data, leaking private data, collecting private data without permissions, and having access to all kinds of data that should be private. But the problem isn’t Google – they are a public company, and in the world of the open market every company does whatever it takes in order to maximize their profit. So, until governments across the world start punishing internet conglomerates like Google, Amazon, and Facebook, those companies will continue with their ruthless practices.

GDPR is a good starting point, and we hope that more governments will start fighting for peoples’ online privacy rights in the future. But that will hardly be the case in the US considering the current administration and its scandalous behavior towards regular citizens. The problem is that all these companies reside in the US, meaning there’s a slim chance they will rarely get any more than a small slap in the wrist anytime soon.

Turning off location tracking permissions

If you want Google to stop collecting your private data you can turn off all or some Google service permissions. Bear in mind that some apps and features such as Google Assistant, Google Maps navigation, personalized YouTube content, and others won’t work as intended (or at all) with specific permissions turned off.

If you still want to turn those off just visit your Google account activity controls page – you should be logged into your Google account prior to visiting the page - and make sure to turn off – or pause, as Google calls it - Web & App Activity and Location History. You can turn off other activities, but some will disable specific Google services. And once you turn off the two activities that track your location, you can delete your location history by going to your personal Location Timeline page and then click on a small trash can icon located in the lower right corner of the page next to the layer – map or satellite – selection. And that should be it!

Stephen Schroeder is the founder of Turtler and loves using the app to lessen his wife’s stress when he’s bicycling as far as he’s allowed to go.

Stephen Schroeder is the founder of Turtler and loves using the app to lessen his wife’s stress when he’s bicycling as far as he’s allowed to go.