Google under scrutiny for its promise to protect abortion location data | Google
Google’s promise to protect the location history of users who visit abortion clinics is under intense scrutiny after researchers discovered that a user who had brief access to a another user – like a boyfriend logging into his girlfriend’s phone – could then monitor the user relatively easily. movements.
The finding from Tech Transparency Project, a research arm of the nonprofit Campaign for Accountability, comes weeks after Google announced in a blog post that it would remove entries in sensitive locations – such as clinics. abortion centers or domestic violence shelters – if its systems identified that someone had visited one of these places. The July 1 blog said the change would go into effect “in the coming weeks.”
The Supreme Court’s decision to overturn Roe v Wade, the landmark decision that guaranteed women a federally protected right to have an abortion, has raised concerns among privacy advocates about data collection policies. data that could be used to track women by their intimate partners or by law enforcement agencies in case she seeks access to an abortion.
In a report released Thursday, TTP researchers made two discoveries following an experiment using two new Android phones. First, if an Android user (described as an “abuser”) could access another user’s phone (described as a “victim”) and log into their own account using a Google app on victim’s device, such as Google Play, the victim’s location history would then be visible to the attacker, without the victim being given clear notice that they could be located.
Second, the same experiment showed that the victim’s visit to an abortion clinic, a Washington-based Planned Parenthood, was visible to the abuser and not automatically deleted. In this case, the victim’s location history was disabled, but the attacker’s was enabled.
The route and time spent at the Planned Parenthood clinic was also visible to the attacker through the Google Maps app on the attacker’s phone. A week later, the location of the clinic remained in Google’s location history when viewed on the attacker’s phone and in a desktop browser.
TTP said: “It is unclear how Google plans to implement these [abortion-related] policies and how long sensitive locations will remain on users’ location calendars before the tech giant removes them.
“When TTP took a phone to an abortion clinic, the exact location of the clinic remained in Google’s location history for over a week, suggesting that either Google has yet to put implement these changes, or the company’s system for detecting and removing sensitive locations is faulty.”
The TTP experiment replicated a similar discovery that was published by respected malware intelligence researcher, Pieter Arntz, on his blog in 2021. In this instance, Arntz reported that he may have inadvertently “spied “His wife’s whereabouts after installing an app. on his wife’s Android phone, which eventually led to him receiving location updates on his own phone.
Arntz said he submitted a problem report to Google with specific information about how he obtained location information and made suggestions on how the tech giant could take steps to protect users. user location data from inadvertent sharing. In his case, and TTP’s experience, Google timeline was enabled on his phone but not on his wife’s, so he noted that he shouldn’t have been able to receive places visited by his phone .
Second, he said his wife should have received an explicit warning that “someone else has logged on to [a Google app] on your phone”.
Contacted by the Guardian, Arntz said Google never responded to his report on the issue or his blog post, even though the blog post received a lot of attention from privacy experts at time of its publication.
Katie Paul, director of TTP, said: “Google was made aware that its own tools could be used for harassment nearly a year ago, and the company has done nothing about it. The issue n It has only gotten worse since then. We have a duty to warn people about how easily someone can follow them without their knowledge or consent.
The researchers also pointed out that Reddit forums include posts from users who explain how they found out partners were cheating on them because they were connected to their partner’s mobile phone through Gmail or other apps.
Paul added, “Google says it wants to protect women by removing abortion clinics from their location histories. Our study shows that they did not. Even if they end up keeping that promise, attackers can still use Google tools to track their victims anywhere else in the world. It’s up to Google to close this dangerous loophole.
In a statement to the Guardian, Google called the TTP experiment “an unlikely scenario” because it would force an unwanted user into a device, breach the security of someone’s device, and cause the user does not realize that another account is connected.
A Google spokesperson said, “We encourage everyone to regularly check the accounts associated with their device and only share their device password with people they trust. We make it easy for you to verify and manage accounts associated with your device from any Google app, including removing any unwanted or unknown accounts.
“We’re always looking for ways to provide people with more controls and protections in every scenario, no matter how unlikely.”
The spokesperson added, “Location History is a Google Account-level setting that’s turned off by default, and we provide easy tools to help you delete all your data or set automatic deletion controls.
“As we announced earlier this month, if our systems identify that a person who has opted in to Location History is visiting an abortion clinic, among other places, we will remove those entries from Location History. positions shortly after their visit. The change is now in effect and will apply to all such visits in the future.