Tech companies have been in the spotlight in recent months as the Cambridge Analytica scandal and other controversies have brought concerns about deceptive data practices to the forefront of national debate. But while Facebook has so far been facing the most intense scrutiny from lawmakers and regulators, Google could be next in line.
Google is drawing fire from the privacy community for quietly tracking the location of smartphone users -- even when they took specific steps to prevent the tech giant from doing so. The practice was revealed last week by the Associated Press, which reported that Google services on Android devices and iPhones stored users’ location data even if they turned off the setting known as “Location History.”
The move could bring the company new attention from lawmakers. Sen. Richard Blumenthal (D-Conn.) has already spoken out, criticizing Google on Twitter:
It should be simple—“off” means “off.” Google’s relentless obsession with following our every movement is encroaching & creepy. I’ve called for an FTC investigation into its persistent privacy invasions. https://t.co/ycDLVo59zw — Richard Blumenthal (@SenBlumenthal) August 14, 2018
It could also prompt action from federal privacy regulators. Blumenthal and Sen. Edward J. Markey (D-Mass.) asked the Federal Trade Commission to look into Google's location tracking earlier this year, so the issue is likely already on the commission's radar. And on Friday, the nonpartisan Electronic Privacy Information Center, or EPIC, told the commission in a letter that Google’s practice violates a 2011 settlement between Google and the FTC requiring the company to be transparent about the data it collects on users.
“If the FTC does not enforce its Order, Google will perceive it as a suggestion,” wrote EPIC, which brought the initial complaint that led to Google’s settlement. “This is an opportunity for the FTC to make clear that the Commission will stand behind its judgments.”
Google entered the settlement after the FTC accused the company of privacy violations related to its now-defunct social network, Google Buzz, including publicizing users’ most frequent email contacts without permission. The agreement bars the company from misleading consumers about how they can control the collection or use of their information.
The FTC typically doesn’t comment on investigations unless a company announces that it’s subject to one, so it’s difficult to gauge whether Google's location tracking would result in an inquiry from regulators. But the FTC may have a “plausible case” given the delicate nature of location data, said Justin Brookman, former policy director for the FTC’s Office of Technology Research and Investigation.
The commission has “been adamant that geolocation information is very sensitive, it's very revealing, and it's also very personal,” Brookman, now the director of consumer privacy and technology policy at Consumers Union, told me. “They have to ask, 'What's the average person going to think when they see that [Location History] control?'”
The FTC is currently investigating whether Facebook violated its own settlement with the commission when it shared data on tens of millions of users with Cambridge Analytica.
Other privacy advocates also questioned whether Google's location tracking ran afoul of the settlement.
From Ashkan Soltani, former chief technologist for the FTC:
This is the confusing privacy dialogue from @google may land another @FTC inquiry. "Even with Location History paused, some Google apps automatically store time-stamped location data without asking." https://t.co/xE1Slqlk86 pic.twitter.com/yhsUCbigRZ — ashkan soltani (@ashk4n) August 13, 2018
Whitney Merrill, a former FTC attorney:
And Matthew Stoller, a fellow at the anti-monopoly Open Markets Institute and a former congressional staffer:
Google has a consent decree with the FTC that it seems to have been violating. Every violation is a $40k possible fine. https://t.co/zz1EYnJUWb — Matt Stoller (@matthewstoller) August 13, 2018
As of last week, Google told users on its support page that if they disabled “Location History” on their devices, “the places you go are no longer stored.” But that wasn’t true, the Associated Press reported.
“Even with Location History paused, some Google apps automatically store time-stamped location data without asking. (It’s possible, although laborious, to delete it.)
For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are. And some searches that have nothing to do with location, like ‘chocolate chip cookies,’ or ‘kids science kits,’ pinpoint your precise latitude and longitude — accurate to the square foot — and save it to your Google account.
The privacy issue affects some two billion users of devices that run Google’s Android operating software and hundreds of millions of worldwide iPhone users who rely on Google for maps or search.”
Google has since updated its description to say that it continues to track users even after they turn off “Location History.” The company told the AP that it provided “clear descriptions” of its tools and that it has “been updating the explanatory language about Location History to make it more consistent and clear across our platforms and help centers.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Reuters on Friday reported another FBI investigation into a cyberattack against a Democratic congressional campaign in California. The campaign of David Min, who lost in a June primary election in California’s 45th Congressional District, discovered the extent of the attack after Min's team sought assistance from software developers who were based in the same rented workspace facility, Reuters's Joel Schectman and Christopher Bing reported. The facility manager informed Min's team in late March that the Internet provider for the facility found signs that campaign computers could have been hacked.
“The software developers discovered that hackers had placed software into the computers of Min’s campaign manager and finance director that recorded and transmitted keystrokes,” Schectman and Bing wrote. “The hackers had also infected the computers with software that made it undiscoverable by the off-the-shelf anti-virus software used by the campaign staff.” Min's four-person staff informed the Democratic Congressional Campaign Committee about the cyberattack, and the DCCC informed the FBI.
The attack against Min's team highlights the hurdles that smaller campaigns encounter in trying to defend themselves against hacking, according to Reuters. “Ultimately, the campaign’s defense was limited to replacing the infected machines and a future commitment to using encrypted messaging apps,” Schectman and Bing wrote. Earlier last week, Rolling Stone's Andy Kroll reported that the FBI investigated cyberattacks against the campaign of Democrat Hans Keirstead, who also lost in a primary in June. Keirstead unsuccessfully ran in California for the U.S. House seat of Rep. Dana Rohrabacher, a Republican who has repeatedly expressed support for Russia.
PATCHED: National security adviser John Bolton on Sunday said the Trump administration's concerns about foreign interference in U.S. elections don't focus solely on Russia but also extend to China, Iran and North Korea, The Washington Post's Carol Morello reported. When asked by Martha Raddatz on ABC News's “This Week” whether he had “seen any credible evidence” of Chinese interference in American elections following a tweet by President Trump on Saturday about China, Bolton replied: “Well, I can say definitively that it's a sufficient national security concern about Chinese meddling, Iranian meddling and North Korean meddling that we're taking steps to try and prevent it. So, it's all four of those countries, really.”
All of the fools that are so focused on looking only at Russia should start also looking in another direction, China. But in the end, if we are smart, tough and well prepared, we will get along with everyone! — Donald J. Trump (@realDonaldTrump) August 18, 2018
Bolton said one of his priorities is to use “the full range of our capabilities” to defend elections and other “vulnerable systems” in the government and in the private sector against cyberattacks, adding that the Trump administration supports “peace in cyberspace.”
“And to do that, I think you need to establish structures of deterrence so that our adversaries who have conducted cyber-operations against us or who are contemplating it come to understand they will pay a much higher price if they do that than if they simply refrain,” Bolton said. “That's why offensive cyber-operations are potentially so important. If you're simply always on the defensive, you're not going to create structures of deterrence, which is what we aim to do.”
PWNED: Law enforcement agencies in eight countries earlier this year took part in a coordinated operation to hinder the Islamic State's propaganda capacities, but the reemergence of extremist content online since then illustrates the difficulties of fighting the “virtual caliphate,” The Washington Post's Joby Warrick reported on Sunday. “In the two-day operation in April, police seized computers and network servers across Europe and North America and blocked Internet portals used by the terrorist group’s radio broadcaster, al-Bayan, and its official news agency, Amaq,” my colleague wrote. “Yet, less than a week later, Amaq suddenly reappeared at a different Web address, forcing the governments to pounce again. Then it surfaced a third time. And a fourth.”
Additionally, the group has increasingly moved its online efforts to the encrypted messaging app Telegram in order to continue posting propaganda. “Shifting from a website to an encrypted app arguably makes it harder for the Islamic State to connect with its followers, especially newcomers who might normally look for Amaq’s latest offerings by visiting a website or using a search engine,” according to Joby. “But among the group’s core supporters, Amaq postings on Telegram are often shared hundreds or even thousands of times, ensuring wide circulation.”
— The government has opened a new front in its struggle against tech companies over encryption. “The U.S. government is trying to force Facebook Inc to break the encryption in its popular Messenger app so law enforcement may listen to a suspect’s voice conversations in a criminal probe, three people briefed on the case said, resurrecting the issue of whether companies can be compelled to alter their products to enable surveillance,” Reuters's Dan Levine and Joseph Menn reported Friday.
The case originated in Fresno, Calif., and is linked to an investigation into the MS-13 gang. “The judge in the Messenger case heard arguments on Tuesday on a government motion to hold Facebook in contempt of court for refusing to carry out the surveillance request, according to the sources, who spoke on condition of anonymity,” Reuters reported. Should the federal judge rule in favor of the government, public authorities might later set their sights on other applications. “If the government prevails in the Facebook Messenger case, it could make similar arguments to force companies to rewrite other popular encrypted services such as Signal and Facebook’s billion-user WhatsApp, which include both voice and text functions, some legal experts said,” Levine and Menn wrote.
— “Housing Secretary Ben Carson accused Facebook on Friday of enabling illegal housing discrimination by giving landlords and developers advertising tools that made it easy to exclude people based on race, gender, Zip code or religion — or whether a potential renter has young children at home or a personal disability,” my colleagues Craig Timberg and Tracy Jan reported. “The action, which comes after nearly two years of preliminary investigation, amounts to a formal legal complaint against the company and starts a process that could culminate in a federal lawsuit against Facebook. It stands accused of creating advertising targeting tools — which classified people according to interests such as ‘English as Second Language’ or ‘Disabled Parking Permit’ — that resulted in violations of the Fair Housing Act.”
— “New Jersey is poised to use some $10 million in federal and state funds to beef up election security ahead of this year’s midterm and going through 2023, Secretary of State Tahesha Way said Friday,” the Associated Press's Mike Catalini reported. “Way, who runs the agency that oversees New Jersey’s elections, unveiled the Democratic administration’s plans for spending the more than $10 million that Congress and the state set aside this year. She said her ‘one priority’ has been making sure the right to vote is secure.”
— More cybersecurity news from the public sector:
- Senate Foreign Relations Committee hearing on the relationship between the United States and Russia tomorrow.
- Senate Judiciary subcommittee hearing on cyberthreats to U.S. critical infrastructure tomorrow.
- Senate Energy Committee hearing on the “energy efficiency of blockchain and similar technologies” tomorrow.
- Senate Rules and Administration Committee business meeting about the Secure Elections Act on Aug. 22.