Should the FTC Investigate Google's Location Data Collection? (engadget.com)
An anonymous reader quotes a report from Engadget: In December of 2017, the office of U.S. Senator Richard Blumenthal sent Google's CEO a letter asking for a detailed explanation of the company's privacy practices around location services. Based on a report at Quartz, the senator's letter had 12 specific questions about how Google deals with location data. In January, Google responded to all of the issues in a lengthy letter signed by Google's VP of public policy, Susan Molinari. Now, apparently unsatisfied with the response, Senators Blumenthal and Edward J. Markey have sent a written request to the FTC to investigate Google's location services, along with "any deceptive acts and practices associated with the product."
While Google's initial response refuted many of the claims made by Quartz, and explained again and again how Google and Android handle sensitive location data, the letter to the FTC again uses the report as its main basis. The crux of the new letter appears to be this: "Google has an intimate understanding of personal lives as they watch their users seek the support of reproductive health services, engage in civic activities or attend places of religious worship," wrote the senators. All it takes to expose users to data collection, say the letter's authors, is to allow an "ambiguously described feature" once and then it is silently enabled across all signed-in devices without an expiration date.
As a long-time supporter of FOSS, EFF, Copyleft and essentially open access this has gone beyond mere 'best practices' and humanitarianism
Nobody, not a government or a private enterprise, can be trusted with private proprietorship of this much data at this level of detail.
The problem is neural networks, turning subjectivity into objectivity, and the unreliability of the source data. Whoever controls the data can use it for any purpose, and there is such a massive capability and potential for misuse, especially of human trust networks, that there simply is no acceptable level of trust.
All human governments and economic systems rely on trust. Before social media, social trust networks were the foundation of all government. Who do you know? Who knows you? When the answer is whoever has the data plus a few (maybe a couple of dozen) close family and associates, then the system is broken.
Most people can't possibly cover anywhere near the number of social connections that a single-process home computer can cover. My lab can run millions of processes with petabytes of data and more than a TB of network pipe. That's a fairly good lab, but there are far better out there. With the right kinds of data, I can manipulate society like it's my own personal sandbox.
Without protections on the data, there is no way to detect, verify or validate who is doing what with it. One good person might be fine, but what happens when they die and someone else gets it? There just isn't any reliable assurance that it won't be misused, while history teaches us that it invariably will be misused by someone given opportunity.
Some kind of national infrastructure and protection must be placed around this level of power. It's not like nukes, you can't guarantee it won't fall into the wrong hands with traditional protection measures. Security has limitations... There is no other choice.
My $0.02 will always be worth more than your €0.02, so
My biggest concerns over companies like Facebook, Google, and Apple developing autonomous cars is not whether they can make them safe. Eventually I know that they will be safe. One concern is that these people will collect data non-stop about where I am going and how long I stay. I considered this picking up my daughter from school to take her to her pediatrician, specifically that it's really none of their damn business that I did such a thing. That led me to my second concern for these 3 companies developing autonomous vehicles. Imagine every damn time you drive past a Burger King or Wendy's having to suffer a damn commercial or have the car offer to stop because a Whopper is only $3 this week. Non-stop, never-ending barrage of advertisements. Think back to the scene in Minority Report when Tom Cruise's character had eye replacement surgery, replacing his eyes with a Japanese businessman's. It was more noticeable the second he walked near any store, how every single ad started addressing him by his stolen identity. The two technologies that ad-based companies should be forbidden from developing based on privacy concerns should be
1) any location based technology that requires knowing where you are to function (maps, gps, autonomous cars, etc)
2) any technology that specializes in identification (facial recognition, biometrics, retina identity, etc.)
They sort of have to. How else do you expect calls to be routed to you? Magic?
Yes, obviously. Didn't you know modern cell phones operate almost exclusively on magic?
Investigate != regulate. An investigation will allow the FTC to determine if there is a problem and if so then they can regulate. If there is no problem then no harm was done. Other than the cost of the investigation, it seems like a no-brainer. Investigate away and make a decision. Maybe investigate again later if something changes. It's simple, and should be common enough that it doesn't register as news.
I am aware of all (or at least countless) risks involved. Even if I don't and didn't have anything to hide I've been sending PGP encrypted emails for more than 20 years. And I stopped doing so for more than 20 years. I lived for half my life in a dictatorship where you could "go away" and never be heard of for less than 5 words said to the wrong person. I am in no way naive or uninformed, I've been following up on security (not only computing security), privacy, heavy handed governments and so on; this is not something you can turn off.
BUT I'm happy with Google having my location. All the time, the more precise the better (well, preferably without killing my battery). I tried to do it myself and keep a GPS log since 2006 or so. I was having a GPS with me with multiple batteries that I would replace over the day but of course I couldn't do it very often, it had to be only on special occasions.
It was very painful to melt tons and tons of files (I still have them) and in the end rather pointless. I managed (barely) to find a Perl script that would at least tag my pictures with their location but there is no good software to manage the pics (if you have a lot of them, not only a small folder), even if they have proper GPS tags. Google Photos (yes, I give them my pictures too) finds places where I've been instantly. It even finds them if the pics are coming from non-GPS cameras, by correlating the location from the phone (the same thing I've been doing very painfully back in 2006-2007). Google Timeline (including the decent mobile version from Google Maps) helped me find again places I didn't know in advance I had to bookmark and once even answered the question "I know what you did last night" - because I DIDN'T (no joke, years ago I remember an article, most likely on Slashdot too, that was half-jokingly saying Google can tell where you've been last night if you can't remember - and that came in handy this Christmas...).
Funny thing is EU used to (for more than one decade if I remember correctly) force mobile providers to keep your metadata (including the location, albeit not as precise as Google does it now, but those were other times) for at least 6-24 months (at least, without any obligation to age it off). And make it available to the state when needed of course. Everything at your expense of course (as part of your mobile contract). And -here's the kicker- YOU COULDN'T GET THIS DATA. Even if you went to Vodafone and said: ok, I pay you already to store all my shit for at least 24 months, what about letting me have it too? I can pay extra for your trouble, how about that? Nope, no option. At least with Google you can download it via Takeout and use it how you like it and you can use it in the built-in Google Maps/Timeline and Photos too.
YES, I wouldn't give my mother or my significant other access to my timeline. But I'm happy with Google having it. Yes, I understand the risks and I understand there are meta-risks I can't even imagine now. But this is a risk I'm willing to take. And I'll be really, really pissed if the government comes and says I can't just tick a box and agree that Google tracks me, as much and as accurately as technically feasible.
not just once, as someone pointed out that trying to avoid detection directly will make you stick out. Instead how about other devices that feed false information simultaneously and more regularly than reality. Say that at any given time you appear to be taking 3 trips to and from 3 different locations and with such frequency that it dwarfs reality significantly. Perhaps even randomize the number of simultaneous feeds to prevent basic process of elimination. But this would need to happen on a scale that at least 70% of the population did this, or, at least, had their data altered, in order to make the entire database of information substantially worthless.
However traditional telecom systems are more regulated than tech companies. Which is part of the reason why your cell phone bill is so high. Not to be complaining about it, as some of the regulations are for our own protection. However it does raise the cost.
That is why VoIP is often cheaper. It isn't because of the technology (which often can be scaled up for cheaper), but the amount of regulations involved to stay in business.
Tech companies move faster than the law can adapt. Big ones like Google and Apple will often lead the charge on these changes. Hence why Google is often targeted, because it is seen as the source of the problem, and they are big enough to fix it. However by the time the law gets to them, Google has moved on to newer and better things.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Why do you care who a living tourist attraction / inbred upper class twit marries?