Tech companies like Google and Facebook provide services in exchange for your data. We’ve known this. But they’ve always stood by the reasoning that it’s nothing to worry about because you’re given a choice. Sometimes the choice is agreeing to a terms of service. With location tracking, Google has always made it possible to opt out, but according to a new report, Android has been forcing location tracking on you whether you like it or not.
An investigation by Quartz discovered that smartphones and tablets running the Android operating system continued to track a user’s general location even when location services were turned off, the phone didn’t have a SIM card, and no apps were installed. As long as the device was connected to the internet, it transmitted the address of nearby cellphone towers back to Google’s system that’s used for push notifications and messages.
When you give apps like Google Maps permission to track your movements, the resulting data can be pretty darn accurate. GPS tracking can pinpoint which restaurant you’re in and that data can be used to figure out things like wait times the popularity of a destination. But we’re not talking about that kind of accuracy in this case. According to Quartz:
While information about a single cell tower can only offer an approximation of where a mobile device actually is, multiple towers can be used to triangulate its location to within about a quarter-mile radius, or to a more exact pinpoint in urban areas, where cell towers are closer together...
Although the data sent to Google is encrypted, it could potentially be sent to a third party if the phone had been compromised with spyware or other methods of hacking. Each phone has a unique ID number, with which the location data can be associated.
So, a bad actor could potentially use the data that a person didn’t even know was being transmitted to discover a person’s general location. Imagine if someone who’s in witness protection just got a new Galaxy S8 and they do all the right things to protect their privacy. A hacker with the proper know-how and determination could potentially get within a quarter mile of them. But that’s almost beside the point. Sure, it’s an extreme situation in which someone’s life could be in danger, but no matter how unimportant your location data is, it belongs to you. As a consumer with some proper background on how things work, you had a reasonable expectation you weren’t being tracked. What Quartz found is that Google’s betraying the public’s trust.
Gizmodo contacted Google about these claims and a spokesperson told us:
To ensure messages and notifications are received quickly, modern Android phones use a network sync system that requires the use of Mobile Country Codes (MCC) and Mobile Network Codes (MNC). In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery. However, we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID. MCC and MNC provide necessary network information for message and notification delivery and are distinctly separate from Location Services, which provide a device’s location to apps.
Google claims that it never got around to implementing this feature, and the team has decided to scrap it altogether. A Google spokesperson assured us that the update roll out will be complete by the end of November.
As far as Google’s terms of service go, the language is, of course, a bit confusing. One section reads:
When you use Google services, we may collect and process information about your actual location. We use various technologies to determine location, including IP address, GPS, and other sensors that may, for example, provide Google with information on nearby devices, Wi-Fi access points and cell towers.
Regardless of whether it improves the experience or not, Google has access to mountains of personal data and it’s apparently still not enough. If they want to implement this kind of tweak to their messaging, they still need to provide users with some sort of an option to turn it off.