Technology
Subscriber Only

Ireland on the front line of Google location tracking scandal

A GDPR experts says giant may be punished for opaque location tracking controls

Another week, another story demonstrating that big tech companies really don’t think you need to know how they surveil you – even as they deceptively allow you the illusion that you are in control.

Yes, Google, that's you, back in the headlines thanks to investigative work by the Associated Press, which revealed that even when millions of users of Android handsets or Google Maps on iPhones turned off location tracking, Google was still tracking their location.

Google defended this practice, noting that while you could turn off location tracking when you descend into the Dantean circles of hell known as your Google Account settings, it still gathered and stored location data for web and app services such as Maps. Unless you told it not to track that location data, managed in the Web & App Activity section, separate to the Location History section.

So, thanks to this befuddling arrangement and the opaque semantics of Google-ese, “do not track location” means “do not track except when we want to track you and haven’t told you clearly that we still track when you almost certainly have assumed your choice to toggle off location tracking meant we no longer tracked and stored your location. But we do.”

Let’s be clear here: there is absolutely no reason why this should be a camouflaged, two-tiered process, and every reason – including some compelling legal ones – it should not.

Don’t even countenance that favourite big tech slippery slope argument that such data gathering is a fair trade for a “free service” and that if you have nothing to hide, you have nothing to worry about (supposedly) benign data gathering anyway.

First off, an operating system on a phone or tablet is not a “free service” – it is the necessary code needed for the device to function at all. To have an obscure default setting allowing data gathering by the device itself as it operates, and making that data gathering a necessary part of Android’s functioning, is outrageous.

Second, Google already has the (lucrative) ability to serve you ads when you use its services. Grabbing location data is not a required part of this process. But location data allows far more targeted and therefore even more lucrative (for Google) ads and promotions.

Creepy timeline

That’s good for Google, but is it good for you? Location data generates a rich and revealing – and creepy – timeline of an individual’s location, activities and interactions with apps and services. History has repeatedly shown such data troves can be exploited and misused, are always vulnerable to hackers, and – as a stored permanent record – may be sold on or used in the future in ways we cannot foresee now.

Google's carelessness about location tracking is a breach of GDPR pure and simple

Many people, once aware of the extent of such detailed tracking, wish to turn it off. Not because they have anything to hide, but because they have an innate sense of, and internationally recognised human right to, privacy.

But there are far wider implications to what Google has been doing here. In the US, such tracking may well constitute deceptive privacy practices under the Federal Trade Commission's consumer protection regulations. Facebook fell afoul of those and had to come to a settlement in 2011 with the commission, which is now investigating if the Cambridge Analytica scandal violated that agreement.

In response to the AP report, the commission’s former chief technologist Ashkan Soltani tweeted that this  “confusing privacy dialogue” from Google “may land another @FTC inquiry”.

GDPR compliance

It’s particularly hard to see how Google’s practices are allowable under the EU’s new General Data Protection Regulation.

"Google's carelessness about location tracking is a breach of GDPR pure and simple," says Daragh O Brien, a GDPR expert and managing director of Dublin information management consultants Castlebridge.

Google's activities will place the Irish office of the Data Protection Commissioner under international scrutiny

He believes Google may be exposed to punishments under the legislation.

“[Google] ignored individual’s explicit choices. Given the scale of individuals affected, the overriding of opt-outs and the potential sensitivity of data, this would be at the upper end of the GDPR fines scale,” he says.

"The Irish Data Protection Commissioner [Helen Dixon] should act on behalf of Irish Android users – which would include civil servants, government ministers and gardaí with 'official' phones – and they will be the lead regulator in any EU enforcement action given Ireland is Google's EU headquarters."

As O Brien suggests, Google’s activities will place the Irish office of the Data Protection Commissioner under international scrutiny as it steps into its critical, daunting role as the principal regulator for these massive and too often impenetrable and imperious multinationals.

In the face of Google’s size and its armies of lawyers, can Ireland fulfil this role? Put it this way: the commissioner has far greater resources from the Government now, and therefore has potential, but so far not enough form.

Says O Brien: “We are waiting six months for the telegraphed release of their investigation into the Public Services Card and no action has been taken regarding unlawful roll-outs of CCTV schemes in rural areas. This investigation would be joining a queue.”