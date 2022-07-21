



Google has banned some stalkerware apps. However, the company has made it surprisingly easy to track other users’ locations using its tools and apps, creating new risks in the post-Roe era.

The Supreme Court’s ruling overturning Roe v. Wade has drawn attention to how tech companies collect huge amounts of user data that law enforcement in states where abortion is a crime, or someone else, could use to track people seeking an abortion.

A new study by the Tech Transparency Project (TTP) shows that Google’s own technology enables unwanted surveillance that reveals users’ locations, posing a risk to abortion seekers, victims of domestic violence and stalking, and anyone who wants to protect their privacy. This loophole can expose highly sensitive personal information to abusive partners, parents, or employers.

Through a series of experiments, TTP found that an Android smartphone associated with one Google account could easily access and view the location history of another account. This makes it possible to track a person’s physical movements, such as visits to an abortion clinic, even if the second user’s location history is turned off.

The findings raise new questions about Google’s approach to user privacy. Despite banning so-called stalkerware apps used to spy on others without consent, Google incorporates technology that provides the same monitoring capabilities.

Following the June 2022 Supreme Court ruling that overturned the constitutional right to abortion, Google announced on July 1 that places such as abortion clinics and domestic violence shelters would be deleted from users’ location history shortly after they are visited. Google didn’t disclose a specific schedule for this change, but said it would happen in the coming weeks.

It’s unclear how Google plans to implement these policies and how long a sensitive location will remain on the user’s location timeline before the tech giant removes it. When TTP took the phone to the abortion clinic, the exact location of the clinic remained in Google’s location history for over two weeks. This suggests that Google hasn’t implemented these changes yet, or that the company’s system for detecting and removing sensitive locations is flawed. What is clear, however, is that user safety and security are threatened by Google tools that allow others to track their location without their consent.

Google’s privacy test after Roe

After the Dobbs v. Jackson Women’s Health decision overturned Roe v. Wade, many Americans rushed to delete period-tracking apps out of concern that the data could be used to prosecute them in states where abortion is illegal or subject to strict restrictions. However, as many experts have pointed out, ubiquitous technologies like Google Maps and Search pose a much greater risk to privacy.

Location data could become a particularly contentious issue in the coming months, given that some states are considering legislation that would make it illegal for women to leave the state for an abortion procedure.

Google Play Store

Stories and posts about how to track people using Google’s tools are widely available online. To test Google’s approach to location privacy, TTP turned to one example for inspiration. In a September 2021 post on the Malwarebytes blog, a researcher explained how he had logged in to his account on the Google Play Store from his wife’s phone to install an app. At that time, he had enabled the Google Maps timeline feature. After downloading the app, he forgot to log out of the Google Play Store. Shortly thereafter, he began receiving location updates from his wife’s phone, even though her own location history was turned off.

The researcher said he had contacted Google about this issue. Ten months later, Google had failed to close this dangerous loophole, according to TTP’s experiments.

It’s easy to think of a scenario where a spouse, parent, or employer could log in to the Play Store on someone else’s phone. Anyone who provides technical assistance to others, buys apps, or manages something on their device may have a reason to log in to Google Play. Malicious people can easily log in to the Play Store by pretending to be looking at a photo or website on someone else’s phone.

Google makes it difficult to identify the account that is logged in to the Play Store. The app displays a small icon in the upper right corner with the first letter of the account owner’s name. This icon is easily overlooked, and an especially determined stalker may change their account name to match their target’s initial. Google doesn’t seem to send a notification to the user when another account logs in to the Play Store on the device.

Even if users notice that someone else is logged in, they may not understand that having another account logged in to their phone means that the account owner can track them. They may reasonably think that turning off their location history protects their privacy.

Using the Malwarebytes scenario as a model, TTP set up separate Google accounts on two new, previously unopened Android smartphones. One phone was designated as the victim and the other was designated as the perpetrator. TTP turned on location history on the perpetrator’s phone, but not on the victim’s phone. On the victim’s phone, TTP logged in to the perpetrator’s Google Play account and downloaded several apps. Over the next few weeks, TTP took the victim’s phone to several locations to see if the perpetrator could see its whereabouts and movements.

These were the location settings for the victim’s and perpetrator’s phones, respectively.

Google-backed surveillance

TTP found that the perpetrator could locate the victim’s phone during and after trips to various locations, including a Planned Parenthood clinic in Washington, DC, that provides abortions. As the screenshot below shows, the perpetrator could view the route and location in his own location history. (During the day, the perpetrator’s phone sat in an entirely different location.) The J in the upper right corner of the screenshot shows the perpetrator’s account. The exact address has been removed from the screenshot to protect the privacy of the researcher.

This route could also be viewed from the Google Maps app on the perpetrator’s phone. Immediately after the victim visited the clinic, the timeline function displayed the route and pinpointed the victim’s location. It even correctly recorded how much time the victim spent in the clinic. More than two weeks later, the clinic location remained in Google’s location history when viewed on the perpetrator’s phone and desktop browser.

TTP conducted another experiment based on a Reddit post by an individual who discovered that they could track the location of their then-girlfriend after logging in to their Gmail account on her mobile phone. Using the same two Android phones and Google accounts, TTP found that after the victim’s phone was logged in to the perpetrator’s Gmail, the perpetrator could view the victim’s location and route on his own phone.

Victims are more likely to notice if someone else is logged in to email on their phone, but they may not be aware of the consequences. Users who have their location history turned off may believe, with good reason, that this means Google doesn’t store their movements anywhere. Instead, the company’s confusing array of account settings makes it easy to inadvertently permit surveillance that overrides intentionally selected privacy controls. As these experiments show, users who turn off location history on their mobile phones can inadvertently broadcast their location if another Google account with more permissive location settings later logs in to the device.

Potential Exploitation by Domestic Abusers

In 2019, Google cracked down on third-party surveillance apps that relay information from someone’s phone to a third party without being easily detected. The company removed seven such apps after they were flagged by antivirus company Avast. As CNET pointed out at the time, such apps often masquerade as software for child safety or for finding a stolen phone, but are used primarily by abusers to stalk people in personal relationships.

A year later, Google updated its policy to ban stalkerware apps that send personal or sensitive user data off the device without adequate notice or consent and without displaying a persistent notification.

However, TTP’s findings show that Google does not impose these requirements on itself. At no point during the experiment did the victim’s device or account warn the user that their location was accessible to another Google account.

Given the established links between domestic violence and spyware tools, the lack of notifications from Google is worrisome. Back in 2014, NPR reported that cyberstalking was a standard part of domestic violence in the United States. TTP has found more than 12 posts on online forums that describe people using Google apps to monitor the movements of romantic partners, exes, and crushes.

Conclusion

TTP’s experiments have shown that Google apps can be easily weaponized to track someone’s physical movements. This has disturbing implications given the potential for cyberstalking of victims of domestic violence. The Dobbs decision and state legislation empowering citizens to inform on abortion seekers raise the stakes and create new risks when users’ locations are shared with the wrong people.

Google has promised to delete location history entries after a user visits a place such as an abortion clinic or a domestic violence shelter, but our experiments found no evidence that the company has done so. More than two weeks later, the victim’s visit to the abortion clinic was still visible on the perpetrator’s phone. It’s unclear if Google will effectively implement this new policy, but it does not protect victims of domestic violence or stalking.

Even if the company limits the location data it displays to the general public, it continues to collect a large amount of information that may be subpoenaed by law enforcement agencies. Google has excluded from its efforts to remove sensitive user information all the data it collects and stores outside of location history, such as search activity, nearby Wi-Fi networks, and sensor readings.

Google says it has users’ interests at heart, but this study shows that the company’s appetite for user data, the driving force behind its $257 billion advertising business, compromises users’ security and privacy.

