Yesterday evening, the Associated Press revealed the results of an investigation showing that Google services on Android devices and iPhones store location data and track the user, even if the user has used a privacy setting that says it will prevent Google from doing so. IT security experts commented below.
Tim Mackey, Senior Technical Evangelist at Black Duck by Synopsys:
“In looking through the lens of GDPR Article 6 at the test data presented in the AP article, some obvious questions are raised.
- Has the user given consent to the collection of location information as a result of performing a search query?
- Is persistent storage of location information required to present search results?
- Processing of location information is clearly required to return local weather information when a user doesn’t supply their location, but if persisted for future weather reports was this persistence part of the users’ expectations for the service?
- Does Google have a legal obligation, or public duty, to collect location information for their services when the user has otherwise indicated they wish privacy over?
Since we’re talking about consumer level services, the expectation of the consumer for an “off switch” is what matters most. Users wishing their location be kept private indicate this preference through the “Location history” setting. That any given application might have independent settings for location related data is how an application developer or vendor approaches the problem. If vendors placed themselves in the shoes of a consumer and respected the setting, managing consent under regulations like GDPR would be simpler and the user’s expectations would be met.
When we recognise that our digital footprint is effectively a personally identifying attribute, access to that attribute becomes more valuable. This is true for marketers wishing to learn when we’re in the mood to buy their product, and in a location where it’s available. This is true for malicious actors who can use location information to determine not only patterns of behaviour for their targets, but know when to best commit their crime. This is also true for law enforcement seeking to identify suspects following the commission of a crime. In each of these examples, the same location and identity data can be used for good or for ill to identify an individual.”
Jesse Victors, Software Security Consultant at Synopsys:
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.