[WASHINGTON, DC] – After an investigation by technology publication Quartz revealed Google collects Android users’ location data – even when location services are disabled – U.S. Senators Richard Blumenthal (D-CT), and Edward J. Markey (D-MA) wrote to Google CEO Sundar Pichai to demand answers.
According to the Quartz investigation, Android devices are continually and covertly collecting users’ location information and sending this information to Google – including when location services are disabled, the phone has been reset to factory condition, no apps are running, or the SIM card is removed. These practices, which Google confirmed in the article, are alarming – and possibly in violation of Americans’ privacy rights.
Google’s response to the November 21 Quartz investigation was a pledge to no longer send “cell-tower location data to Google” by the end of November. It is not clear if the company has upheld its promise. In addition, Google has not indicated whether it would also commit to not sending back location data derived from other kinds of technologies used to determine location.
“These practices…are alarming, and the public deserves a full explanation from the company’s CEO of the reason behind this data collection. To date, Google’s explanation for this location tracking behavior has been inadequate,” Blumenthal and Markey wrote to Pichai. “The American public is growing increasingly uneasy about the amount of data collected on them. It is important that they are fully aware of exactly when, how, and why their location information is being collected by the companies that they have put their trust in.”
Blumenthal is Ranking Member of the Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, and a member of the Senate Judiciary Committee. Senator Markey is a member of the Commerce, Science and Transportation Committee.
The full text of the Senators’ letter to Google is available for download here, and copied below.
Dear Mr. Pichai:
According to a concerning new investigation by the publication Quartz, Android devices are continually and covertly collecting users’ location information and sending this information to Google – even when location services are disabled, the phone has been reset to factory condition, no apps are running or the SIM card is removed. These practices, which Google confirmed in the article, are alarming, and the public deserves a full explanation from the company of the reason behind this data collection.
To date, Google’s explanation for this location tracking behavior has been inadequate. As you know, the Federal Trade Commission has long considered it necessary to get affirmative opt-in consent before gathering consumer geolocation data due to the sensitive nature of that data. That’s why, as longtime advocates for consumer privacy protections, we respectfully request responses on the following questions:
1) Google’s privacy policy asserts, “When you use Google services, we may [emphasis added] collect and process information about your actual location. We use various technologies to determine location, including IP address, GPS, and other sensors that may [emphasis added], for example, provide Google with information on nearby devices, Wi-Fi access points and cell towers.” Under what circumstances “may” Google collect this data? Under what circumstances does Google always collect this data? Under what circumstances does Google never collect this data? What do you mean by “when you use Google services?” Is all of Android’s operating system a Google service? What do you specifically mean by “nearby devices?”
2) If a user goes “offline” and disconnects their mobile phone from the Internet for a period of time, or even places the device in so-called “airplane mode,” does Google receive location data, Wi-Fi data, cell tower data, during this “offline” time period, even if location services is still on?
3) What location data does Google specifically collect from Android users and under what circumstances? Is the location data associated with a specific device ID? Is it associated with a specific user ID? Are there any other specific user or device identifiers involved? Can you please attach to your response examples of any relevant files or server logs transmitted by an Android device to Google so we can see for ourselves what location information is being compiled and transmitted?
4) Is a user's specific location data combined with other information Google collects about users’ Internet activities? Is it combined with search data? DoubleClick cookie data? YouTube data, etc.?
5) Regarding “Wi-Fi access points,” per your privacy policy, can you describe exactly what information is being collected and for what purpose? Are you collecting just known Wi-Fi access points a device has previously connected to or all Wi-Fi access points in range of the device? Are you collecting just network names or more information like a MAC ID, network address, signal strength or any other information? Are you collecting information about so-called “hot spots,” other devices transmitting Wi-Fi signals? Are these Wi-Fi access points stored in a Google database and are they used for identifying a users’ specific location?
6) Are there other network signals you are collecting, such as Bluetooth beacons? Again, all Bluetooth signals or only known or paired Bluetooth beacons? Specific device identifiers? Signal strengths?
7) As you know, today’s mobile devices contain a range of sensors and consumers may or may not be fully informed about the purpose of those sensors. For example, consumers believe accelerometers are primarily for tracking a users’ “steps” within a health app. Do you collect accelerometer data to assist in location tracking? How often and under what circumstances? Consumers believe barometer information is primarily used for “weather” within a weather app. Do you collect barometer information to assist in location tracking? How often and under what circumstances?
8) The Google spokesperson cited in the Quartz article stated that “we never incorporated Cell ID into our network sync system.” Can you describe exactly what your network sync system is and what information is “incorporated” into it and for what purpose? Does the network sync system include other location-related information?
9) As you know, Google provides metrics on “store visit conversions” – meaning when a targeted ad translates into a retail store visit. These metrics are “calculated based on aggregated anonymized data from hundreds of millions of Google users who opt-in to share Location History, click on a search or display ad, then visit a business location.” How is Google able to obtain this data if, as was claimed by a Google spokesperson, location data was never used or stored? Specifically, how does Google know when a user visits a business location with “99% accuracy”? Has this location data ever been used to determine if consumers visited a retailer or was influenced by an online/mobile advertisement? If not location, has any other data been used to determine consumer behavior? How exactly are consumers “opting in” to this kind of tracking and use of their data to inform Google store visits conversions?
10) While you commit in the article to cease sending “cell-tower” location data to Google by the end of November, it is not clear if you are also committed to refraining from sending other forms of user location information – whether determined by GPS, Wi-Fi access points, nearby devices, sensors, or any other kind of technology? Can you clarify?
11) Does Google collect user data from Apple iOS devices through Google apps? If so, what data is collected from iOS devices? How is that data collected? Does Google recognize and respect all of the privacy choices made by iOS users? Is Google confident that it is not inadvertently collecting data from consumers who have affirmatively opted out of data collection or location sharing? For example, if a consumer is using Google maps on an Apple device, does Google receive and store that location information?
12) Does anyone pay for location-related data transmission when a consumer is not using a specific app or not using the Internet? If yes, please identify the parties. Is this location data transmitted over the cell network, where a consumer is paying for the data? Or just when a user is connected to Wi-Fi? How much information is being transmitted that is not related to a users’ specific app or Internet usage and is not for the purposes of diagnostics?
Thank you for your attention to these important questions. The American public is growing increasingly uneasy about the amount of data collected on them. It is important that they are fully aware of exactly when, how, and why their location information is being collected by the companies that they have put their trust in. We respectfully request a response by January 12, 2018.