“Google policy is to get right up to the creepy line and not cross it.” –Eric Schmidt, Executive Chairman of Google
When I got my first Android phone, one of the first apps I used was Google Navigation. I don’t have a very good sense of direction, and business trips were often frustrating for me—I’d get lost trying to find the hotel. So when I first used Google Navigation, I thought, “I will never be lost again.”
It was a profound moment for me. I never had to worry about being lost again. My telephone took a source of stress and anxiety completely out of my life. For just that one feature, I never wanted to be without a smartphone again.
I became an enthusiastic user of Google Navigation. I even started using it around my hometown, and I discovered it knew about little-used streets with few lights and no traffic—it would sometimes take me on surprising routes, but they were faster than the way I’d been going for years. Cool!
And when I traveled during rush hour, it would sometimes have me exit the interstate at some point, travel on the grid, and then get back on the interstate, routing me around congestion. At different times of day, different days, it would take me on different routes. Clearly Google Navigation was optimizing my travel time!
Google uses several sources of information to figure out where you are. GPS is one, Wi-Fi networks are another, and finally cell tower data are used for positioning as well.
When you enable location access, Android says “Allow Google’s location service to collect anonymous location data. Some data may be stored on your device. Collection may occur even when no apps are running.” This seems both fair and harmless, so I didn’t think too much about it.
In the prior version of Android, you could turn off location service, turn on GPS, and use Google Navigation supposedly without sending the data to Google. With the latest version, though, you have to turn location service on or Google Navigation won’t function.
I’m not really a member of the tinfoil hat crowd, but if it’s possible to not constantly broadcast my location to Google just so I can drive somewhere quickly, that’s my preference.
It got me thinking, how does Google Navigation know about traffic jams? It highlights portions of your route in yellow and red to indicate heavy traffic. I figured Google must be using the data from everyone’s phones to figure out the traffic flow. What a great source of data—Google would be foolish not to use it.
Still, my phone assured me my data is anonymous, so I wasn’t concerned.
Recently I read this security paper, which discusses the sources of traffic information that Google Navigation and another app (Waze) use to figure out traffic flow. The authors reverse-engineered the protocol used by Android phones to report position information to the cloud. The data is encrypted, but there is no authentication in the protocol. Your phone transmits your position information constantly along with a Platform Key—a unique identifier for your phone.
Sending a unique phone identifier, which is tied to my Google account, is something I cannot accept as being “anonymous location data.” It’s not what I had agreed to. Sure, the packet doesn’t have my name in it, but it has my phone’s identifier, my phone is associated with my Google account, and my Google account has all my personal information associated with it.
In the security paper, they describe forging packets and causing Google to display a traffic jam in a location where there is no actual traffic. A neat hack to be sure—and one with real world implications. Google better fix this.
But I’m still hung up on the privacy point. Let’s say Google keeps their promise to never do “SELECT full_name FROM google_accounts WHERE platform_key = ‘bens phone’ ”. Heck, let’s say they fix their protocol in response to the security paper and don’t transmit the Platform Key at all. It’s still not good enough.
Check out this paper. It turns out your cell phone position information is a more accurate identifier of you than your own fingerprints!
It has dawned on me that we are paying for this convenience of never being lost by allowing others to track and identify us at all times.
Like I said, I don’t wear a tinfoil hat. I don’t keep a watch out for black helicopters. But given that Google has some kind of relationship with the intelligence community, and that the intelligence community isn’t making the same promises about anonymity (the government wants to collect all human generated data, and store it forever), I think we’ve crossed the line into creepy.
Maybe our children will happily accept businesses and government knowing everything about them—who they are, where they are, who they talk to, everything they say—but to me it is disturbing.
There’s the old boiling frog story, which turns out to be false. But I am starting to wonder if we are doing this. Every time we agree to a 25 page End User License Agreement. Every time we click “I agree” on our phones or on a website. For a bit of convenience we give, and give, and give our personal information away and allow others to monetize us. Eventually, I worry, we will give away our civil liberties.
I’m not at a point in my life where I’m ready or willing to give up all the conveniences, and to try to live off the grid. I’ll just say this: As a technologist, when I design technological systems, I will attempt to take a principled approach and not collect any data unnecessary to the functioning of the application.