> The Court ruled that when consumers created a new Google Account during the initial set-up process of their Android device, Google misrepresented that the ‘Location History’ setting was the only Google Account setting that affected whether Google collected, kept or used personally identifiable data about their location. In fact, another Google Account setting titled ‘Web & App Activity’ also enabled Google to collect, store and use personally identifiable location data when it was turned on, and that setting was turned on by default.
>
The Court also found that when consumers later accessed the ‘Location History’ setting on their Android device during the same time period to turn that setting off, they were also misled because Google did not inform them that by leaving the ‘Web & App Activity’ setting switched on, Google would continue to collect, store and use their personally identifiable location data.
the Guardian coverage is less editorialized. Here's the judge's actual words:
“Google’s conduct would not have misled all reasonable users in the classes identified; but Google’s conduct misled or was likely to mislead some reasonable users within the particular classes identified.
“The number or proportion of reasonable users who were misled, or were likely to have been misled, does not matter for the purposes of establishing contravention.”
> To use home and work when you search or use directions, you must turn on Web & App Activity. If can't find home and work in Maps, learn how to turn on Web & App Activity.
Another fun limitation - apparently for my Pixel phone to remember I prefer my temperature in Celsius, Google also needs "Web & App Activity" tracking. In other words Google wants my whole location history when using Google apps just to remember my preferred units.
I have worked for some insanely political companies and this just made me laugh. That’s a genius application of a dark pattern/malicious compliance “nudge.”
I hate that companies that work this way are some of the biggest and most powerful on the planet, but it’s also darkly funny if your humor runs to Kafka or Dante...
Indded it feels like that. It's like you are paying with your data and here is where you choose the plan you want. Oh, you don't want the pro plan but would rather the free plan? It has less features.
Are you sure you want Google to have definitive answers for “Work” and “Home”? I know they already infer it by tracking overnight location; but
- When I type “Ho” in GMaps it will first suggest all businesses — “Ho... Home Depot? House Garden? Horror House (375km)?” then cities (“Ho... Chi Minh City, Vietnam?”) and, after many tries, “Home”, the real.
- I had Web Activity and Location History registered, in France but English with a address for “Home”,
- I was using it for every return trip; They could have suggested by default without typing anything; Clearly they optimize to promote businesses or other usecases first, not convenience.
- I ended up putting a Label “XKDJF” on my home, which is more convenient (until a city starts with “XK” – hoping Elon Musk will not name a city on Mars this year).
> Are you sure you want Google to have definitive answers for “Work” and “Home”? I know they already infer it by tracking overnight location; but
I would say the root problem is that supplying any information to a Google app is by default assumed to mean "This should be uploaded to a persistent profile of user data."
They could just let me set a Home and Work location on my phone and leave that data on my phone (regardless of tracking preferences), or they could store it in a more private mechanism with a key that lives on your device (see Chrome bookmark sync), but they choose to not do any of that.
Yeah, I really hate that. One workaround is to temporarily turn on the setting, set your home and work locations, then immediately turn it back off again. It will keep the locations and allow you to use them, you just can't change them unless you turn the Web & App activity setting back on again.
Which is why I wish Microsoft would release an updated Windows Phone 10. I know it never captured "mind share", but find someone that actually used Windows Phone for over a year as their main phone, and ask them how it was. My son and I each had Nokia phones running Windows phone, as "insiders" updated to Windows Phone 10. The UI was actually quite nice. The lack of apps is what hurt it, though Here maps was pretty good.
Windows Mobile was the pinnacle of the smartphone experience.
The release of the iPhone imo was the Eternal September of the mobile experience in so far as it was the tipping point wherein a demographic of users who didn't even need to be convinced that yielding full and openly adversarial control over the hardware to the network operators and advertisers became an uncontested majority.
They came with a text editor, a calculator, and a file browser out of the box -- can this generation even imagine not having to run the app store gauntlet of monetization and fraud to Open Files, I wonder?
What use cases does "opening files" have which isn't addressed by iPhone's built-in apps and at the same time doesn't involve any risk of using a random third party app that has to be sourced from somewhere like an app store?
A file system isn't the greatest design from a security standpoint, but the Apple model is particularly limiting if, for instance, you want a library of data to be available to one app, and then later available to another app. You'll notice the iPhone cheats in this regard, by providing generic system libraries for photos and contacts, but if you say, have an ebook library, and want to switch reader apps, you'll have a bad time.
It would probably be better to have a system of secure file buckets, where you could create them arbitrarily and choose to allow access to any bucket to any app, rather than permit open access to the file system as Android traditionally has done.
It would be nice if directories would allow you (via metadata?) to add an App to allowed "apps" on a per app basis, or at least let you create such a folder so that you would have to interact and opt in apps. Most users would never need it but power users certainly could use something like that.
The Cartesian product of the set of all use cases of file storage excluding those for which the iPhone does include an app; and the set of all methods that distribute the content of an app with verifiable authenticity and authorship excluding all methods which are "like an app store"
You can get a good app from an original developer using an appstore. The problem you described is not that genuine developers cannot share their apps, it's that users are taken in by fake apps pretending to be genuine.
If it was the norm to download a signed binary from a random website, random websites looking genuine and offering genuine fake signed binaries would be the norm. "Are you sure you want to install Adobee PhotoShop? (Signature verified!)"
"No mom, Adobe PhotoShop!"
"I have Abobe PhotoShop, Adode PhotoShop, Ádobe PhotoShop, PhotoStop by Adobe"
I second this. The apps that were missing for me are the ones I don't use anyway. I want navigation, a phone, text messaging, and a browser without having to disable preinstalled facebook services and other stuff I have been "gifted" by purchasing.
I share the love of Windows Phone 10, but as someone who (used to, before Covid) travel around Europe, the lack of apps really hurt access to public transport and even some cultural experiences (museum companion apps). HERE Maps was also way behind on public transport data for anything outside major capitals.
Nothing comes close to Windows Phone usability. Not even today. Just turning Do Not Disturb on Android on or off is more frustrating than threading a needle. I wish they'd bring it back.
Hmm, on my iPhone, I swipe down from the top right corner and tap on the moon icon to turn do not disturb on or off. Maybe it's not that Windows Phone was so great but that Android is not so good?
Many people are fighting phone addiction. Rich people want their kids off the grid. Lacking apps could be a feature in a more mature market.
Rich people could display wealth (better the children not be seen with a crappy phone) with a great UX, while at the same time being exempt from the dopamine addiction. Now that we know what we pretty much do on a phone, we could create a phone with all main apps hard-coded and it would fulfill the necessary needs.
I loved my Windows Phone. What MS lacked was _persistence_. They should have waited another 2-3 years and folks fed up of Apple/Google would have moved to them.
The same Microsoft that hides the option to set up a computer with a local user account (instead of an online Microsoft account) unless you turn off networking during setup?
The google agreement seems to break the "reasonable person" aspect of laws that I learned in college. It's not reasonable to have more than one place to shut off geolocation/tracking and the court decided this in the obvious way. Google should be fined heavily for such evil bait-and-switch tactics. Not only are they not avoiding "evil" they're embracing it the past decade or so.
I assume it would be whatever you gave the specific app. If you search for "weather in [your city]", they might get either that or ip data. If you share your GPS to get your weather, then they get that.
Unlike Location History, which is a specific feature that keeps a history of your location, Web & Apps activity is just that, activity from Google websites and apps. Said activity may include location data depending on the app or website.
This is a gross mischaracterization of what occurred, of the level of falsehood that Google itself is being punished for:
"That isn't true. Even with “location history” paused, some Google apps automatically store time-stamped location data without asking.
For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are. And some searches that have nothing to do with location, such as “chocolate chip cookies” or “kids science kits”, pinpoint your precise latitude and longitude accurate to the square foot and save it to your Google account."
Yes, Web and App Activity both includes location data still collected despite Maps being told not to, or when obviously-location-specific information like Weather is being retrieved, but also when unrelated searches are made for ad targeting purposes. Basically, every unrelated bloody app would collect your location, and since your Google phone is running 20 some-odd Google services, they still had a pretty good location history, even when your location history was completely off.
> For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are. And some searches that have nothing to do with location, such as “chocolate chip cookies” or “kids science kits”, pinpoint your precise latitude and longitude accurate to the square foot and save it to your Google account.
Obviously, if you open Maps and you've given the app location permission, it'll get your location. Similarly, if you have weather enabled, it'll regularly update to not become stale. Searches for products is a bit more subtle, I agree, but your browser also asks for location access per site, so you simply can refuse to give it for Google search.
Each of these is connected to a specific feature you're using, it's not just constantly pinging your location for the sake of your location. Each ping is specifically for a service you're using.
The real issue here is the fact that "Web & Apps activity" didn't explicitly mention location, and it happened to be next to this other feature named "Location History", and this juxtaposition implied that the former didn't collect location. That's it, that's the only issue here, and since 2018 thye've fixed it by adding "this might include location data" to Web & Apps activity.
GETTING my location for a map is one thing STORING my location is quite another. Also, I might want to use map to search for where OTHER things are - I don't need to display my current location to search for "a map of Topeka Kansas".
Also, for the weather app specifically, there was a weather app that retrieved your location every 30 seconds (to give you up to date info) - and then promptly sold that data to advertisers. Just because the weather app "needs to poll my location", doesn't mean it should get fine-grained access every 4 hours.
Oh, also, something I learned when I wrote an app for android.
In order for me to use the GPS chip on the cell phone, I needed to: use Google's API, send the phone information (you know, so they could log who was looking at the GPS and where they were); this MANDATED an updated version of the play store.
So if there is some 3rd party app that "you totally trust with your location" - Google is getting that data, too.
What you wrote is highly misleading - the Location API does not need Play Services on Android to work.
You explicitly decided to choose the Google cloud driven API that's hosted in Play Services and thus requires Play Services (and not Play Store!) updates. You didn't have to.
People say this frequently. Is this true? I always assume the fine establishes the illegal behavior and awareness of it for both parties and Google would be forced to correct the behavior regardless of the fine's size.
Were they to do it again or resume the behavior after the fine I assume the charges would escalate and eventually become criminal, hence companies curb their behaviors.
While this does create a 'get fined first' mentality, it does mean that good regulating could curb bad behavior. Am I wrong?
I'm still in favor of throwing the CEO, CFO, Board of Directors and highly invested members of the Board of Investors in jail for grossly unethical business practices & gross privacy invasions.
That would annoy consumers more than it would hurt the business. Do you think people would stop buying the Apple iPhone if tomorrow it was called the Pear jPhone?
The name part of a brand is valuable, but it doesn't really define the brand, especially for huge brands like Google.
A bigger punishment perhaps would be if they allowed competitors to use the brand instead - if you could have Apple "Google Maps" and Bing "Google Maps" and OSM "Google Maps" for one of these cases, but that is even less realistic as a possible option.
How about: if a judge found that Google screwed their users then their trademark/logo is extended with a dagger symbol, which warns users about the company's behavior:
Google†
And the next time they break the law, another dagger is added:
Don't have to look too far to see regulatory capture in action. Facebook pulled all news in Australia [0] to fight a (bad) link-tax legislation and "won". It was politically untenable.
They've been breaking the law for over a decade, has abyonw gone to jail?
And before someone says: "those instances were different law/etc", please remember that you will bot avoid jailtime if you rob the bank three different ways. Commiting crimes one after another makes sentences more aevere for an individual even if you broke totally different laws.
Haven't companies like Google been fined enough in the past alerady and despite that they have made little effort to conform to the data privacy measures? Instead they have enabled alternative ways for tracking (eg. recent FLOC debate). Once the right to privacy (online or otherwise) becomes fundamental, such violations of privacy, consciously or otherwise, by the private companies will fall into illegal activities prosecutable with imprisonment like it is done atm for insider trading and so on. This will create a substantial sense of responsibility in everyone working on any aspects of user data.
The lack of a direct way to measure how much profit in $$ a company made in the past decade because of a single privacy violation makes it an arduous task for prosecuting agencies to decide the amount of fines and/or prison time.
A multivariate regression using do-calculus might help, could be an interesting graduate project.
Penalties have not yet been decided. Lets hope the Judge is brave and sticks it to them as an example to all slimy companies who trade on PII and lie about it.
Being found guilty of misleading cinduct hurts trust in their brand.
Because it's easy to switch search engines, public relations are a key economic moat.
Although now, Android being so entrenched makes a deeper moat.
However, as google can't help itself from increasingly screwing users, it creates space for new entrants.
If you manage domains and force this stuff off your users will def complain.
My worry is we end up w a situation such as cookie notices - users have gotten so used to clicking through content screens they don’t pay attention anymore because a lot of it is meaningless
I had a funny situation in person recently. This place had consent forms - lady checking folks in would offer to sign on your behalf. A few folks asked what it was - a consent form - oh sure, please sign for me.
In gsuite I guess there are some settings that can impact things like location - people want recent locations to pop up etc I learned. So anytime you make 95 percent of users click through stuff they don’t care about - you start losing the battle here
Consent forms force people into legally binding agreements, with massive power disparity, under duress.
The consumer bears all the risk and the provider absolves themselves of any - unless one afford a lengthy court battle or join a class action. I suppose even more rarely a consumer can get, often fractional, relief through a government or consumer rights agency.
EULAs, consent forms, and similar are a wholesale miscarriage of justice that causes incalculable irreparable harm to a staggering number of people every day. Think about it this way, a liability waiver at a doctors office is not dissimilar, in terms of bargaining ability, to an entry level employee's boss demanding sexual favors to keep their job. I have a broken arm, fix it, if the doctor screws up pay for all resulting costs forever.
Justice, equality, and equity should never be limited to those with the most means.
One last point to hopefully drive my point out of the park. Say I don't want to consent to gmails EULA, so I go and look into hosting my own webserver. Bad news, windows has a eula, okay I'll learn how to use Linux and FOSS software. But wait to need to connect my pc to the internet. I can't escape an internet providers take it or leave it eula. But I need email, I will get fired (lose everything in life) without it. So in effect I am forced, under duress, to 'consent' to a non-negotiable agreement that I reject with every fiber of my being so that I do not lose my home, family, and everything else.
Which is why these govt type of interventions, which are all centered around getting more and more permissions from users are annoying. We will get more click through screens that 99.99% of users will say yes to. Seriously, how many users read the google ToS clickthroughs and make a decision based on that to not sign up with a google account?
I turned this stuff off at policy level, and instead of praising me, users were pissed at me. They wanted google to track them. Most didn't understand why stuff didn't work (things like saving locations in maps break at least in past, and most use gmaps for work / home commute checks). Seriously - if you run a larger gsuite deploy, put all the privacy features on and watch how folks start trying to work around / do the shadow IT thing.
the cookie debacle really illustrated how toothless and futile current regulatory attemps are, the industry simply side-stepped the intent of the legislation and that was the end of it. It seems the cookie notices are annoying by design to guide public opinion against future regulatory attempts. "See what they made us do? Don't regulations stink?!"
>It seems the cookie notices are annoying by design to guide public opinion against future regulatory attempts. "See what they made us do? Don't regulations stink?!"
I get that impression also, and doubly so for the FUD-packed GDPR messages. "Oh sorry, we can't legally serve this webpage to you, EU resident, because of the atrocious GDPR! (because it's full of spyware which the GDPR forbids but we won't say that part out loud)"
For what it's worth, I do think the GDPR messages are raising awareness in a way the cookie warnings were not, in part because some websites use dark patterns to get you to "agree" and others do not, and people are starting to smell the bullshit. If nothing else, the laundry list of trackers the websites are required to tell you about is a real eye-opener to the layperson who doesn't run uMatrix.
If think the regulation wasn't a point of this work, but the main reason this was worked on in my opinion, was to fleece the tax payer. Imagine how many dinners, conferences, experts, lawyers, contractors, researchers had to be paid over the years. They eventually had to come up with something and that's the half bottomed result. If it doesn't work? Well, everyone already got paid and probably now work on something completely different.
If there is too much noise about this, they'll have a reason to fleece the tax payer again and go through years of "fixing" the legislation.
This is when you have unaccountable organisation (EC) without any bodies that would and could investigate corruptions and scams like these.
That and an attempt by companies to continue a business model that is expressly illegal under the GDPR. If a company relies on user-tracking with assumed consent, being required to get affirmative and freely given consent tanks their income. And that's perfectly okay and reasonable for laws to do. Business models are not a right.
But, those companies then have a choice. Option A: Accept that their business model relied on widespread stalking of their users which was never acceptable and is now illegal, and significantly change the business. Option B: Pretend they didn't notice, throw up a pop-up ignore the "freely given" requirement for consent, and hope nobody calls them out on it.
Option B is a lot easier for scummy companies to do, and the prevalence of opt-out banners with assumed consent and dark patterns shows how many companies went that route.
Google, Facebook and other companies, in my opinion, are allowed to continue ignoring the law, because they provide valuable information to various services. They are essentially an enormous network of unwilling spies / informants. If the data they (in my opinion) provide wasn't useful, they would have been shut down long time ago.
Other thing is why even publish materials like this and what's the point of such commissions if they are toothless?
Isn't that a massive waste of tax payer money?
In many countries government creates various commissions to be able to give family members and associates well paid bogus jobs or pay for favours (if you vote for X, we will give a job to your wife's sister) and so on. Other reason is also to tick boxes - when asked by unscripted journalist about something, they can say look we care about this, we setup a commission...
It's definitely an artifact of my personality but I don't get the sense they are unwilling, though I imagine they would be coerced anyway and you could certainly start a discussion about how meaningful their consent would be in that context.
I'm a broken record but the profit motive is what will always always always enable this: people depend on this machine for their livelihoods and are only personally responsible for a negligible, ignore-able portion of its activities. Path of least resistance in a world of friction is these companies will continue to act with an agenda even its employees might disagree with (if that isn't fault tolerance though idk what is!)
Does anyone have a source for additional information on the mechanism by which Google is collecting location data when "Web & App Activity" is turned on? Is that permission giving access to the location API in the browser?
this article from 2018 has a bit more detail. What it boils down to seems to be that if you use search or maps to look for something local, say a restaurant, Google will remember that in your search history, which connects you and your location.
There's no way this is what this is about, no? This seems totally fine, whereas the article makes it seem like they were actively tracking your location while telling you they weren't.
If this is it then I disagree completely with the ruling.
Google isn't just making an educated guess about where you are based on what you searched for... It's making an educated guess based upon what its servers are allowed to know about your query. It's unclear to me whether all the data Google collates is published anywhere public, but this includes things like originating IP address and headers sent in the request that can be inferred to be locale-relevant.
For example, looking at my own search history, Google's real certain it knows when I'm doing queries from "home" (perhaps because I told it my home location in Maps and it's correlated requests from a specific IP address with that location, perhaps because Google's fabric is huge and it can disambiguate origin of request based on where the request enters the network, perhaps because I registered Google appliances at "home" that are on the same network). Key idea is: none of those are technically "Ask the device for its GPS state and cache it," so none of them are controlled by disabling Location History.
If the Court is arguing "you can't claim you aren't tracking location by making 'location' a technical term and then combining several other pieces of state to estimate someone's geographic point of origin for a web request," I can see that argument.
The problem is that this wasn't the only way they were gathering this info, and that they misled consumers by allowing them to turn off a setting that supposedly stopped this kind of tracking, while still continuing to track due to a different setting defaulting to "on".
I worked for the ACCC from 2008 and 2011. I'd like to share some more context on the ACCC and Australian legal system that may be of interest to HN readers.
The ACCC is an independent authority empowered to enforce Australian Consumer Law (ACL) which contains consumer protection, completion product safety, anti-trust (competition) and other adjacent laws. It is most similar to the Federal Trade Commission in the US.
The ACCC leadership are commissioners who are appointed based on input of federal and state governments. The appointments tend to be "non-partisan" with the current chair leading the organization for 10 years (with 3 term renewals under multiple governments).
The ACCC has been taking action against Google since mid 2000s. The last case against Google that they won was in relation to consumers being misled about what were advertisements vs native results. [1]
The main provision of law protecting Australian consumers that is invoked in these cases is s18 of Australian consumer law that states: "A person [or entity] must not, in trade or commerce, engage in conduct that is misleading or deceptive or is likely to mislead or deceive."
Laws with this wording have existed in Australia since the the 1970s.
This law is enforced widely and there are also state agencies that enforce similar laws. All kinds of industries have received enforcement action ranging from retailers to supplement providers. As far as i know it's one of the but most broadly enforced consumer protection laws in any country.
The ACCC won a case against Apple under this same law in 2018 for misleading consumers about their warranty rights after third party repairs were done. Apple was fined $9 million dollars.
The action against Apple included 254 complaints from customers impacted. You can literally call or email the ACCC to log a complaint about any business and it will use this complaints to identify patterns of misconduct thst then enforce enforcement priorities.
The ACL currently limits penalties to $10 million per contravention for corporations. Only parliament can increase thst limit amending legislation. Individuals can also be fiend up to $5million.
Litigation is typically the last resort, and businesses have many oppurtunities to resolve or settle the matter. I am not in any way privy to this case, but typically a remediation action the ACCC seeks is notifying and posting notices that it engaged in misleading conduct, sometimes with a way for the consumer to seek a remedy. It's likely Google was not willing to do this without a fight.
Individuals and businesses can also privately take action if they were misled or deceived.
The Australian Court system that enforced this law is also relatively non-partisan. The australian government and judicial system was formed relatively recently - in the late 1800s and there was a strong intention to prevent political patronage in tbe public service and court system. [2]
Australian Consumer law also has other specific protections that i like such as requiring businesses to make the price the consumer has to pay most prominent (as opposed to making the price exclusive of taxes and fees most prominent).
The ACCC has just under 1000 employees and a small team would have worked on this case with support from outside lawyers. Congrats to them and hopefully this will encourage Google and other vendors to be more thoughtful about their data collection opt-ins.
ACCC is utterly toothless. They issue these pathetic fines but the behaviour continues. Yes you may have issued Apple a $9 million fine but it is commonly known that Apple stores in Australia openly flout Australian consumer laws. I would be embarrassed to admit I had ever worked for ACCC in any capacity.
Hi there!
1) I think you may have missed this from my post?
> "The ACL currently limits penalties to $10 million per contravention for corporations. Only parliament can increase that limit by amending legislation."
The ACCC can't give itself more teeth, your elected representatives can.
2) Also, as far as I know Australia is the only country that has a regulator that has gone to court and won against Apple (A few foreign regulators have fined them or made decisions without going to court).
Would you rather an agency with "no teeth" or one that doesn't bite at all? :)
3) I want to highlight that "I would be embarrassed to admit I had ever worked for ACCC in any capacity." felt condescending. I see that tone in comments you've made towards others on HN. I'd kindly challenge you to think about how that contributes the community, and what draws you to making dismissive comments rather than kind ones. It personally had the opposite affect for me - reminding me how much I enjoyed that job and the work I did there.
I'm personally more annoyed that even with GPS disabled and denied to all applications Google Play Services enables it and samples the location randomly.
It even brags on the status screen that it's doing it, like Google grabbing your lunch money and asking what you're going to do about it, punk?
> The Court ruled that when consumers created a new Google Account during the initial set-up process of their Android device, Google misrepresented that the ‘Location History’ setting was the only Google Account setting that affected whether Google collected, kept or used personally identifiable data about their location. In fact, another Google Account setting titled ‘Web & App Activity’ also enabled Google to collect, store and use personally identifiable location data when it was turned on, and that setting was turned on by default.
> The Court also found that when consumers later accessed the ‘Location History’ setting on their Android device during the same time period to turn that setting off, they were also misled because Google did not inform them that by leaving the ‘Web & App Activity’ setting switched on, Google would continue to collect, store and use their personally identifiable location data.