Tag: privacy

Geofence Warrants Found Unconstitutional by One U.S. Federal Court

Published on by Jonathan Crowe

A U.S. federal court has held that geofence warrants are unconstitutional under the Fourth Amendment, finding that they fit the definition of general warrants that are “categorically prohibited” by that Amendment. EFF, TechCrunch. Geofence warrants, you may recall, require a data provider (usually Google) to identify all users in a given area during a given time period. While ruling them unconstitutional, the U.S. Fifth Circuit Court of Appeal nonetheless allowed evidence collected under a geofence warrant in the case under consideration, citing the good-faith exception, given the novelty of such warrants at the time and the lack of legal guidance available to law enforcement: see the court’s decision.

Geofence warrants are now in something of a grey area: the Fourth Circuit upheld geofence warrants’ legality, at least under certain circumstances, only last month. The two cases may not be an apples-to-apples comparison, but even so the constitutionality of location data searches may take a while (and the Supreme Court, eventually) to sort out.

Google Timeline: Location History Moves to On-Device Storage

Published on by Jonathan Crowe

More details emerged this week on how Google Maps is changing how it stores users’ location data—which is that as of December 2024 it basically won’t: Location History has been rebranded Google Timeline and will be stored on-device, where you can set it to auto-delete after a specified period of time, rather than on Google’s servers. Not having your location data in the cloud is better for your personal security (Google can’t respond to geofence warrants if it doesn’t collect and store location data), but it also means that Timeline won’t be available via the web. This is a bit more definitive than what I understood it to be last December. See news coverage from 9to5Google, The Guardian and The Verge.

Google Maps Updates Will Make It Impossible for Google to Respond to Geofence Warrants

Published on by Jonathan Crowe

Last week I mentioned forthcoming changes to how Google Maps stores users’ location data. According to the Electronic Frontier Foundation, those changes could spell the end of what are known as geofence warrants, which “require a provider—almost always Google—to search its entire reserve of user location data to identify all users or devices located within a geographic area during a time period specified by law enforcement.” The EFF believes geofence warrants are unconstitutional in the United States. Defaulting to on-device storage, deletion after three months, and encrypted cloud backups means Google can’t access that data: there’s nothing for them to turn over.

“All of this is fantastic news for users, and we are cautiously optimistic that this will effectively mean the end of geofence warrants,” says the EFF. “However, we are not yet prepared to declare total victory. Google’s collection of users’ location data isn’t limited to just the ‘Location History’ data searched in response to geofence warrants; Google collects additional location information as well. It remains to be seen whether law enforcement will find a way to access these other stores of location data on a mass basis in the future.”

Via Daring Fireball (where Gruber notes that Apple has never collected location data, i.e. there’s a reason it’s “almost always Google”).

Google Maps Updates Offer Users More Control Over Their Data

Published on by Jonathan Crowe

Forthcoming updates to Google Maps will give users a bit more control over their location data. Location History—off by default—will have the option of being stored on-device rather than on Google’s servers, and auto-delete will default to three months instead of 18. Meanwhile, users will be able to delete activity (“searches, directions, visits, and shares”) related to a specific location—the online maps equivalent of clearing your browser history, I guess. (I can’t help but notice that announcing greater user control over this information highlights the fact that this information is being collected in the first place.)

The Privacy Implications of a Slight URL Change

Published on by Jonathan Crowe

Garrit Franke thinks a change in Google Maps’s web address—it now redirects from a subdirectory, maps.google.com, to a folder on Google’s root directory, google.com/maps1—means that location permission given to Google Maps (a normal thing to do when using maps) could be applied across all of Google’s services without asking for additional permissions. [Daring Fireball/Lat × Long]

Apple and Google Ban Location Tracking SDK from Apps

Published on by Jonathan Crowe

Last month it was reported that the X-Mode software development kit, used by many apps, was collecting and selling user location data, with the U.S. military among the buyers. In response, earlier this month both Apple and Google gave developers a deadline to remove X-Mode from their apps: seven days in Google’s case, fourteen in Apple’s. Apple found 100 apps that contained the code; X-Code claims 400 apps on all platforms, tracking 25 million devices in the U.S. and 40 million elsewhere. The Wall Street Journal story is behind a paywall; see The Verge and MacRumors for summaries.

How the U.S. Military Buys Location Data from Mobile Apps

Published on by Jonathan Crowe

Motherboard reported last week that the U.S. military was buying location data that originated, among other places, from Muslim prayer and dating apps. The Motherboard exposé details how it happened: how the location data supply chain works, and, for example, how data brokers pay app developers to incorporate their frameworks into apps so that user data can be harvested and sold to buyers like law enforcement and military contractors. Developers may not necessarily be aware of what they’re agreeing to when they accept those frameworks, but they don’t have to embed data harvesting algorithms in their apps either. [Daring Fireball, MetaFilter]

Previously: New York Times: How Location Data Is Gathered, Shared and Sold.

The Atlas of Surveillance

Published on by Jonathan Crowe

The Atlas of Surveillance (screenshot)

The Electronic Freedom Foundation’s Atlas of Surveillance is an interactive map and searchable database of surveillance technologies used by law enforcement across the United States. “We specifically focused on the most pervasive technologies, including drones, body-worn cameras, face recognition, cell-site simulators, automated license plate readers, predictive policing, camera registries, and gunshot detection. Although we have amassed more than 5,000 datapoints in 3,000 jurisdictions, our research only reveals the tip of the iceberg and underlines the need for journalists and members of the public to continue demanding transparency from criminal justice agencies.” [Maps Mania]

Google Maps and Privacy

Published on by Jonathan Crowe

Incognito mode for Google Maps, announced last May, is currently in testing. With the mode enabled, user activity isn’t saved to the user’s Google account. It was made available last week to beta testers using the preview version of the Google Maps Android app.

Meanwhile, Strange Maps looks at the curious lack of Google Street View in Germany and Austria, where privacy concerns are paramount.

DuckDuckGo Now Uses Apple Maps in Search Results

Published on by Jonathan Crowe

Google integrates its maps into its search results: synergy! What, then, is scrappy upstart search engine DuckDuckGo, which makes a point of not tracking its users,1 to do in response? Answer: use Apple Maps. “We’re excited to announce that map and address-related searches on DuckDuckGo for mobile and desktop are now powered by Apple’s MapKit JS framework, giving you a valuable combination of mapping and privacy.”

New York Times: How Location Data Is Gathered, Shared and Sold

Published on by Jonathan Crowe

A long exposé from the New York Times explores just how much location data is collected from mobile apps, to the point where the identity of an anonymous user can be reconstructed from where they’ve been. The key point: whatever purpose the app is collecting your location for (for example, to give you your local weather), that location data may be shared with and sold to other parties.

Where Apple Maps and Google Street View Will Be Driving (or Walking) Next

Published on by Jonathan Crowe

Apple now has a fleet of cars collecting data for Apple Maps. Since they’ve been making a point about consumer privacy lately, this page lists where their cars are going to be in the coming weeks. (AppleInsider notes that some of that data collection is pedestrian-based.) It turns out Google has a page for Street View data collection that includes similar information, though it’s far less granular: windows of several months, whereas Apple tells you where it’ll be within a two-week timeframe.

AP: Google Tracks Your Location, Even When You Tell It Not To

Published on by Jonathan Crowe

“Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to,” the Associated Press reports. Their exclusive investigation discovered that “many Google services on Android devices and iPhones store your location data even if you’ve used a privacy setting that says it will prevent Google from doing so.” Basically, turning the “Location History” feature off doesn’t stop Google apps from recording your location at various junctures: your location data may still be found in places like “My Activity” or “Web and App Activity,” for example. Google insists its descriptions are clear; critics are calling Google’s hairsplitting disingenuous, disturbing and wrong.

Pentagon Tells Personnel to Turn Off Geolocation in Sensitive Areas

Published on by Jonathan Crowe

In the wake of reports that fitness apps’ user data was exposed and could be used to identify military and intelligence personnel in sensitive areas like bases and deployment zones, U.S. military and defense employees can no longer use geolocation features in devices and apps in operational areas. The new policy was announced last Friday. Also see coverage at Stars and Stripes. [Gizmodo]

Previously: Strava Heat Map Reveals Soldiers’ LocationsNon-Anonymized Strava User Data Is AccessibleStrava, Responding to Security Concerns, Disables FeaturesPolar Flow User Data Can Be Used to Identify Military and Intelligence Personnel.

Polar Flow User Data Can Be Used to Identify Military and Intelligence Personnel

Published on by Jonathan Crowe

Remember how in January the mobile fitness app Strava was found to reveal the training routes and user data of military and security personnel? It wasn’t just Strava. A joint investigation by Bellingcat and De Correspondent found that the data for users of the Polar Flow app is even more exposed: even the names and home addresses of military and intelligence personnel working at embassies, bases, intelligence agencies and other sensitive locations could be figured out from the user data. De Correspondent shows how.

Polar, the Finnish company behind the app and service, announced that they were suspending the Explore feature that made the data accessible. They also note, and it’s worth remembering, that Polar data is private by default. If you’re military or intelligence and using a fitness app, what the hell are you doing exposing your location data—especially if you’re in a sensitive location?

The report also contains one hell of a buried lede. They tested other apps, namely Strava, Endomondo and Runkeeper, and, well: “Though it’s harder to identify people and find their home addresses than it is through Polar, we were ultimately able to do so using these apps. In contrast to Polar’s app, there is no indication that people whose profiles are set to private can also be identified in these apps. We informed them of our findings last week.” In other words, this is an industry-wide problem, not just a problem with one or two services. [The Verge]