The Mostly-Seeing Eye

the things that it sees

You are being lied to about Android tracking users.

by · Published · Updated

Stamp of Approval!

No, Google was not secretly tracking user location data.  This is nothing but a lie being told by news outlets who want to attract attention by sensationalism and stirring up controversy.  Apparently accurate reporting on complex topics is too hard.

There’s no “nice” way to put this.  You are simply being lied to on a regular basis by “respectable” news outlets.  This is just one example.  Since you’ve probably already read snippets on your Facebook and were directed to this page by someone who pays closer attention, let’s walk this problem all the way through…

The first way you’re being lied to is by misrepresentative URLs, or rather, URLs where the visible text in the link (that people reasonably assume an English-readable URL happens to be) is completely misrepresentative.  Normally, I would simply refuse to link to sites that do this (because their ad units don’t care why you came to the page, just that they had a chance to shove ads into your eyeballs).  Today I’ll skip it because the site that was really irking me appears to have realized they’re flirting with being sued and has changed their long URL.

Although it’s a little odd… For this to be truly understandable, I’ll need to explain what’s really been going on and cite the one group of people who had actual, correct information, and still apparently chose to materially misrepresent things for the purposes of sensationalism.  I’m sure that if pressed, all these other sites will merely point to the original news article in order to shift the blame.

Google collects Android users’ locations even when location services are disabled
https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/

However, the Verge is still merrily willing to have a story title which is unsupported by the story in any way.  Behold…

Google admits it tracked user location data even when the setting was turned off
https://www.theverge.com/2017/11/21/16684818/google-location-tracking-cell-tower-data-android-os-firebase-privacy
“Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they’re connected to the internet, a Quartz investigation has revealed.”

Now… this is their story, so you’d think they’d have some facts to back up these claims, right?  That doesn’t seem to bother reporters nowadays.  If the issue is one of technology, well, technology is very confusing so everything somehow becomes open to interpretation and “feels”–despite the fact that technology is based on science which does not care one whit for your “feels” or interpretive skills.  To science, something is clearly one thing or it is another thing, and anything less means your analysis is not yet complete.  Here’s the statements that one might generally expect to support the rather nasty accusations being made.

“Since January, all kinds of Android phones and tablets have been collecting the addresses of nearby cellular towers and sending the encrypted data to Google’s push notifications and messaging management system when connected to the internet.”

[…]

“Quartz observed the data collection occur and contacted Google, which confirmed the practice.”
[…]
“The cell tower addresses have been included in information sent to the system Google uses to manage push notifications and messages on Android phones for the past 11 months, according to a Google spokesperson. They were never used or stored, the spokesperson said, and the company is now taking steps to end the practice after being contacted by Quartz.”

[…]
“’In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery,’ the Google spokesperson said in an email. ‘However, we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID.’

So, in the first quote they state quite plainly that the information that was being gathered was that of cell towers, not the users.  Unless you are currently climbing a cell tower, that’s almost certainly not your location.  Most importantly, unlike using AGPS the intent isn’t even to figure out where the user is.  You may be within a few miles of what was reported, but that is really stretching things.  The only way it would be usable to identify someone’s general area and travel habits is if you stored who submitted which towers, and then went back and studied it.  Now, there is a reason to store the information about who reported what–and that’s because companies can be real jerks sometimes and this is part of why we can’t have nice things.  If some nasty company wanted to thwart Google’s efforts (or pretend they had more towers than they did and we don’t know of any cell phone carrier who would do that), they’d just start sending fake information to Google about cell tower locations.  In short order, this particular set of submissions would stick out as obviously not being kosher, and could easily be discarded as long as you could figure out which submissions belonged to the same user.  Now, this is the point at which many paranoids will shout “AHA!  They ARE tracking users and you just admitted it!” to which I would calmly reply “not which user–the same user”.

This is what’s called “anonymizing data” and while some companies fail at it, in this case it’s really easy to make it functionally impossible to de-anonymize it without making it useless for the purposes of spotting bogus entries.  Each user has a unique ID which can be passed through what’s called a one-way hash function quite easily (because the ID is a very large, very completely random number) to produce another unique and virtually random number which people familiar with password cracking will tell you could possibly be converted back to the first number by about the time we’ve finished covering the Moon’s entire surface with fidget spinners. All the analysis that is needed can be done with that second anonymized number, and for anyone to ever figure out those locations belong to user X will require them to start with knowing about user X in the first place. It would also require them to care about what all these users are specifically doing, as well as be comfortable with the idea that law enforcement agencies would be hitting them up with subpoenas for the locations of each Android user several thousands of times a year (which clearly, Google is not).  As an added bonus, if you throw out the last couple of bits from the anonymized number, it stops being possible to prove a forward relationship between the user’s ID and the anonymized ID and things keep working for our genuinely innocent purposes.

That last quote cited is from someone at Google, explaining what it was Google was actually doing.  Apparently this counts as an “admission” to the professional tin-foil hat wearer.  Remember how Google is notable for experiments that sometimes pan out and sometimes don’t pan out?  This was one of them, except it barely made it past the initial examination phase before they decided it wasn’t going to work.  This isn’t much different from the histrionic claims of “GOOGLES STREET VIEW CARS HAVE BEEN SNIFFING EVERYONE’S WIFIS” which, while it does use some nouns matching some things Google was involved with, does not properly represent what Google was actually doing.

The Street View wifi-sniffing was an experiment to determine if what nearby wireless access points were seen could be used to more accurately determine the user’s location in the absence of a good GPS signal.  Doing this requires creation a database of SSIDs and MAC addresses, and these are broadcast constantly.  Did the experiment pan out?  Go the basement of a parking garage that has wifi sometime and watch your phone not freak out and tell you that you’re miles away.  …or reboot your phone and see if it knows where it is within the first thirty seconds of running (which is basically impossible for consumer GPS for entirely technical reasons that are part of how GPS works).  In both these cases (and in the case where it may take several minutes to get a GPS lock because of poor signal reception) what can be gathered by looking at nearby APs is much more accurate than AGPS (tower-assisted triangulation), and certainly more helpful than telling the user that Google Maps can’t tell them how to get to the mall because it’s still somehow “warming up”.  Google “admitted” to that as well.  They even coughed up money to some government oversight agencies just to calm the rabble, because the same silly arguments kept being recirculated in the press no matter how many times calm and reasonable heads corrected what these articles were saying.  So, while technically Google was sniffing everyone’s traffic so long ago, what they were getting was as usable from a snooping-busybody standpoint as taking a tiny pinch of finely shredded documents from people’s wastebaskets.  Good luck getting useful information about what people are doing from that, but it’s that complexity that allowed a PR firm (paid by Facebook) to spin a lurid tale that made it sound like Google was the new NSA.  A tale that was obviously untrue to anyone working with this technology at this level, but shop it around to news agencies long enough and eventually someone will be desperate enough to publish it, and then everyone else picks up the story so they won’t look like they missed it.

Skip to a few years later and then we find out that all those news articles were in fact written by a PR firm, who was being instructed to do so and paid for doing so by Facebook.  This is why we can’t have nice things, people.

Now we’re seeing the weekly news cycle pick up some steam as they start seeing the story “trend” (which means more clicked links and more ad revenue) because slightly less desperate people are repeating the story, and in the absence of accurate information, it appears to lend the story legitimacy.  (“They wouldn’t all be saying it if it weren’t true!”)

By this point the Verge is the least misrepresentative article of many, but at least their URL doesn’t quote the misrepresentative headline.

Quartz’s report details a practice in which Google was able to track user locations by triangulating which cell towers were currently servicing a specific device.”
[…]
“The findings are surprising, given that cell tower data is usually held by carrier networks and only shared with outside companies under extreme circumstances.”

So, they linked to the Quartz report… and quoted the Quartz report… but the Quartz report does not say what The Verge claims it does, because the mention of “triangulation” was a description of how AGPS works that had nothing to do with what Google was doing.  Still, they’re not one to let facts get in the way of a good story.  Triangulation wasn’t involved because cell towers tell you where they are when you’re within range of them.  Triangulation would be involved if you wanted to know the location of a user and had the locations (and relative signal strengths) of three or more cell towers, but again, that’s literally not what Google was looking for.

Also, the second quote is patently silly for an even more profound reason… that being that the carriers are required to report the locations of many of their towers to the FCC who maintain a publicly accessible database of the locations of their towers.  Cellular service providers cannot be particularly secretive about it.

Now, since we’ve established that a number of claims being made are entirely incorrect I can speed things along by simply citing (but not linking to, because sensationalist linkbait should not be rewarded) all these other articles which make the same false claims and in several cases take things a step further with the same sort of daft “deductions” made by The Verge.

“Google Got Caught Secretly Recording Android Users’ Location Data. But Who Blew the Whistle?”
http://fortune.com/2017/11/22/google-oracle-location-data-privacy/
“Google has been secretly recording Android users’ location information even if they had turned off location services on their phones,”
[…]
“This is a very bad look for Google, which admitted seven years ago that its Street View mapping-data cars were also registering details of people’s Wi-Fi networks as they drove around. If people turn off location services, they would rightly expect that Google wouldn’t be tracking their location—which, given enough cell tower information, is entirely possible.”

Note the complete non-sequitir in the second quote.  This is just a more elegant form of a lie than some of the others being told.  Fortune at least has the sense to hint at the smoking gun… because they go on to say these things which indicate that in today’s performance, Oracle will be standing in for the role of Facebook.  (Fortune gets to keep their link intact because it was at least reasonably honest.)

“All of which would make the practice’s exposure very good news for a Google competitor. According to a tweet from Ashkan Soltani, a respected security researcher and the former chief technologist for the Federal Trade Commission (and advisor to the White House), that competitor was Oracle (ORCL, +1.10%).”

“Soltani claimed Oracle had been trying for more than five months to get someone to cover the story.”

…because it apparently took awhile to find someone desperate enough to actually put their reputation on the line with a smear campaign like this.  Next up we have Fast Company, who really aren’t into smoking guns.  They’re usually just into spreading fear and/or hype about things that happened without worrying too much about root causes (which is slightly lame, but at least it’s not dishonest).

Google has been secretly tracking Android phone locations
https://www.fastcompany.com/40499354/android-phones-have-been-secretly-tracking-users-locations
“This is a pretty frightening thing to do. While the address of one cell tower may not seem like much, users’ locations can be determined by triangulating the data.”

We don’t even have to quote (much of) the article, since the first lie is right there in the title.  The only real difference is that these people say it’s the location of the Android phone that’s being tracked, instead of the user.  The boldface part is a particularly fancy fallacy which is very sneaky.  You say one thing which you want people to believe, and then you say another thing which is actually true but unrelated so it sounds like you’re proving the correctness of whatever crazy thing you just said.  Additionally, “triangulation” requires three points of reference, oh and signal strength information which isn’t even needed because if you look at the Quartz article, you can see that the cell tower reports its precise latitude and longitude.  Lacking an attempt at triangulation, the best one can know is that the user was probably within a few miles of the location.  At this point you should begin to see how not knowing or not understanding a few key details of technology makes these lies believable.

Finally we’ll move on to the Independent, who are doing their level best to keep yellow journalism alive and well in the way only England knows how…

“Google Secretly Tracks People Even After They’ve Explicitly Told It To Stop”
http://www.independent.co.uk/life-style/gadgets-and-tech/news/google-secret-tracking-location-services-disable-privacy-apps-a8068961.html
“The company can pinpoint exactly where you are even when you go out of your way to hide this information”
[…]

“Google has been secretly tracking people against their wishes.”
[…]

“The company has been collecting Android users’ location data, even when they’ve actively disabled location services.”
[…]
“However, Google also decided against allowing Android users to opt out of the system.”

The Independent’s article is probably the most shameful and downright pernicious of the articles I’ve seen.  That last quote is particularly pernicious because it’s clear they made it up on the spot.  For it to be true, people at Google would have literally had to had a meeting about it where someone would ask “Do we want users to be able to opt out of helping us identify tower locations?” and someone would have had to say “No, we don’t want them to be able to opt out”.  They make no effort to substantiate this claim, and a much more reasonable deduction would be that since they’re just logging the tower information and simply don’t care about the user’s location at all, it’s not even relevant for the user to worry about it whether or not any opt-in or opt-out is required.

Remember kids… Use your critical thinking skills, and when you get confused about something you read on the internet, ask a hacker what it means because if they’re fine with it, it’s probably pretty darned safe.