Google has been hit by a lawsuit alleging that it violates user privacy by collecting location data via various means – and claiming that Google makes it nearly “impossible” for users to opt out of such data tracking.
The lawsuit, filed by Arizona Attorney General Mark Brnovich, alleges that Google uses “deceptive and unfair conduct” to obtain Android users’ location data via various applications, services and technologies, which is then used for advertising purposes. The alleged data collection would violate the Arizona Consumer Fraud Act, a set of laws that give protections to consumers in various transactions related to the sale or advertisement of merchandise.
“Google has engaged in these deceptive and unfair acts and practices with the purpose of enhancing its ability to collect and profit from user-location information,” according to the 50-page complaint, which was filed Wednesday in the Maricopa County Superior Court. “And profited it has, to the tune of over $134 billion in advertising revenue in 2019 alone. On information and belief, hundreds of millions of dollars of these advertising revenues were generated from ads presented to millions of users in the State of Arizona.”
Public consternation around Google’s data-collection policies was first set off by a 2018 Associated Press report, which claimed that Google services that are prevalent on both Android and iOS phones all store location data. The report alleged that Google would track users’ data even when they opt out of Google’s Location History feature, which collects data in order to personalize Google Maps.
This most recent lawsuit claims that Google’s alleged deceptive tactics extend beyond the issues with Location History highlighted by AP’s report. The redacted, public complaint claims that Google uses other means to bring in location data – including via Wi-Fi scanning and connectivity, diagnostic data and information from Google apps in “recent versions of Android.” This makes it impractical – and even impossible – for users to opt out of location tracking, the lawsuit alleges.
“Given the lucrative nature of Google’s advertising business, the company goes to great lengths to collect users’ location, including through presenting users with a misleading mess of settings, some of which seemingly have nothing to do with the collection of location information,” said the lawsuit.
According to Brnovich, these claims are based on both testimony from Google employees “given under oath” and from internal documents that were obtained from Google over the course of a nearly two-year investigation.
Google, for its part, argued against the claims and told Threatpost that it looks forward “to setting the record straight.”
“The Attorney General and the contingency-fee lawyers filing this lawsuit appear to have mischaracterized our services,” Google spokesperson Jose Castaneda told Threatpost. “We have always built privacy features into our products and provided robust controls for location data.”
It’s far from the first time Google has found itself in hot water for its data-collection policies. The AP’s 2018 report led to a firestorm of complaints from both legal teams and activists – including a lawsuit filed in the federal court of California, alleging that Google violates both California’s Constitutional Right to Privacy as well as California’s Invasion of Privacy Act.
In 2019, Google was slapped with a $57 million (€50 million) fine for violations of the General Data Protection Regulation (GDPR) by France’s National Data Protection Commission (CNIL), for lacking transparency when it comes to how it collects and handles user data in the name of serving up personalized ads. And most recently, the tech giant was hit with a lawsuit in February that alleges that it has been covertly collecting data of students via its G Suite for Education program, which offers its productivity services to students for free.
“This is a complicated and ongoing issue,” Thomas Hatch, CTO and co-founder at SaltStack, told Threatpost. “Large companies like Google have and will continue to push legal limits. That is to be expected. However, the technical nuance of this case makes it difficult to ascertain exactly how valid the arguments are. On one hand, it is good that governments are always pushing back on companies like Google in an ongoing effort to keep them in check. On the other hand, we must always question the motivations and viability of these cases.”
The Arizona Attorney General lawsuit did not clarify how much in damages it is seeking from Google, only saying: “Arizona brings this action to put a stop to Google’s deceptive and unfair acts and practices; force Google to disgorge all profits, gains, gross receipts, and other benefits obtained for the period of time when it engaged in any unlawful practice; recover restitution for Arizona consumers; and impose civil penalties for Google’s willful violations of the Arizona Consumer Fraud Act.”
Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.