December 5, 2020

Arizona AG Sues Google For Location Data Failures, After Telecom Got A Wrist Slap For Far Worse Behavior

By Karl Bode
Two years ago, an investigation by the Associated Press and Princeton computer scientists found that Google services on both Android and Apple routinely continued to track user location data, even when users opted out of such tracking. Even if users paused “Location History,” the researchers found that some Google apps still automatically stored time-stamped location data without asking the consumer’s consent.

Two years later, Arizona Attorney General Mark Brnovich has sued Google for violating the Arizona Consumer Fraud Act over the practice. The lawsuit (pdf), filed in Maricopa County Superior Court, is based on an investigation begun by Brnovich’s office back in 2018. Like the aforementioned AP report, the AG found that Google’s settings didn’t actually do what they claimed with regard to ceasing location data tracking:

“Google told users that “with Location History off, the places you go are no longer stored.” But as the AP article revealed, this statement was blatantly false — even with Location History off, Google surreptitiously collects location information through other settings such as Web & App Activity and uses that information to sell ads. At the same time, Google’s disclosures regarding Web & App Activity misled users into believing that setting had nothing to do with tracking user location. Google’s account set-up disclosures made no mention of the fact that location information is collected through Web and App Activity, which is defaulted to “on,” until early- to mid-2018.”

To be very clear, that’s bad. Companies (especially companies that have spent years under fire for privacy abuses) should be transparent about what they’re collecting, clearly communicate that to end users, and not try to hide opting out under layers of confusing menus. This is, of course, the kind of stuff that would be thwarted by a very simple privacy law that required transparency, working opt-out tools, and included penalties for companies that misled users. You know, the kind of basic rules that were passed by the FCC back in 2016, then immediately demolished by telecom lobbyists thanks to the GOP-controlled Senate one year later, just as they were about to take effect.

In an interview with the Washington Post, Brnovich insists he was eager to send a message that companies aren’t “above the law”:

“At some point, people or companies that have a lot of money think they can do whatever the hell they want to do, and feel like they are above the law,” Brnovich said. “I wanted Google to get the message that Arizona has a state consumer fraud act. They may be the most innovative company in the world, but that doesn’t mean they’re above the law.”

While this is all well and good, and Google certainly deserves penalties for not being transparent about how basic privacy settings work, the lawsuit continues to highlight a bizarre asymmetry in policymakers’ concerns about privacy. While Google’s failure here was bad, it’s a far cry from the location data scandals that recently rocked the telecom sector. There, carriers were found to have been selling access to huge swaths of location data to pretty much any nitwit with a nickel. This data was then repeatedly, aggressively abused, by everybody from law enforcement to folks pretending to be law enforcement, to stalkers.

The scope of those scandals was utterly monumental, yet the punishment was virtually nonexistent. The worst that happened was a performative FCC fine that will likely be litigated down to next to nothing over the next year, then forgotten entirely. Many AGs were utterly absent from that particular dance of dysfunction, despite claims to be eagerly cracking down on companies that are “above the law.” There were no lawsuits filed against AT&T, Verizon, or T-Mobile. And while the FCC did finally act, it wound up being little more than a belated wrist slap.

We’ve noted this bizarre tech and privacy policy asymmetry more than a few times, yet it doesn’t seem to really change, with “big tech” getting the lion’s share of heat and attention, while adtech, telecom, and other equally problematic sectors routinely engage in the same or worse behaviors yet see far less scrutiny. If we are ever going to craft a meaningful privacy law in the United States (and I remain skeptical that’s happening without first seeing an historic scandal well beyond what we’ve seen already), policymakers are going to need to take a far broader, bird’s eye view of the modern privacy problem.