Google closes data loophole amid privacy fears over abortion ruling
Google is closing a loophole that has allowed thousands of companies to monitor and sell sensitive personal data from Android smartphones, an effort hailed by privacy activists following the court ruling Supreme Court of the United States to end women’s constitutional right to abortion.
It also took another step on Friday to limit the risk that smartphone data could be used to police new abortion restrictions, announcing that it would automatically delete the location history of phones that were near it. a sensitive medical location such as an abortion clinic.
The Silicon Valley company’s decisions come amid growing concerns in US states that mobile apps will be weaponized to police new abortion restrictions in the country.
The companies have already harvested and sold information on the open market, including lists of Android users using apps related to period tracking, pregnancy and family planning, such as Planned Parenthood Direct.
Over the past week, researchers and privacy advocates have called on women to remove period-tracking apps from their phones to avoid being tracked or penalized for considering abortions.
The US tech giant announced last March that it would restrict the feature, which allows developers to see what other apps are installed and removed on individuals’ phones. That change was supposed to be implemented last summer, but the company missed that deadline, citing the pandemic among other reasons.
The new July 12 deadline will come just weeks after Roe vs. Wade was canceled, a decision that shed light on how smartphone apps could be used for surveillance by US states with new anti-terrorism laws. abortion.
“It is long overdue. Data brokers have been banned from using data under Google’s terms for a long time, but Google hasn’t built protections into the app approval process to detect this behavior. They just ignored it,” said Zach Edwards, an independent cybersecurity researcher who has been investigating the flaw since 2020.
“So now anyone with a credit card can buy that data online,” he added.
Google said: “In March 2021, we announced that we planned to restrict access to this permission, so that only utility apps, such as device finder, antivirus, and file manager apps, can see what other apps are installed on a phone”.
He added: “The collection of app inventory data to sell or share for analytics or ad monetization purposes has never been permitted on Google Play.”
Despite widespread use by app developers, users are still unaware of this feature of Android software – a Google-designed programming interface, or API, known as “Query All Packages”. It allows apps, or the third-party code snippets they contain, to query the inventory of all other apps on a person’s phone. Google itself labeled this type of data as high-risk and “sensitive” data, and it was found to be resold to third parties.
The researchers found that app inventories “can be used to accurately infer end users’ personal interests and traits,” including gender, race, and marital status, among others.
Edwards discovered that a data marketplace, Narrative.io, was openly selling data obtained through intermediaries in this way, including smartphones using Planned Parenthood and various period-tracking apps.
Narrative said it removed data from the pregnancy and menstruation tracking app from its platform in May, in response to the leaked draft outlining the upcoming Supreme Court ruling.
Another research company, Pixalate, found that consumer apps, like a simple weather app, were running bits of code that exploited the same Android functionality and harvested data for a Panamanian company with ties to contractors. American defense.
Google said it “never sells user data, and Google Play strictly prohibits the sale of user data by developers. When we discover violations, we take action,” adding that it had sanctioned several companies suspected of sell user data.
Google said it will restrict the Query All Packages feature to only those who need it starting July 12. App developers will need to complete a statement explaining why they need access and notify Google before the deadline so it can be verified.
“Misleading and unreported uses of these permissions may result in your app being suspended and/or your developer account being terminated,” the company warned.
Additional reporting by Richard Waters