Say hello to 2025—you will be tracked.
Updated on January 11 with further information on Google’s new mobile privacy challenge in the U.S. courts, and parallels to its controversial digital fingerprinting now making a return.
An ironic spat this week in the world of big tech. Google attacked Microsoft for “its long history of tricks to confuse users and limit choice,” less than than three weeks after it was accused of “reducing people’s choice and control over how their information is collected,” in response to its new plan to digitally fingerprint users’ devices, not just Android and Chrome — the usual targets of such criticism. That tracking is now just six weeks away.
Two unrelated stories barely a fortnight apart—and yet not really unrelated at all. The common theme is users as pawns, subject to the whims of the staggeringly expansive ecosystems they rely on each and every day.
Google slammed Microsoft after the Windows maker was caught “spoofing” the Google homepage when users searched for Google on Bing.com. Windows Latest was first to spot the spoof and described it as a “a genius move to keep you from Google search.” Bing has featured before in the Microsoft versus Google stakes playing out across Windows PCs, but it has mostly been Chrome versus Edge. Search is the prize, as should have been pretty clear when Apple went to court to help Google defend its default search spot on a billion iPhones. It’s not too many months ago that the iMaker released a video inspired by Hitchcock’s The Birds that essentially warned those iPhone users to steer clear of Chrome.
This was “a clear attempt from Microsoft to make Bing look like Google for this specific search query,” reported The Verge. “The Google result includes a search bar, an image that looks a lot like a Google Doodle, and even some small text under the search bar just like Google does. Microsoft even automatically scrolls down the page slightly to mask its own Bing search bar that appears at the top of search results.”
Chrome and Google Search are not one and the same, albeit both carry privacy risks. And that’s why those iPhone users are better using Google Search within Safari than Chrome, albeit that becomes much less the case if you’re logged into a Google account as you do so. But Chrome doesn’t play a leading role in the latest Google tracking warning that hit the headlines just before the holidays. Notwithstanding that Chrome has hogged the bulk of Google’s tracking headlines in recent years, with cookies and incognito mode and its privacy sandbox playing recurring roles.
The latest issue started when Google pushed out an update to its advertising ecosystem. The changes, it said, have been prompted by “the broader range of surfaces on which ads are served (such as connected TVs and gaming consoles),” and mean they will be “less prescriptive with partners in how they target and measure ads.”
Fingerprinting is not just a browser issue anymore.
“This is digital fingerprinting across connected devices,” the UK’s information regulator was quick to point out. “Fingerprinting involves the collection of pieces of information about a device’s software or hardware, which, when combined, can uniquely identify a particular device and user… The ICO’s view is that fingerprinting is not a fair means of tracking users online because it is likely to reduce people’s choice and control over how their information is collected. The change to Google’s policy means that fingerprinting could now replace the functions of third-party cookies.”
And given the nature of these other devices and that users won’t realize what’s taking place, there are serious implications. Identity Week warns that “organizations using Google’s advertising tech can implement fingerprinting without violating Google’s policies and complying with the requirements of data protection law… Fingerprinting is so hindering to privacy expectations because it relies on signals that are not easy to wipe. Even if data is ‘permanently’ deleted, fingerprinting biometrics could detect and recognize your identity.”
Interesting parallels between the return of digital fingerprinting — which is infamously difficult for a user to detect — and an unprecedented new leak of user location data, which also exposes a vast array of apps collecting data from users’ devices. The Gravy Analytics leak highlights the sheer scale of the location data industry, another user tracking ecosystem that takes place behind the scenes, is difficult to detect, and which most users would likely disable if they could.
As 404Media neatly puts it, “the [Gravy Analytics] news is a crystalizing moment for the location data industry. For years, companies have harvested location information from smartphones, either through ordinary apps or the advertising ecosystem, and then built products based on that data or sold it to others. In many cases, those customers include the U.S. government… But collecting that data presents an attractive target to hackers.”
What I suspect will prompt users to sit up and take notice more than the scale of the leak is the number of popular apps contributing the data in the first place. “Candy Crush, Tinder [and] MyFitnessPal,” Wired reports, are amongst “the thousands of apps hijacked to spy on your location… Some of the world’s most popular apps are likely being co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale.”
There are various lists of these apps now doing the rounds — suffice to say it’s extensive. Per Wired, it includes “dating sites Tinder and Grindr; massive games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 office app; and flight tracker Flightradar24…. religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.”
Users don’t like being tracked behind the scenes. That’s why the Gravy leak has made headlines and it’s why digital fingerprinting is doing the same. And there’s another new twist as reported by Reuters: “Google has failed to persuade a federal judge to dismiss a privacy class action claiming it collected personal data from people’s cellphones after they switched off a button to stop the tracking.” This may lead to a trial in the summer. It follows Google’s destruction of billions of data records last year, in the wake of a similar lawsuit relating to data collection while using Chrome’s incognito mode.
As ArsTechnica explains, Google “purports to treat user data as pseudonymous by creating a randomly generated identifier that ‘permits Google to recognize the particular device and its later ad-related behavior… Google insists that it has created technical barriers to ensure, for (s)WAA-off users, that pseudonymous data is delinked to a user’s identity by first performing a ‘consent check’ to determine a user’s (s)WAA settings.’ Whether this counts as personal information under the law is a question for a jury, the judge wrote.”
Per CNBC, “in a 20-page decision on Tuesday, [Chief Judge Richard Seeborg of the federal court in San Francisco] said reasonable users could view Google’s conduct as ‘highly offensive,’ because the company collected data despite fielding concerns from several employees and knowing its disclosures were ambiguous. He cited internal communications suggesting that Google, a unit of Alphabet, was intentionally vague in distinguishing between data collected inside and outside Google accounts because users might find the truth ‘alarming’.”
And so it comes down to reasonable expectations and what’s reasonably understood or not, on which there are some fairly clear parallels to digital fingerprinting. Google says that “advances in privacy-enhancing technologies (PETs) such as on-device processing, trusted execution environments, and secure multi-party computation, are unlocking new ways for brands to manage and activate their data safely and securely. PETs also give people the privacy protections they expect… We see an opportunity to set a high privacy bar on the use of data like IP. We can do this by applying privacy-preserving protections that help businesses reach their customers across these new platforms without the need to re-identify them.”
But as EFF says of this type of tracking, “as an individual uses their device, a specific third-party tracker may be loaded on multiple apps installed or sites visited. This allows that company to track an individual across their usage of multiple sites they visit or apps they have installed. These trackers get unprecedented insight into the daily activities of the user, including information that is often specific enough to know what a user is doing at any moment and even where they are using their device… Fingerprinting can use all sorts of seemingly mundane details about your device or browser, such as screen resolution, your time zone, operating system version, remaining battery life, and more. The reason why fingerprinting exists is to circumvent the normal controls users have that enable them to control their own browsers. In order to take control of our browsers and devices back, we have to use special tools that resist fingerprinting.”
And so, given such fingerprinting is notoriously difficult to detect, what do users really understand? And what can they be reasonably expected to understand? As the UK information regulator noted in its response, “we think this change is irresponsible. Google itself has previously said that fingerprinting does not meet users’ expectations for privacy, as users cannot easily consent to it as they would cookies. This in turn means they cannot control how their information is collected. To quote Google’s own position on fingerprinting from 2019: ‘We think this subverts user choice and is wrong’.”
For its part, Google says “even as technologies change, our privacy principles remain the same. We continue to give users choice over personalized ads. And we continue to require advertisers and publishers to be fully transparent with users about the data they collect and how it is used. Policies need to meet the speed of technological advancements, with privacy at the core. With this update, we can help businesses, large and small, meet the opportunities of the evolving digital landscape, while meeting user expectations for privacy.”
Interesting timing nonetheless, two warnings, a legal ruling and a privacy-invasive data leak all within a couple of weeks. The risks, of course, fall to all those millions and millions of users — whether on Chrome or Edge or Android or Windows or all of the above. I approached Google and Microsoft for any comments on the various angles to all this — nothing yet.
Digital fingerprinting begins Feb. 16; in the meantime, just keep all this in mind.