Feeds

Google sued over – yes – Android location tracking

Like Apple. But not like Apple

Providing a secure and efficient Helpdesk

Google has been sued over its Android location tracking practices, days after a similar suit was brought against Apple.

According to The Detroit News, two Michigan women have filled a $50 million class-action suit against the web giant, demanding that the company stop offering Android phones that can track a user's location.

Google is using Android phones to build a database of cell towers and Wi-Fi networks that can then be tapped by phone applications to pinpoint the location of a given device. The company also makes use of GPS, but in pairing cell tower and WiFi data in tandem with GPS, it can better pinpoint your location – and possibly pinpoint it faster.

At one point, Google was using its fleet of photo-snapping Street View cars to collect cell tower and WiFi information, but after admitting that the cars were also grabbing payload data sent across Wi-Fi networks, the company said it would build the database using Android phones only.

If Android location services are turned on, the OS sends Google a MAC addresses, network signal strength, and GPS coordinates for each Wi-Fi network, as well as a unique identifier for the phone that grabs the information and the time of day, independent security researcher Samy Kamkar tells The Register. Google says that Android location services use an "opt-in" setup and that location data sent back to the company is "anonymized". But Kamkar has shown that the company does indeed grab a unique identifier for each phone.

By combining the identifier with the location data, Kamkar said, Google could easily determine where you work and where you live. If this location information and unique IDs remain on Google's servers, it could potentially be extracted via subpoena or national security letter.

Skyhook, the Boston-based company that pioneered this sort of location tracking, does not capture a unique phone ID in the way Google does, according to Skyhook CEO Ted Morgan. And there's no evidence that Apple's locations services grab such an identifier either, though Apple has not specifically discussed this. Kamkar tells us that Apple only collects cell tower and WiFi information.

To quickly determine a user's location, Apple and Skyhook cache a portion of their location databases on phones. "A small localized cache on the device is very helpful for speed," Morgan tells The Register. "Rather than having to keep going back to the server, you keep a small subset of the reference data locally so that while you are within a 10 block area it just uses the local file until you move farther away...[This is] for speed and for not having to rely on a flakey cellphone network connection."

Apple says something similar. "The entire crowd-sourced database is too big to store on an iPhone, so we download an appropriate subset (cache) onto each iPhone," the company explains. "The location data...on the iPhone is not the past or present location of the iPhone, but rather the locations of Wi-Fi hotspots and cell towers surrounding the iPhone’s location."

Presumably, Google is doing the same thing. Researchers have shown that Google keeps a similar database on Android phones, but this has a limited number of entries.

Skyhook sets a limit on the size of its cache and will replace cache data as you move from place to place. But Apple's cache may save data related to places you visited more than a year ago or more, according to the company. Apple has said, however, that this is a bug, and that in future versions of iOS, it will only retain data on the iPhone related to your whereabouts within the past seven days or so. "The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly," Apple says. "We don’t think the iPhone needs to store more than seven days of this data."

Apple continues to keep this cache file on the phone even when iPhone location services are turned off, but the company says this too is a bug that will be changed. According to Kamkar, Apple also continues to send cell tower and Wifi data back to its servers when location services are turned off. This is not the case with Google. When Android location services are turned off, Google stops sending data back to its servers.

Last week, independent researchers publicly discussed Apple's cache file, and this led to a firestorm of media coverage. Then Kamkar discussed his experiences with Google's location tracking services. Apple was sued on Monday, and now, inevitably, Google has been sued as well.

Yesterday, Apple responded to the firestorm with an FAQ on its website, saying it intends to change the way its cache works. The cache has long been used by law enforcement to determine the past whereabouts of phone owners. Skyhook says that its cache is encrypted so that it can't be read.

Skyhook once provided location services for the iPhone, and it was slated to provide services for Android. But both Apple and Google decided to handle the technology themselves. Skyhook is suing Google, claiming the web giant strong-armed its Android partners into dropping Skyhook in favor of Google location services.

According to one suit filed by Skyhook, Andy Rubin – the man who oversees Google's Android project – told Motorola co-CEO Sanjay Jha that if the handset manufacturer didn't drop Skyhook, Google would remove official Android support from the devices. This would mean that Motorola could not use proprietary Google services such as the Android Market or even the Android name. ®

Update: This story has been updated to show that Skyhook does not deleted its database cache on phones, but that it puts a limit on the size of this cache. The company originally told us it deleted the cache. We have also pointed out that Skyhook encrypts its cache.

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.