Feeds

Google sued over – yes – Android location tracking

Like Apple. But not like Apple

Security for virtualized datacentres

Google has been sued over its Android location tracking practices, days after a similar suit was brought against Apple.

According to The Detroit News, two Michigan women have filled a $50 million class-action suit against the web giant, demanding that the company stop offering Android phones that can track a user's location.

Google is using Android phones to build a database of cell towers and Wi-Fi networks that can then be tapped by phone applications to pinpoint the location of a given device. The company also makes use of GPS, but in pairing cell tower and WiFi data in tandem with GPS, it can better pinpoint your location – and possibly pinpoint it faster.

At one point, Google was using its fleet of photo-snapping Street View cars to collect cell tower and WiFi information, but after admitting that the cars were also grabbing payload data sent across Wi-Fi networks, the company said it would build the database using Android phones only.

If Android location services are turned on, the OS sends Google a MAC addresses, network signal strength, and GPS coordinates for each Wi-Fi network, as well as a unique identifier for the phone that grabs the information and the time of day, independent security researcher Samy Kamkar tells The Register. Google says that Android location services use an "opt-in" setup and that location data sent back to the company is "anonymized". But Kamkar has shown that the company does indeed grab a unique identifier for each phone.

By combining the identifier with the location data, Kamkar said, Google could easily determine where you work and where you live. If this location information and unique IDs remain on Google's servers, it could potentially be extracted via subpoena or national security letter.

Skyhook, the Boston-based company that pioneered this sort of location tracking, does not capture a unique phone ID in the way Google does, according to Skyhook CEO Ted Morgan. And there's no evidence that Apple's locations services grab such an identifier either, though Apple has not specifically discussed this. Kamkar tells us that Apple only collects cell tower and WiFi information.

To quickly determine a user's location, Apple and Skyhook cache a portion of their location databases on phones. "A small localized cache on the device is very helpful for speed," Morgan tells The Register. "Rather than having to keep going back to the server, you keep a small subset of the reference data locally so that while you are within a 10 block area it just uses the local file until you move farther away...[This is] for speed and for not having to rely on a flakey cellphone network connection."

Apple says something similar. "The entire crowd-sourced database is too big to store on an iPhone, so we download an appropriate subset (cache) onto each iPhone," the company explains. "The location data...on the iPhone is not the past or present location of the iPhone, but rather the locations of Wi-Fi hotspots and cell towers surrounding the iPhone’s location."

Presumably, Google is doing the same thing. Researchers have shown that Google keeps a similar database on Android phones, but this has a limited number of entries.

Skyhook sets a limit on the size of its cache and will replace cache data as you move from place to place. But Apple's cache may save data related to places you visited more than a year ago or more, according to the company. Apple has said, however, that this is a bug, and that in future versions of iOS, it will only retain data on the iPhone related to your whereabouts within the past seven days or so. "The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly," Apple says. "We don’t think the iPhone needs to store more than seven days of this data."

Apple continues to keep this cache file on the phone even when iPhone location services are turned off, but the company says this too is a bug that will be changed. According to Kamkar, Apple also continues to send cell tower and Wifi data back to its servers when location services are turned off. This is not the case with Google. When Android location services are turned off, Google stops sending data back to its servers.

Last week, independent researchers publicly discussed Apple's cache file, and this led to a firestorm of media coverage. Then Kamkar discussed his experiences with Google's location tracking services. Apple was sued on Monday, and now, inevitably, Google has been sued as well.

Yesterday, Apple responded to the firestorm with an FAQ on its website, saying it intends to change the way its cache works. The cache has long been used by law enforcement to determine the past whereabouts of phone owners. Skyhook says that its cache is encrypted so that it can't be read.

Skyhook once provided location services for the iPhone, and it was slated to provide services for Android. But both Apple and Google decided to handle the technology themselves. Skyhook is suing Google, claiming the web giant strong-armed its Android partners into dropping Skyhook in favor of Google location services.

According to one suit filed by Skyhook, Andy Rubin – the man who oversees Google's Android project – told Motorola co-CEO Sanjay Jha that if the handset manufacturer didn't drop Skyhook, Google would remove official Android support from the devices. This would mean that Motorola could not use proprietary Google services such as the Android Market or even the Android name. ®

Update: This story has been updated to show that Skyhook does not deleted its database cache on phones, but that it puts a limit on the size of this cache. The company originally told us it deleted the cache. We have also pointed out that Skyhook encrypts its cache.

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.