TTP Investigation: Google ‘Stalkerware’ Loophole Puts User Location Data at Risk
FOR IMMEDIATE RELEASE: July 21, 2022
Contact: Michael Clauw, mclauw@campaignforaccountability.org, 202.780.5750
WASHINGTON, D.C. – Today, Campaign for Accountability (CfA), a nonprofit watchdog group that runs the Tech Transparency Project (TTP), released a report that shows how Google allows unwanted surveillance that can expose a user’s location, creating risks for abortion seekers, victims of domestic abuse or stalking, and others who want to protect their privacy. Through a series of experiments, TTP found that an Android phone associated with one Google account can easily access and view the location history of another account, tracking physical movements like a visit to an abortion clinic, even when the second user’s location history is turned off.
Campaign for Accountability Executive Director Michelle Kuppersmith said, “Google’s PR team would like you to believe that it is on your side when it comes to the protection of your most vulnerable data. Unfortunately, the company’s desire to maximize the amount of data available to advertisers creates loopholes like this that may put that same data into the hands of people intent on causing harm.”
The loophole, described in a September 2021 post on the Malwarebytes blog, allows one person to log into the Google Play Store on another individual’s device and receive continuous updates sent to their own device about the victim’s location. The only visible indicator that Google gives a device owner that another account is logged into the Play Store is a small icon with the first letter of the account holder’s name in the upper right-hand corner of the screen.
TTP tested this loophole by setting up separate Google accounts on two new and previously unopened Android smartphones. One phone was designated as the “victim” and the other as the “perpetrator.” TTP turned on the location history on the perpetrator’s phone, but not on the victim’s phone. TTP logged into the perpetrator’s Google Play account on the victim’s phone and, over the next few weeks, took that phone to several locations to see if the perpetrator was able to view its whereabouts and movements. Indeed, the perpetrator was able to see the location of the victim’s phone during and after travel to a variety of locations, including a Washington, D.C., Planned Parenthood clinic that provides abortions.
TTP’s findings on this dangerous loophole raise questions about Google’s promise to protect abortion-related user data following the Supreme Court’s Dobbs decision. Google has pledged to remove the location histories of users after they visit places like an abortion clinic or domestic violence shelter, but our experiment found no evidence yet of the company doing so.
Ms. Kuppersmith continued, “Even if Google eventually follows through on its promise to protect and remove user data which signals that a person may be seeking abortion-related care, this loophole still allows a person’s location data to be weaponized against them in a variety of ways. It’s not enough for Google to selectively delete bits of user data when the devices that collect that data are fundamentally unsafe.”
Campaign for Accountability is a nonpartisan, nonprofit watchdog organization that uses research, litigation, and aggressive communications to expose misconduct and malfeasance in public life and hold those who act at the expense of the public good accountable for their actions.