Analysis
Google’s Location Data Policy Update: Why Users Need More Than Pinkie Promises to Protect Their Most Sensitive Information
January 31, 2024
In December 2023, Google announced an update to its location data policy to provide users with more control over their sensitive location information. While this seems like a promising step in the right direction, we should be mindful of Google’s long history of failing to uphold its privacy obligations and vigilant in monitoring Google’s follow-through on its commitments.
Google’s Unfulfilled Promises to Protect Users’ Location Data
In July 2022, shortly after the U.S. Supreme Court invalidated the constitutional right to an abortion in Dobbs v. Jackson Women’s Health Organization, Google publicly promised to take new steps to protect users’ location data. In particular, Google said that it would delete location records that revealed whether a user had visited certain types of medical facilities soon after each visit. These facilities include counseling centers, addiction treatment facilities, domestic violence shelters, fertility centers, weight loss clinics, surgery clinics, and abortion clinics. Google promised that the change would go into effect in “the coming weeks” after the announcement.
But in November 2022, research by Accountable Tech showed that Google had failed to follow through on its policy change. In May 2023, follow-up reporting confirmed that failure. And nearly a year and a half after its initial promise to protect users’ location data, further research and reporting confirmed that Google had retained location data revealing visits to abortion clinics in about 50% of experiments conducted by Accountable Tech. The disconnect between Google’s public promises and its actual handling of users’ location data prompted EPIC and Accountable Tech to file a complaint with the Federal Trade Commission in January 2024. The groups urged the Commission to investigate Google, impose civil penalties, order the company to disgorge wrongfully retained location data, and enjoin Google’s unlawful location data practices.
Despite the failure to fulfill its 2022 location data promises, Google announced another update to its location data practices in December 2023. According to the announcement, once the changes take effect a user’s Location History timeline will be stored on the user’s device, and the default auto-delete period for location data will shrink from 18 months to three months. Google also promises to give users the option to delete activity related to specific places from Maps. As with the July 2022 announcement, Google provided no date certain for when the updates will take effect.
Location Data Reveals Highly Sensitive Details About Us
Location data can reveal a lot about us. Records of a person’s physical movements through the world can divulge sensitive information: a health condition inferred from a person’s visits to a dialysis clinic, someone’s religious affiliation inferred from their attendance at a mosque, or an individual’s sexuality inferred from his attendance at a gay speed dating event. Some location information may seem innocuous in isolation, but when these data points are collected over time, they can form a detailed profile of a person. Apps, phone providers, mobile ad companies, and other platforms collect our location data and often sell it to data aggregators and data brokers. These profiles can be used in harmful ways, including to target advertisements at us. Even worse, location data may be retained indefinitely, opening it to increased risk of access by law enforcement.
While location data can reveal the most intimate details of our lives, it is far from the only type of information that can leave us vulnerable to privacy harms. For example, search query histories—records of terms entered into a search engine by a person—can be deeply revealing, even more so when taken together with location data. If a person searches “HIV treatment near me,” finds an address, and routes himself to that address, the resulting records will enable a clear and reliable inference about his HIV status. This information together may offer a more certain profile of a person than either search query history or location information alone.
Because of this, it is important that Google—like any company—limit its collection of such sensitive information to what is strictly necessary to provide the product or service requested by a user. In the wake of Dobbs, Google’s excessive retention of personal information—including location history and search query history—can cause grave harms to its users. Location data may reveal whether someone visited an abortion clinic, how long they stayed at the clinic, and where they obtained follow-up care. Location data may reveal whether a person drove someone across state lines to receive abortion care. Google’s retention of this information can leave people vulnerable to undue criminal punishment because it means that the records are subject to law enforcement access. Indeed, the harms of location data retention can manifest in many ways: a pregnant person who refuses to seek care because they are afraid of criminalization; a physician forced to practice under the constant threat of legal sanction; a mother who nervously drives her child to receive abortion care; a person wrongfully jailed for having a miscarriage; or a citizen who refrains from researching the current state of abortion laws in their state before an election out of fear.
Google Should Not Be the Only Backstop Against Law Enforcement Access to Users’ Location Data
Law enforcement agencies can obtain this location data from Google by serving a warrant or subpoena that requests such information. There are several types of warrants that may seek information from Google, and as a practical matter Google has a large amount of discretion as to whether and to what extent the company will comply with a given warrant. Technically, Google must comply with any valid search warrant it receives. In practice, however, Google’s legal team has often pushed back against warrants it deems unconstitutionally overbroad or lacking in specificity. For example, Google may be served a warrant that requests all search query records relating to a specific address. Google may resist complying with such a warrant as too broad, but may comply if the warrant has temporal parameters, such as all relevant searches within one month.
One way for Google to protect its users from these harmful scenarios would be for the company to delete sensitive data promptly. Law enforcement cannot access data that was never collected or that Google no longer retains.
There are two relevant warrants that are especially harmful given Google’s troves of sensitive information: geofence warrants and reverse keyword warrants. Geofence warrants, also known as reverse-location warrants, require tech companies like Google to disclose information about each individual person whose phone placed them near a specific location at a specific time. When Google receives a geofence warrant, it searches through its databases of every user’s location history to determine who was present in the geofence and it then produces an anonymized list of the users’ accounts and other related information to send to the police. The police review this information and select accounts for Google to deanonymize, which Google then does and reveals the users’ accounts to police. These warrants are troubling for many reasons: police receive information about countless accounts that are wholly unrelated to a crime; they are general warrants that are inherently overbroad; and they contradict general police practices in which law enforcement gather facts to investigate people and use warrants to obtain further information about a specific suspect. With respect to reproductive privacy, these types of warrants are downright harmful because they can provide police with the location history of any person who attended an abortion clinic or reproductive health facility.
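The two-step geofence flow just described, and the point that a warrant served on Google can only reach data Google still holds server-side, as a toy model added here. This is illustrative code, not Google's systems or anything EPIC has published: the record layout, the clinic coordinates, the account names, the warrant fence and time window, and the pseudonym scheme are all constructed for the example.

```python
"""Toy model of the geofence-warrant data flow described above.

Added illustration, not Google's code: the record layout, the clinic
coordinates, the account names and the warrant parameters are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hashlib import sha256
from math import asin, cos, radians, sin, sqrt

NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)   # fixed "today" for the demo
CLINIC = (38.9000, -77.0300)                              # constructed coordinates


@dataclass(frozen=True)
class LocationRecord:
    account: str        # hypothetical account identifier
    lat: float
    lon: float
    seen_at: datetime


# Constructed sample: who was near the (fictional) clinic, and when.
SAMPLE_RECORDS = [
    LocationRecord("alice", 38.9000, -77.0300, NOW - timedelta(days=10)),   # at the clinic
    LocationRecord("bob",   38.9003, -77.0300, NOW - timedelta(days=200)),  # ~33 m away, long ago
    LocationRecord("carol", 38.9200, -77.0300, NOW - timedelta(days=10)),   # ~2.2 km away
    LocationRecord("dave",  38.9000, -77.0300, NOW - timedelta(days=5)),    # at the clinic, later
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    earth_radius_m = 6_371_000.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_m * asin(sqrt(a))


def apply_retention(records, now, keep_days):
    """Simulate the auto-delete window: records older than it no longer exist
    on the server, so no warrant can produce them."""
    cutoff = now - timedelta(days=keep_days)
    return [r for r in records if r.seen_at >= cutoff]


def pseudonym(account):
    """Stand-in for the anonymised identifier handed over in step one."""
    return sha256(account.encode()).hexdigest()[:12]


def geofence_step1(records, center, radius_m, start, end):
    """Step one: every retained record inside the fence and the time window,
    keyed by pseudonym. Everyone present is swept in, suspect or not."""
    hits = {}
    for r in records:
        inside = haversine_m(center[0], center[1], r.lat, r.lon) <= radius_m
        if inside and start <= r.seen_at <= end:
            hits.setdefault(pseudonym(r.account), []).append(r)
    return hits


def geofence_step2(records, selected_pseudonyms):
    """Step two: unmask the pseudonyms police selected from the step-one list."""
    lookup = {pseudonym(r.account): r.account for r in records}
    return {p: lookup[p] for p in selected_pseudonyms if p in lookup}


def sweep(records, keep_days, now=NOW):
    """Run the whole flow for a constructed warrant (150 m fence, roughly the
    last seven months) and return the accounts that end up identified in the
    worst case, where police ask for every pseudonym to be unmasked."""
    retained = apply_retention(records, now, keep_days)
    hits = geofence_step1(retained, CLINIC, 150,
                          now - timedelta(days=210), now - timedelta(days=9))
    return sorted(geofence_step2(retained, list(hits)).values())


if __name__ == "__main__":
    print("18-month retention:", sweep(SAMPLE_RECORDS, keep_days=540))
    print("3-month retention: ", sweep(SAMPLE_RECORDS, keep_days=90))
    print("history on device only:", sweep([], keep_days=90))
```

With an 18-month window the constructed warrant identifies both people who were ever at the clinic in the period; with a three-month window the older visit is already gone and only one account is produced; with the history held only on the device there is nothing server-side for the query to run over and the result is empty. The model deliberately leaves out the caveats raised later in the piece (Wi-Fi association records, carrier data), which a shorter server-side window does not touch.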
Reverse keyword search warrants are another type of invasive, likely unconstitutional, search warrant that Google often receives from law enforcement. These warrants require that Google search its databases for users who searched for certain keywords, phrases, or addresses online. Reverse keyword searches likewise contradict general police procedures and practices. Instead of gathering evidence about a specific person and seeking a warrant to investigate that person further, these general warrants involve combing through millions of users’ search histories in the hopes of finding a suspect. In the reproductive privacy context, these warrants are disastrous. Millions of users may be afraid to search for accurate information related to abortion, regardless of their pregnancy status, if it could be captured by law enforcement.
The Implications of Google’s 2023 Location Data Policy Update
The 2023 update appears to be a step in the right direction. But Google has a history of making privacy-protective promises to its users and failing to uphold them. This illustrates why we need comprehensive privacy rules that limit the collection, use, and retention of our personal information like location data. We cannot rely on promises from companies like Google to protect us.
With respect to geofence warrants, if Google does implement the policy as promised—again, Google has a history of failing to uphold these types of privacy protective promises—this may effectively limit the use of many geofence warrants. A user’s location history would not be stored in Google’s database, which means it could not be accessed by law enforcement even if law enforcement had a geofence warrant that it served upon Google. As EPIC has often emphasized: law enforcement cannot access personal information that was never collected. If Google does not collect this information, and it remains solely on a user’s device, it cannot be accessed by police by serving a warrant or subpoena on Google.
It is important to note, however, that geofence warrants are not the only problem. Reverse keyword warrants can also reveal sensitive information about a person, especially if that person searched for a specific address. Further, there may be some cases where Google can still obtain location data about a user, as when a non-cellular device connects to wi-fi at a certain location. And Google is not the only entity that collects location information. Cell phone carriers collect vast amounts of user location information—although usually less granular than Google’s location information—that can be subject to tower dump warrants.
This means that while Google’s new policy update may be a major step forward, it’s no panacea. First, Google has periodically failed to uphold its privacy promises; it remains to be seen when and to what extent Google follows through on its latest announcement. Second, geofence warrants are not the only invasive and harmful warrant that can criminalize people seeking abortion care. For this reason, we need meaningful comprehensive limits on the collection, use, and retention of our personal information to protect against criminalization and harmful commercial profiling.
EPIC’s Ongoing Actions to Safeguard the Personal Data of Google Users
In addition to the FTC complaint EPIC co-filed with Accountable Tech against Google, EPIC has taken several recent actions to safeguard the personal data of Google users.
In 2023, EPIC filed an amicus brief in the Colorado Supreme Court urging the court to find law enforcement’s use of reverse keyword search warrants unconstitutional, citing concerns that such invasive warrants threaten access to abortion.
EPIC also filed an amicus brief in the Ninth Circuit last year arguing that Google had failed to limit the collection of certain users’ personal information after promising to do so.
EPIC has highlighted how commercial surveillance and targeted advertising threaten access to abortion and invade reproductive privacy.
As Google has shown time and again, it needs meaningful oversight and enforcement to ensure compliance with its privacy obligations. The devil is in the details of Google’s latest location data announcement. EPIC—and we hope the FTC—will continue to monitor whether Google follows through on the privacy promises it has made.