Aug 22, 2018

How Should We Track Location Trackers?

It has been a rough regulatory year for technology companies, which find themselves subject to opaque new privacy regulations in Europe, and soon California. Commentators regularly call for the government to break up the tech firms on antitrust grounds, and EU regulators are pummeling Google with fine after record fine. A recent Associated Press report that Google tracks users' location data even if they believe they have turned off tracking seems only to add fuel to the retributive fire, with some lawmakers calling for prohibitory regulatory oversight on such activities.

The report first reads as a shocking and lurid exposé. Titled “Google tracks your movements, like it or not,” the article describes how computer scientists at Princeton were able to glean location data from Google services even after they had seemingly turned off such tracking.

The service being put under the microscope is called “Location History.” If this setting is disabled, then Google location tracking would purportedly cease, at least according to the original description on the company’s help page, archived here. The text read: “With Location History off, the places you go are no longer stored,” and “it’s off for all devices associated with [your] Google Account.” Sounds pretty straightforward. Yet according to the AP investigation, location data is indeed still stored with a Google Account even if Location History is turned off. What is going on?

Much of the coverage of this story has been framed to suggest that Google willingly lied to its users to collect and profit from more user data. Indeed, the first sentence of the AP story reads: “Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to.” Given the current climate that associates big technology companies with the invasion of privacy, “fake news,” and influence campaigns, this is an easy story to tell.

Google makes money by selling ads tailored to your personal traits. One can see the appeal, if not the boneheaded liability risk, of sneakily accumulating more location data.

But is Google really a mustachioed villain here, or more of an absentminded professor?

The report goes on to discuss how other Google pop-ups and help pages provide a more accurate view of how data is collected and handled. Specifically, the location data that Google collects after “Location History” is turned off is enabled by another setting called “Web and App Activity.” Turn that off, and the excess collection should cease. This is explained elsewhere on Google’s website, which is confusing and not exactly user-friendly. By the time I wrote this, Google had updated its Location History help page with more specific information on how the setting works.

This leads me to believe that Google may be guiltier of poor communication than a deliberate covert campaign to illicitly harvest location data. Either way, you’d expect that a major company like Google would be more careful about how it describes its data policies.

So what is to be done?

Unsurprisingly, some have seized on this event to argue for new legislation. Representative Frank Pallone (D-NJ), for example, told the AP that we need “comprehensive consumer privacy and data security legislation” to sort out the issue. While he did not provide specifics, Pallone has proposed legislation in the past that would dictate privacy and security standards to the private sector. This approach is in line with the European Union’s recently-passed General Data Protection Regulation (GDPR). While the GDPR resulted in a lot more red tape, confusion, and market consolidation, it did not do much to meaningfully improve user privacy.

But this approach ignores the fact that we already have an agency in place to investigate these kinds of incidents: the Federal Trade Commission. As I and other Mercatus scholars describe in “Informational Injury in FTC Privacy and Data Security Cases,” the country’s top commerce cop has developed a significant role in rooting out problematic data handling cases.

Specifically, the agency has authority to protect consumers from “deceptive or unfair acts or practices,” which certainly includes mismatches between companies’ stated privacy policies and actual practices.

There is precedent: The FTC’s 2016 decision against the mobile advertising network InMobi. The Singapore-based company was found guilty of deceptively tracking the location data of hundreds of millions of customers without permission or notice. Notably, the company tracked this data whether or not the user had expressly selected to opt out of such tracking. InMobi had to cease its activities, delete illicitly collected data, pay a hefty fine, and subject itself to decades of audits following the FTC action. If Google’s situation is as bad as some believe, the FTC has a clear model from which to work.

The FTC has not yet confirmed whether it is investigating Google’s unclear policies about location data. These settings have been under fire from legislators before, and two Senators urged the FTC to act earlier this year. Given Google’s size and visibility, it would be very surprising if this incident were not on the FTC’s radar. Politico has reported that “former officials say it could draw the agency’s attention.” The agency has already shown interest in similar contemporary cases, such as its investigation into Facebook’s privacy policies.

Whether or not Google was engaged in any untoward data collection remains to be seen. In the meantime, the FTC’s oversight and investigatory role strikes an appropriate balance between laissez faire dynamism and consumer protection. This posture of permissionless innovation allows companies to experiment and grow without any precautionary prohibitions, but still provides a check on dishonest activities.

Photo credit: FACUNDO ARRIZABALAGA/EPA/Shutterstock
