On Friday, an Arizona judge ordered internal emails from Google unsealed as part of an ongoing lawsuit by the state’s attorney general on alleged consumer fraud and location data. Google had fought to keep these documents secret, saying the investigation was “improperly publicized.”
The released documents show internal discussions among Google engineers and communications staff that highlighted frustrations over the company’s collection of location data and the lack of meaningful controls for its billions of users.
“Location off should mean location off, not ‘except for this case or that case,’” a Google engineer wrote in an email thread on Aug. 13, 2018. “The current UI feels like it is designed to make things possible, yet difficult enough that people won’t figure it out.”
The discussions also included worries about geofence warrants — requests for location data in which law enforcement provides a time and a place, and Google responds with information on all devices that were in that area.
Alphabet-owned Google isn’t the only company that has location data, but it does receive the majority of geofence warrants because of its Sensorvault database, which stores location history for millions of people, and its vast number of users.
“Privacy controls have long been built into our services and our teams work continuously to discuss and improve them. In the case of location information, we’ve heard feedback, and have worked hard to improve our privacy controls,” said Jose Castaneda, a Google spokesperson. “In fact, even these cherry picked published extracts state clearly that the team’s goal was to ‘Reduce confusion around Location History Settings.’”
Geofence warrants face constitutional challenges in Virginia, and lawmakers in New York have proposed a bill to make them illegal. In Illinois, a federal judge on Monday struck down the practice, finding that the warrants violated the Fourth Amendment.
Police have increasingly used geofence warrants, with a 1,500 percent rise from 2017 to 2018, and a subsequent 500 percent increase from 2018 to 2019. The surge in geofence warrant requests, coupled with confusion among Google staff about location data, rang privacy alarms within the search giant, the court documents show.
After a Google staffer explained there were three different settings for location data — Location Services, which uses your GPS, Location History, which logs where you’ve been, and Timeline, which makes an itinerary from your logs — a software engineer expressed frustration in internal emails.
“I’d want to know which of these options (some? All? none?) enter me into the wrongful-arrest lottery,” the engineer wrote. “And I’d want that to be very clear to even the least technical people.”
While other Google staffers on the email thread looked to downplay concerns over geofence warrants, the engineer called the practice scary, pointed out that police were randomly searching for people, and argued the company had a responsibility to protect people’s data from government requests.
“I feel like erring on the side of validating people’s expectations for keeping their information away from potentially unreasonable uses by the government is anyone’s job who works here,” the engineer said in an email on April 5, 2019.
The internal emails offer a glimpse at how some Google staffers view geofence warrants, a subject the company has been careful in discussing. In recent testimony, CEO Sundar Pichai told Congress the warrants were an important area for lawmakers to have oversight on.
Privacy advocates are asking Google to do more against geofence warrants.
“These emails describe a Google where employees know enough about geofence warrants to be scared, without knowing enough to actually fix the problem,” said Surveillance Technology Oversight Project Executive Director Albert Fox Cahn. “The internal fight over geofence warrants is particularly alarming. It highlights just how dependent we are on giant tech firms to push back when police try to weaponize our devices against the public.”
‘Trying to rein in the overall mess’
Internal emails from Google going as far back as October 2014 show the company knew that its privacy settings were confusing.
A presentation titled “Simplifying Location History Settings (On Android)” noted that “most users don’t understand the difference between location reporting and location history.”
Location History, which people need to opt in to on Google Maps, is a log of where you’ve been. Location Reporting refers to which devices are providing that data.
That confusion carried on, with emails from 2016 noting that even Google’s own staffers didn’t know there were switches to turn off location reporting for each device. An email from 2017 described a project to “rein in the overall mess that we have with regards to data collection, consent and storage.”
The same staffer pointed out Location History specifically, calling it “super messy.”
It appeared to still be a mess by 2018, when the Associated Press published an investigation of Google location tracking that revealed the company still tracked people even after they’d turned the function off.
In internal emails from April 2019, a Google staffer pointed out that he thought he’d turned off tracking. It turned out he’d only turned off location history and that the tracking function was still active.
“Our messaging around this is enough to confuse a privacy-focused Google [software engineer]. That’s not good,” the engineer said. “*I* should be able to get *my* location on *my* phone without sharing that information with Google. This may be how Apple is eating our lunch.”
The engineer wasn’t alone in this criticism, with multiple emails saying the company wasn’t doing a good job at explaining how it tracks location data, confusing its own engineers.
“The real failure is that we shipped a [user interface] that confuses users and requires explanation,” a Google staffer said.