Google is closing a loophole that would allow thousands of companies to monitor and sell sensitive personal data from Android smartphones, an effort welcomed by privacy activists in the wake of the US Supreme Court’s decision to end women’s constitutional right to abortion.
It also took a further step on Friday to mitigate the risk that smartphone data could be used to monitor new abortion restrictions, by announcing that it would automatically delete location history on phones located near a sensitive medical location such as an abortion clinic. found.
The Silicon Valley company’s moves stem from growing fears that mobile apps will be used as a weapon by US states to control new abortion restrictions in the country.
Companies have previously collected and sold information on the open market, including lists of Android users using apps related to period tracking, pregnancy, and family planning, such as Planned Parenthood Direct.
For the past week, privacy researchers and advocates have urged women to remove period-tracking apps from their phones to avoid being tracked or penalized for considering abortion.
The US tech giant announced last March that it would restrict the feature, allowing developers to see what other apps have been installed and removed on individuals’ phones. That change was supposed to be implemented last summer, but the company did not meet that deadline, partly because of the pandemic.
The new July 12 deadline comes just weeks after the nullification of Roe vs Wade, a ruling that has thrown a spotlight on how smartphone apps can be used for surveillance by US states with new anti-abortion laws.
“It’s been a while. Data brokers are not allowed to use the data for a long time under Google’s terms, but Google has not built safeguards into the app approval process to accommodate this behavior. They just ignored it,” said Zach Edwards, an independent cybersecurity researcher who has been investigating the loophole since 2020.
“So now anyone with a credit card can buy this data online,” he added.
Google said: “In March 2021, we announced that we planned to restrict access to this permission so that only utility apps, such as device search, antivirus, and file manager apps, can see what other apps are installed on a phone. .”
It added: “Collecting app inventory data to sell or share it for analysis or monetization is never allowed on Google Play.”
Despite its widespread use by app developers, users are still unaware of this feature in Android software – a Google-designed programming interface or API, known as the “Query All Packages”. It allows apps, or snippets of third-party code in them, to query the inventory of all other apps on a person’s phone. Google itself has referred to this type of data as risky and “sensitive” and has been discovered to be resold to third parties.
Researchers have found that app inventories “can be used to accurately infer the interests and personal characteristics of end users,” including gender, race, and marital status, among others.
Edwards has discovered that one data marketplace, Narrative.io, openly sold data obtained in this way by intermediaries, including smartphones using Planned Parenthood, and various time-tracking apps.
Narrative said it removed pregnancy and menstrual tracking app data from its platform in May, in response to the leaked draft outlining the pending Supreme Court decision.
Another research firm, Pixalate, found that consumer apps, such as a simple weather app, used bits of code that exploited the same Android feature and collected data for a Panamanian company associated with US defense contractors.
Google said it “never sells user data, and Google Play strictly prohibits the sale of user data by developers. When we discover violations, we take action,” the company added that several companies had been sanctioned that allegedly sold user data.
Google said it would limit the Query All Packages feature to only those who need it from July 12. App developers must complete a statement explaining why they need access and notify Google before the deadline for review.
“Misleading and undeclared use of these permissions may result in your app being suspended and/or your developer account terminated,” the company warned.
Additional reporting by Richard Waters.