Google is closing a loophole that allowed thousands of companies to monitor and sell sensitive personal data from Android smartphones, an effort welcomed by privacy campaigners following the Supreme Court’s decision. The United States ended women’s constitutional right to abortion.
It also went a step further on Friday to limit the risk that smartphone data could be used to police new abortion restrictions, which will automatically delete location history on nearby phones. a sensitive medical site such as an abortion clinic.
The Silicon Valley company’s moves come amid growing concern that mobile apps will be weaponized by US states to police new abortion restrictions in the country.
Companies that have previously collected and sold information on the open market include lists of Android users using apps related to cycle tracking, pregnancy, and family planning, such as Planned Parenthood Direct.
Over the past week, researchers and privacy advocates have urged women to remove menstrual-tracking apps from their phones to avoid being tracked or penalized for considering abortion.
The US tech giant announced last March that it would restrict the feature, allowing developers to see what other apps were installed and removed on an individual’s phone. That change was expected to be implemented last summer, but the company failed to meet that deadline citing the pandemic among other reasons.
The new July 12 deadline will come just weeks after Roe vs Wade was ousted, a ruling that has brought attention to how smartphone apps can be used for surveillance by states’ United States with new anti-abortion laws.
“It is long overdue. Data brokers have been banned from using data under Google’s terms for a long time, but Google hasn’t built in protections in the app approval process to catch this behavior. They just ignore it,” said Zach Edwards, an independent cybersecurity researcher who has been investigating the vulnerability since 2020.
“So now anyone with a credit card can buy this data online,” he added.
“In March 2021, we announced that we intend to restrict access to this permission, to utility apps, such as device finder, anti-virus apps,” Google said. -withdraw and file manager, can see what other apps are installed on the phone.”
It added: “The collection of app inventory data to sell or share it for the purposes of analytics or ad monetization has never been allowed on Google Play.”
Although widely used by app developers, users are still unaware of this feature in Android software — a Google-designed programming interface or API, called “Query All Packages” . It allows third-party apps, or snippets within them, to query the inventory of all other apps on one’s phone. Google itself has called this data high-risk and “sensitive” and it has been found to be being sold to third parties.
The researchers found that the app store “can be used to accurately infer end-user preferences and personal characteristics,” including gender, race, and marital status, along with different things.
Edwards discovered that one data marketplace, Narrative.io, was openly selling data obtained by middlemen in this way, including smartphones using Planned Parenthood and cycle-tracking apps. difference.
Narrative said it removed pregnancy and menstrual-tracking app data from its platform in May, in response to a leaked draft outlining an upcoming Supreme Court decision.
Another research firm, Pixalate, has found that consumer apps, like a simple weather app, are running code that exploits the same Android feature and are collecting data. data for a Panamanian company with ties to US defense contractors.
Google says it “never sells user data, and Google Play strictly prohibits the sale of user data by developers. When we discover a breach, we will take action,” adding that it sanctioned multiple companies that were allegedly selling user data.
Google says it will limit the All Plans Query feature to only those who request it from July 12. App developers will be asked to fill out a statement explaining why they need access and notify Google of this ahead of time so it can be checked.
“Deceptive and undeclared use of these permissions may result in the suspension of your app and/or termination of your developer account,” the company warned.
Additional reporting by Richard Waters.