What does Google know about your employees?The introduction of GDPR has thrown a spotlight on the data companies hold on individuals. One area in particular, tracking, has existed as an issue for some time. Users rightly become concerned when the subject of tracking arises. They want to know why tracking occurs and what data they ‘provide’.

The reality is tracking is part of what makes the Internet accessible to everyone.

Virtual Private Networking review site, thebestvpn, has examined all the data Google captures on users. It can be considerable.

This is not just a privacy issue for individuals. Whether it be Bring Your Own Device (BYOD) or a company machine, users take advantage of browsers and other technology all the time. It means Google has data it can process to gain insights into businesses.

What data does Google grab?

Different apps record different types of data. The data taken by different Google apps includes:

Google app, product, or service  Data tracked
Google Chrome Browser history
Websites visited
Google Search Queries searched
Gmail Contacts
Emails sent
Emails received
Email content/conversations
Ads Ads clicked
Topics interested in
Google Photos People tagged
Places tagged
Google Fit Fitness level
Fitness goals
Maps Locations visited
Places searched
Methods of transportation
Dates of travel
Google Calendar Upcoming plans
Upcoming appointments
Google Hangouts Contacts
YouTube Videos watched
Videos liked
Videos uploaded
Comments made
Google News News sites visited
Stories clicked on
Google Books Books read
Books searched
Google Shopping Products searched
Products clicked on
Waze Directions searched
Places searched
Places visited


From both a business and personal perspective this encompasses much data. Employees use browsers for work and personal use. They plan trips to customers and suppliers using Google Maps (which they used to provide directions). The same is true of Waze.

Calendar and email data is particularly sensitive. Google admits third-party app developers can read emails. This does require users to grant permission.Most don’t read the small print when they install apps. In addition, users often blend business and personal email addresses, more so if they work across multiple devices.

People take photos and selfies especially at social events. These includes work gatherings. Given the state of facial recognition, itis relatively easy to process those images to track who works at a company.

Google stores voice data from Google Home as well as mobile data from Android and its apps. The latter includes GPS data. Health and fitness data gathered from wearable devices add a different dimension, ‘highly personal data’.

Why is this a risk?

There are many reasons why this is an issue for organisations:

  • third-party access to calendar, email and map data delivers insights into what is happening inside a business
  • images and tagging deliver the ability to identify who people work with (and can assemble a corporate employee list)
  • social media and tagging data provides a wealth of personal information on individuals
  • combining two or more of these may offer unexpected associations or insights.

The upshot is a hacker, not even a very skilled hacker, can create spear phishing emails. Take this for a malevolent example. Let us assume tags show you link to George in Accounts. George’s health data reveals he is suffering from a long term serious illness and is off work for an extended period.

A spear phishing email might pretend to raise money to support George. Such an email  would obtain a positive response from colleagues. They would log on to the website listed in the email. While they thought they were funding George, they would be funding the hackers and, most likely, assisting malware infections on their computer.

Spear phishing is just one attack. Social media attacks are more effective if they have a wide set of data from which to create attacks.

The challenge is the variety of ways bad actors can exploit such data to attack individuals and businesses. What needs to happen is for IT security to put together ways to help users understand the risks, and in so doing protect themselves and their employers.

Is this all Google’s fault?

No. It’s always easy to go Google bashing. In this case Google is just one of many large companies gathering large amounts of data from individuals which becomes a risk to businesses.

It is time individuals took responsibility for their part. Yes, providers offer poorly written End User Licence Agreements (EULAs). That doesn’t mean one should ignore them. Check the privacy pages of apps. Untick as many boxes as possible. Read the security advice.

The other dimension not to forget is most tracking is not about hackers creating attacks on individuals and businesses. This is the way the Internet works. People want free content from websites but don’t want to pay and don’t care what it costs to provide what they want.

The majority of the Internet relies on advertising, which comes with its own malvertising attacks. Revenues from advertising keep the vast majority of sites online. Few paywalls succeed, due to this user reluctance to pay.

What does this mean

Unsurprisingly, thebestvpn would like you to download and use a VPN. This is best practice especially when accessing free public WiFi. Thebestvpn recommends regularly reviewing privacy options and monitoring cookies.

Another safety feature is to use private browsing mode. Most browsers provide this. Users should make sure it really is private (in more than just name).

Turning off location reporting on mobile devices, apps and maps is essential. Users should only turn on location services when apps are in use, and not otherwise. This doesn’t mean there is no location data gathering; it does reduce the amount and frequency.

At the end of the day, data leaks. Websites, apps, browser owners and a whole raft of people including hackers desire your data. It has value to them even if only to deliver ads to your device.

In this context, the most important considerations are to:

  • limit the opportunities to gather data
  • regularly check privacy and security settings.

IT security departments must also do more to help users help themselves, especially those who are not sure if they have the correct settings and habits. In so doing they will, in parallel, contribute to enterprise protection.

Previous articleRene Bader talks cyber security
Next articleExtravagant blockchain claims for eHarvestHub
Ian Murphy
Ian has been a journalist, editor and analyst for over 35 years. While technology remains the core focus of Ian's writings he also covers science fiction, children toys, field hockey and progressive rock. As an analyst, Ian is the Cyber Security and Infrastructure Practice Leader for Synonym Advisory. A keen hockey goalkeeper, Ian coaches and plays for a number of clubs including Guildford Hockey Club, Alton Hockey Club, Royal Navy, Combined Services, UK Armed Forces and several touring sides. His ambition is to one day represent England. Ian has also been selected to be the goalkeeping coach for Hockey for Heroes, a UK charity supporting the UK Armed Forces.


Please enter your comment!
Please enter your name here