The introduction of GDPR has thrown a spotlight on the data companies hold on individuals. One area in particular, tracking, has existed as an issue for some time. Users rightly become concerned when the subject of tracking arises. They want to know why tracking occurs and what data they ‘provide’.
The reality is tracking is part of what makes the Internet accessible to everyone.
Virtual Private Networking review site, thebestvpn, has examined all the data Google captures on users. It can be considerable.
This is not just a privacy issue for individuals. Whether it be Bring Your Own Device (BYOD) or a company machine, users take advantage of browsers and other technology all the time. It means Google has data it can process to gain insights into businesses.
What data does Google grab?
Different apps record different types of data. The data taken by different Google apps includes:
Google app, product, or service | Data tracked |
Google Chrome | Browser history |
Websites visited | |
Google Search | Queries searched |
Gmail | Contacts |
Emails sent | |
Emails received | |
Email content/conversations | |
Ads | Ads clicked |
Topics interested in | |
Google Photos | People tagged |
Places tagged | |
Google Fit | Fitness level |
Fitness goals | |
Maps | Locations visited |
Places searched | |
Methods of transportation | |
Dates of travel | |
Google Calendar | Upcoming plans |
Upcoming appointments | |
Google Hangouts | Contacts |
Conversations | |
YouTube | Videos watched |
Videos liked | |
Videos uploaded | |
Comments made | |
Google News | News sites visited |
Stories clicked on | |
Google Books | Books read |
Books searched | |
Google Shopping | Products searched |
Products clicked on | |
Waze | Directions searched |
Places searched | |
Places visited |
From both a business and personal perspective this encompasses much data. Employees use browsers for work and personal use. They plan trips to customers and suppliers using Google Maps (which they used to provide directions). The same is true of Waze.
Calendar and email data is particularly sensitive. Google admits third-party app developers can read emails. This does require users to grant permission.Most don’t read the small print when they install apps. In addition, users often blend business and personal email addresses, more so if they work across multiple devices.
People take photos and selfies especially at social events. These includes work gatherings. Given the state of facial recognition, itis relatively easy to process those images to track who works at a company.
Google stores voice data from Google Home as well as mobile data from Android and its apps. The latter includes GPS data. Health and fitness data gathered from wearable devices add a different dimension, ‘highly personal data’.
Why is this a risk?
There are many reasons why this is an issue for organisations:
- third-party access to calendar, email and map data delivers insights into what is happening inside a business
- images and tagging deliver the ability to identify who people work with (and can assemble a corporate employee list)
- social media and tagging data provides a wealth of personal information on individuals
- combining two or more of these may offer unexpected associations or insights.
The upshot is a hacker, not even a very skilled hacker, can create spear phishing emails. Take this for a malevolent example. Let us assume tags show you link to George in Accounts. George’s health data reveals he is suffering from a long term serious illness and is off work for an extended period.
A spear phishing email might pretend to raise money to support George. Such an email would obtain a positive response from colleagues. They would log on to the website listed in the email. While they thought they were funding George, they would be funding the hackers and, most likely, assisting malware infections on their computer.
Spear phishing is just one attack. Social media attacks are more effective if they have a wide set of data from which to create attacks.
The challenge is the variety of ways bad actors can exploit such data to attack individuals and businesses. What needs to happen is for IT security to put together ways to help users understand the risks, and in so doing protect themselves and their employers.
Is this all Google’s fault?
No. It’s always easy to go Google bashing. In this case Google is just one of many large companies gathering large amounts of data from individuals which becomes a risk to businesses.
It is time individuals took responsibility for their part. Yes, providers offer poorly written End User Licence Agreements (EULAs). That doesn’t mean one should ignore them. Check the privacy pages of apps. Untick as many boxes as possible. Read the security advice.
The other dimension not to forget is most tracking is not about hackers creating attacks on individuals and businesses. This is the way the Internet works. People want free content from websites but don’t want to pay and don’t care what it costs to provide what they want.
The majority of the Internet relies on advertising, which comes with its own malvertising attacks. Revenues from advertising keep the vast majority of sites online. Few paywalls succeed, due to this user reluctance to pay.
What does this mean
Unsurprisingly, thebestvpn would like you to download and use a VPN. This is best practice especially when accessing free public WiFi. Thebestvpn recommends regularly reviewing privacy options and monitoring cookies.
Another safety feature is to use private browsing mode. Most browsers provide this. Users should make sure it really is private (in more than just name).
Turning off location reporting on mobile devices, apps and maps is essential. Users should only turn on location services when apps are in use, and not otherwise. This doesn’t mean there is no location data gathering; it does reduce the amount and frequency.
At the end of the day, data leaks. Websites, apps, browser owners and a whole raft of people including hackers desire your data. It has value to them even if only to deliver ads to your device.
In this context, the most important considerations are to:
- limit the opportunities to gather data
- regularly check privacy and security settings.
IT security departments must also do more to help users help themselves, especially those who are not sure if they have the correct settings and habits. In so doing they will, in parallel, contribute to enterprise protection.