Google is closing a loophole that allowed thousands of companies to monitor and sell sensitive personal data from Android smartphones, hailed by privacy campaigners in the wake of the US Supreme Court’s decision to end the constitutional right to abortion An effort.
The Silicon Valley company’s move comes amid growing fears that new abortion restrictions in the country will be weaponized by US states to police mobile apps.
Companies have previously harvested and sold information on the open market, including lists of Android users using apps related to period tracking, pregnancy and family planning, such as Planned Parenthood Direct.
Over the past week, privacy researchers and advocates have called on women to remove period-tracking apps from their phones to avoid being tracked or penalized for considering abortions.
The US tech giant announced last March that it would be restricting the feature, allowing developers to see what other apps have been installed and removed on individuals’ phones. That change was supposed to be implemented last summer, but the company failed to meet that deadline, citing the pandemic among other reasons.
The new July 12 deadline will come just weeks after the overturning of Roe v. Wade, a decision that has shed light on how smartphone apps can be used for surveillance by US states with new anti-abortion laws. .
“It’s long overdue. Data brokers have long been banned from using data under Google’s terms, but Google hasn’t built safeguards into the app approval process to catch this behavior.” . They ignored it,” said Zach Edwards, an independent cybersecurity researcher who has been investigating the flaws since 2020.
“So now anyone with a credit card can buy this data online,” he said.
Google said: “In March 2021, we announced that we plan to restrict access to this permission, so that only utility apps, such as device search, antivirus and file manager apps, can see that other apps are installed on the phone.” have been done.”
It added: “Never permitted on Google Play to sell App Inventory data or share it for analytics or ad monetization purposes.”
Despite widespread use by app developers, users remain unaware of this feature in Android software – a Google-designed programming interface, or API, known as a “query all package”. This allows apps, or snippets of third-party code inside them, to query the inventory of all other apps on a person’s phone. Google itself has referred to this type of data as high-risk and “sensitive”, and has found that it is being sold to third parties.
Researchers have found that App Inventory can be used to “accurately extract end users’ interests and personal traits”, including gender, race and marital status, among other things.
AdWords has found that a data marketplace, Narrative.io, was openly selling data obtained in this manner by intermediaries, including smartphones using Planned Parenthood and various period tracking apps.
Narrative said it removed pregnancy tracking and menstruation app data from its platform in May in response to a leaked draft outlining the upcoming Supreme Court ruling.
Another research company, Pixalet, found that consumer apps, like a simple weather app, were running bits of code that exploited similar Android features and were collecting data for a Panamanian company with US defense contractors.
Google said it “never sells user data, and strictly prohibits the sale of user data by Google Play developers. We take action when we discover breaches,” adding that it has provided user data to several companies. was allowed to sell.
Google said that it will restrict the Query All Packages feature from July 12 to only those who need it. App developers must fill out a declaration explaining why they need access, and notify Google before the deadline so it can be investigated.
“Deceptive and undeclared use of these permissions may result in the suspension of your app and/or termination of your developer account,” the company warned.