It's likely for Bluetooth access rather than WiFi. It's not uncommon for IoT devices to use bluetooth for setup, and it would be trivially cheap to put BLE beacons on every subway station exit in NYC, essentially giving you fine-enough location detection to uniquely identify most people within a week.
Full disclosure: I'm a Google employee, but not in the areas mentioned in the article. This is my personal opinion.
Regarding the Nest thing: I don't think those devices stop working completely if you don't enable location sharing for the "home and away" feature. It might be bad UI that made the user think that this is the case?
Regarding photo sharing: I think that permission is necessary to show a "photo picker" inside the app that allows the user to pick and choose which photos to upload. I'm not quite sure what the alternative would look like: "he can identify specific pictures in his library and grant access to just those" --> How exactly would that work without the app having access to the pictures? Also, does the author believe the app would then secretly analyze all pictures and send content back to the mothership without the user's consent? Again, this might be a communication/UX issue...
> How exactly would that work without the app having access to the pictures?
Android recently added an option that lets apps pop up a picker and only get access to the picked pictures. They probably just didn't realize that some users might want to only share some photos with Google Photos or didn't think the slice was big enough to justify implementing.
>How exactly would that work without the app having access to the pictures?
Extremely simple: the photo picker is part of the OS and not the app, so the app can open it and wait for return file handles without knowing a thing about what the file browser will display
Selective access to a set of user-specified photos is a native feature of iOS. Any time an app prompts you to choose some photos from your photo reel, you are first given the option to explicitly choose which photos the app even has access to.
On a desktop browser, if a web site wants me to upload photos, I click the "upload" button, and then the browser displays a file picker. The web site only ever sees the files I choose.
The web has this because it has to. Obviously you can't just give a web site permission to see your whole hard drive just to open one file.
But this kind of "privileged picker" approach does not seem to be the norm for mobile apps. I'm actually not sure whether iOS and Android even offer such a UI, or if apps simply have no choice but to request full access and implement their own picker.
If they do offer a picker, I would guess the reason the Google Photos app doesn't use it is not because Google's trying to invade your privacy, but rather because a product manager did not like the fact that they couldn't control the look and feel of the UI. It probably is significantly uglier and clunkier than what the Photos app itself can provide. And unfortunately, most users don't care about granting permissions. So the sleeker UX wins out. (I hate this.)
Bad UI is an intentional decision by the app developers to shepherd folks into thinking they have no choice.
As for how to make photo library access selective, iOS does this just fine. The app thinks it’s seeing everything, but it can only see what you selected. Plus Apple has made it easy to edit those choices. And if you do grant an app unlimited access, it checks in every once in a while to be sure you still want it (particularly if you don’t use the feature very often).
What I find interesting about this article is that the author is the founder of Cloudera. Cloudera was one of the pioneers of the Hadoop ecosystem (and de facto data lake movements).
For the uninitiated, data lakes are used to centralize vast quantities of data - often consumer data - usually by large organizations and governments to provide insights and inform decisions within the organization. Some call this surveillance capitalism.
Cloudera IPO'd somewhere around $2B and was taken private in a deal led by KKR for around $5B.
Other than possibly losing social capital, why does this surprise you? They are intimately familiar with the intricacies of how the technology is used to hoard and catalogue every aspect of our digital lives.
It seems I’m not the only one who feels that Google’s ad tracking has improved a lot — to the point where it makes me a bit nervous. A few days ago, I searched for a medicine just once using Firefox’s private mode, and now both Google search ads and YouTube ads are filled with related topics. Maybe I need to reset all my Google ad tracking IDs and stop using Google for anything sensitive.
I've always wondered why we can't just re-create a product in its original form. The original Dropcams from 2014, along with their app, had a far superior user experience to anything available today.
You can. Just be the kind of founder that won't sell out your users for an extra payday (private equity, VC, sale to a bigger corporation, squeezing extra money by enshittifying the product, etc.)
That hacky workaround is beside the point. Most people aren't that conversant with the permissions options on their devices. And even if they are, intentionally forcing them to turn it off is the problem: Google doesn’t care about your experience or your privacy. They just want to take advantage of captive users.
> As part of [a Nest update], Google demanded that I allow the app to track her location at all times, whether the app was active or not. The stated rationale was that it would allow Google to manage devices in her home
The app requests the permission via the normal mechanisms any app uses; it doesn't "demand" it. And you don't have to allow it (and of course can turn it off at any time by going to the app's permissions settings). If you don't, it will indeed pop up a warning that it can't enable the home-occupancy-detection feature, and direct you where you need to go to disable that in settings.
Contra the confused language in the article, Nest hardware works just fine if you disable that feature, though obviously it's a pretty useful feature to enable.
(And yes, I work there, but nowhere near Nest stuff. I do own one though.)
Google requested access to all the friends pictures? Or is that just the limits of Android permission?
GrapheneOS has storage scopes that get between app and OS to be able to do what the author wants: only let the app know of the existence of specific files, not entire libraries.
This is a part of Android natively. I assume that since most users intend to use Google Photos to manage their photos that it would request access to all photos.
I don't believe that Google would upload your photos remotely that haven't been backed up through Google Photos. Technically it sounds like their privacy policy would allow photos uploaded to Google to be used for training a model within Photos (e.g., I suspect their Ask Photos AI was probably trained on Google Photos data?) but it states that it won't be used for Ads or for training models outside of Photos.
My neighbor said he recently plugged his iPhone into a PC while logged in to his Google account in the browser, and all his iPhone contacts were imported into Gmail contacts. Is this possible? The contacts are now in Gmail, and he did not affirmatively consent at any stage, is the story.
I’m pretty sure that Apple blocks any exporting of contacts without consent, maybe he previously consented and it stored it, or he clicked ok without thinking. Even things that require consent can be engineered to make it easy to thoughtlessly agree
Twitter pulled that shit very early on iOS, before they had the permissions; all my contacts were uploaded to their server. Never ever trust that company again.
Expecting engineers to refuse and get themselves fired, or even to find another job, is not good advice at all. It would be far better advice for people with like minds to remain in a company like Google and collect data, share knowledge or information, and maybe even just not make certain improvements, etc. It is always far better to have someone on the inside than not. This self-righteousness of refusing to do something in a system that will hardly notice your protest for more than a day is utterly foolish. These organizations need to be infiltrated, and smartly, using intelligent methods to report what is going on. This monster cannot be slain from the outside, and time is running out before tech companies totally remove the human threat vector from the system.
Curious to get HN's take on this. I was pretty surprised at Google a few days ago. A family member had recently passed away, and so I Googled ("funeral homes <location>") in incognito on Google Chrome (I suppose it felt a bit sensitive and I didn't want my Google account associated with it). A few minutes later I opened up Google Maps on my phone (different device, but logged into my Google account) and there were a few ads for funeral homes (they looked like squares and were highlighted).
Obviously, this is technically feasible: I was on my home internet (both computer & phone), and presumably there are <5 accounts that share this IP address. So when I search, they ~know who I am, and so therefore could serve me ads when I'm logged in. But I was still surprised that Google would do it — I guess I would've thought that Google would drop incognito mode requests and not use them for ad targeting. (Since, well... it is quite trust destructive.)
Does anybody know if Google is doing this intentionally? It seems like this is pretty value destructive for them long-term? Or... am I just being paranoid and this is just a frequency illusion?
Actually — while I'm here: does anybody have recommendations for per-app or per-site VPNs, especially on iOS? That's basically what I would want here: a different IP address when I open an incognito window, or for each app on my phone (e.g. Brave should have a different IP address than Gmail). I ask because while system-wide VPNs help somewhat... if I ever open anything identifying, I can effectively be fingerprinted anyways.
For example, if I start a Mullvad VPN, and open up an incognito window, but am still signed into Google (on my non-incognito window), Google now knows who I am (in both windows). Then if I browse a website that has GA (within incognito), theoretically Google could figure out who I am. This would be avoided if I shared nothing (not IP address, not browser fingerprinting) between my two windows. Is there any way to do that at scale besides just... closing everything before I go into incognito?
It has been obvious that we were supposed to be sandboxing these browser sessions in the OS and sandboxing these Google Accounts in basic internet opsec. Being able to create and discard these identities at will is the only sensible, resilient way to function.
Google has actively fought against this, and many people haven't noticed. Things like requiring 2FA for new Google account activation are ridiculously destructive to the ability to maintain any privacy or security. My workplace started demanding 2FA phone/email activation and their response to "So give us a workplace email account then, I'm not using my personal phone" was literally "Just go create a free GMail", which isn't a thing any more without a personal phone.
And it goes beyond new accounts.
I have a 2006-vintage, realname, first.last@gmail.com forwarding account for formal uses that I can't access any more DESPITE HAVING THE PASSWORD AND CONTROL OF THE RECOVERY EMAIL because I refused to hook up 2FA, and moved from the old PC to the new PC which Google doesn't recognize session cookies on. Give Google the keys to the castle or fuck you, we're walling up the doors.
These are dark patterns that, if Google is going to fight us on, demand regulation. Consistent access to specific email & phone numbers were never supposed to be this important to a functioning life, and not supposed to provide a shady for-profit private entity with a permanent panopticon dossier on your activities either. We would flip the table and replace governments if they tried to do this to us. We have, in some cases.
Burn it all down and create some kind of nonprofit NGO to run email or to run the Google Empire, which needs to be simultaneously secure and feasibly pseudonymous in order for people to continue having the basic human rights they enjoyed in the 2010's and 2000's when Google was still in the "Be Less Evil" phase.
> a different IP address when I open an incognito window, or for each app on my phone (e.g. Brave should have a different IP address than Gmail)
Isn't this essentially Tor? Per-connection almost-random IP addresses.
iCloud Private Relay does this for private windows in the latest iOS versions (18 and up)
https://support.apple.com/en-us/102602
Highly recommend iCloud Private Relay plus Safari. Sites often think I'm in New England, or Montreal, or a bunch of places I'm not, seemingly at random.
From Incognito window's note
> Others who use this device won’t see your activity, so you can browse more privately. This won't change how data is collected by websites you visit and the services they use, including Google. Downloads, bookmarks and reading list items will be saved
Incognito does not hide your activity from Google. Especially when you googled in incognito and they likely use IP addresses as part of their targeting. I am also assuming it's different for different kinds of ads given you won't see ads if you look at something personal. They in fact allow IP address targeting somehow. [1] Their privacy stance is more about 3rd parties not having access to the data Google has collected.
[1]: https://www.shopifreaks.com/google-to-allow-the-use-of-ip-ad...
> Curious to get HN's take on this.
I don't think there is consensus on HN regarding privacy issues.
I'm with the author. I view Google as a mass surveillance operation that has grown so large and invasive that I no longer want anything to do with them. I avoid their services as much as I can, and try to minimize and isolate cases where I can't.
My assumption (I no longer work at Google, and I didn't have anything to do with this part of the infra) is that Google uses IP addresses for ad targeting (and other targeting). In fact I think they announced this recently, but I believe they were doing it before. It is also possible it was coincidence in your case, but I doubt it.
I would be surprised if they weren’t. Incognito mode is for cleaning up cookies and browser history, not actual privacy.
Google fully understands that users are reaching for incognito because they want their session to be 100% ephemeral; they just don't care, because they're paid to not care. The technical distinction between local and remote data is unrelated; Google could offer privacy if they wanted to.
Google has specifically created an entire page telling users exactly what to expect from incognito browsing: it's the first page that opens when you go into incognito mode, every time.
Relevant Scott McCloud Chrome comic: https://www.google.com/googlebooks/chrome/big_22.html (2008)
Do you think browsers should tell the server that they are in incognito mode? Because that is what you are asking for, and that would just reduce privacy, not increase it.
That's not the only way it could be done.
But sure, sending that extra tidbit of information specifically to servers that they can verify won't track you would be a good tradeoff.
Even worse is that they probably do try to detect if you're in an incognito session, but only for their benefit.
Edit: Here's an easy thing they could do. Even if we accept or pretend to desire cross-browser correlation at all, new-seeming browser profiles could have their information siloed for a few days and if they disappear in that time it all gets treated as an incognito session.
https://www.skeletonclaw.com/image/710734055173472257
It used to be worse. I operate a VPN for my extended family, some of whom are deployed overseas at any time.
They would google for things and suddenly my ads would show nightclubs near them (thousands of miles from me) and Google’s default language would even change to the country they currently reside in. Just because the outgoing IP is shared across both users.
It’s actually gotten “better” but one could argue maybe they’re able to perform more precise targeting instead of throwing away signal.
While it very much could be a frequency illusion, I also think it's naive to assume this is remotely value destructive for them in the longer term. The number of people who will notice or care is obscenely small in comparison to their larger population.
Personally I wouldn't put it past them to absolutely do it on purpose/by design.
Had the same thing happen to me and I am wondering how this can be legal (here in Europe). It is basically indirectly leaking search information to other users of the IP. I can think of not so bad information where it e.g. shows engagement ring ads. But I can also think of quite bad scenarios.
> it is quite trust destructive
The common narrative is that they're gathering as much ad-targeting data as possible. No one seems to care. What do they have to lose?
I also heard many similar stories. Seems like we may all need to run Tor Browser now!
> I guess I would've thought that Google would drop incognito mode requests and not use them for ad targeting
How would that work without unmasking the use of incognito mode? All the backend[1] knows is that it got a request for a search. There's (by design!) no way to know that that came from an incognito window in a browser that is otherwise logged in to a Google account.
[1] I know, I know, this is a(nother) anti-Google rant. But Facebook and Microsoft and TikTok and everyone else does this too. If you flag your interest in $THING on the internet to $SITE, then $SITE will try to show ads for $THING to your roommates, kids, grandparents, etc...
You search for xyz and that goes into some online system with associated features like ip subnet or whatever. Then you load gmaps from the same subnet. It's not about "knowing who I am" it is just a distance metric in a hyperparameter space.
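The "online system" sketched in the comment above, as an added toy model of the linkage mechanism (this is editor-written example code, not Google's code and not anything posted in the thread). It buckets request events by IP prefix and attributes interest signals from logged-out (incognito) requests to any account seen from the same prefix within a time window. The `/24` prefix, the 10-minute window, the event schema and all addresses and account names are constructed assumptions; the sample events replay the three situations the thread describes: the home NAT (desktop search, then logged-in phone), the shared family VPN exit, and an incognito search behind an exit nobody logged in from.

```python
"""Toy model of cross-session interest linkage keyed on shared network identity.

Constructed example: the schema, the /24 granularity and the 600 s window are
assumptions chosen to illustrate the mechanism, not a description of any real
ad system.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Event:
    t: int                    # seconds on a constructed clock
    ip: str                   # client address as seen by the server
    account: Optional[str]    # None for a logged-out / incognito request
    kind: str                 # "search" or "pageview"
    topic: str                # interest label derived from the request


def prefix(ip: str, bits: int = 24) -> str:
    """Network identity used as the join key, e.g. '203.0.113.7' -> '203.0.113.0/24'."""
    return str(ip_network(f"{ip}/{bits}", strict=False))


def link_interests(events: Iterable[Event], window_s: int = 600,
                   bits: int = 24) -> Dict[str, Set[str]]:
    """Attribute anonymous interest signals to accounts that appeared from the
    same prefix within window_s seconds. Returns {account: set(topics)}.

    No identity is ever "known" for the anonymous request; the link is purely a
    nearness test on (prefix, time), which is why a shared NAT or VPN exit leaks
    one user's searches onto another's ads.
    """
    by_prefix: Dict[str, list] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.t):
        by_prefix[prefix(e.ip, bits)].append(e)

    attributed: Dict[str, Set[str]] = defaultdict(set)
    for evs in by_prefix.values():
        anon = [e for e in evs if e.account is None]
        known = [e for e in evs if e.account is not None]
        for a in anon:
            for k in known:
                if abs(k.t - a.t) <= window_s:
                    attributed[k.account].add(a.topic)
    return dict(attributed)


# Constructed sample traffic (RFC 5737 documentation addresses, invented accounts).
SAMPLE_EVENTS = [
    # Home NAT: incognito desktop search, then the logged-in phone a few minutes later.
    Event(0,    "203.0.113.7",  None,    "search",   "funeral homes"),
    Event(300,  "203.0.113.7",  "alice", "pageview", "maps"),
    Event(5000, "203.0.113.7",  "alice", "pageview", "maps"),      # outside the window
    # Shared family VPN exit: a relative's search lands on the operator's account.
    Event(10,   "198.51.100.4", None,    "search",   "nightclubs"),
    Event(200,  "198.51.100.4", "carol", "pageview", "youtube"),
    # Incognito search behind an exit from which nobody was ever logged in.
    Event(20,   "192.0.2.33",   None,    "search",   "medicine"),
]


if __name__ == "__main__":
    for account, topics in link_interests(SAMPLE_EVENTS).items():
        print(account, sorted(topics))
```

Run as a script it prints `alice ['funeral homes']` and `carol ['nightclubs']`; the "medicine" search is never attributed because no account shares its prefix. Shrinking the window (say `window_s=100`) drops both links, which is the only lever a user has on the client side: either no logged-in session shares the egress with the anonymous one at all, or the anonymous session uses a different egress (the per-app VPN, Tor or Private Relay suggestions elsewhere in the thread).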
Hmm. Good point; agreed it's likely just getting ingested by online system. I guess I would've thought that Google would drop non-logged-in requests from going into their online system, or that at least they would do so for incognito requests from their own browser. Haha. How naive I am!
Incognito, as is explained thoroughly on the new tab page, exists to stop the browser from leaving data on your computer.
I have a separate phone with location off and always on mullvad VPN, and separate accounts for everything, and I still see ads on my main phone for things I search for or interact with on my VPN phone. It's infuriating.
How would this happen? Are you sure it's not just the frequency illusion? DNS? (Although that I think would only give you domains.)
Proximity to other rf emitting devices? I always assumed this is how those "I googled x and discussed it with a friend over dinner and now my friend sees adverts for X" type things work.
Your phone knows which Wi-Fi networks are nearby. This alone can be used, in theory, to uniquely identify your location.
something to think about…
For some reason, this reads like an elaborately fake post to indirectly bring up search interest groups (Google's ridiculous alternative to third-party cookies).
> I acknowledge, by the way, that I use Google services to run my vanity domain, including my web site and mail server. It's a hassle to move all that, but one I am ever nearer to taking on.
> And a final response is for the engineers who work for these big tech companies simply to refuse to build systems that work this way. If you're at Google, you have agency – you decide what code you write. Yeah, I know: "No" might get you fired. But there are other jobs.
Am I to understand that it’s too much of a hassle to move domains but not to change jobs (after being fired, no less)?
Yeah, that's a pretty big case of dissonance there. While I agree with large parts of the article in general, the bit about getting yourself fired is just completely out of touch with reality in a job market trying to replace engineers with shitty AI.
Nitpick: it's not cognitive dissonance, just "selfishness". Wanting others to take on burdens that you don't want to bear is a universal human desire, and not very surprising. It's just frowned on as a matter of moral philosophy, so you're not supposed to frame it like that in formal writing. The author's crime is poor editing, basically.
I never said cognitive, just dissonance.
A tension or clash resulting from the combination of two disharmonious or unsuitable elements.
I had the same train of thought when I moved from Android to iOS, back when Google killed off App Ops. It was incredibly suspicious of Google to remove a tool that lets you take away a permission that an app autogranted itself upon install.
I believe the location tracking is necessary for apps that are trying to detect the default/config access point that many devices spawn for setup. As I understand it, because wifi AP name awareness is approximately equal to location knowledge, wifi control requires a location information grant. It doesn't forgive the crummy design that implies (what about providing an allowlist of AP masks that can be scanned for?), but there is another side to the coin of "please give us location access so we can spy on you" in that uses that AREN'T for spying still require the same prompt for permission.
I wouldn't say /never/ attribute to malice anywhere we're in the vicinity of an enormous data actor with a not-great track record, but probably at least /even/ are the number of cases of privacy violation attributable to maliciousness vs. terrible design that is either excessively encumbered or insufficiently granular.
I'm perfectly happy for Acme Random App to scan for `pps-setup-wifi-**` at one time, but not all wifi networks forever.
It's likely for Bluetooth access rather than WiFi. It's not uncommon for IoT devices to use bluetooth for setup, and it would be trivially cheap to put BLE beacons on every subway station exit in NYC, essentially giving you fine-enough location detection to uniquely identify most people within a week.
I believe on Android that's the "find devices near you," which used to be part of location but now is discrete.
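The sub-thread above makes two points worth seeing side by side: a raw Wi-Fi scan result is effectively a location fingerprint, and the allowlist-of-SSID-masks idea would give a setup app what it needs without that. The following is an added illustration written for this page, not code from anyone in the thread or from Android. The scan result, the "geolocation database" and the `pps-setup-wifi-*` pattern are all constructed sample data; `locate` shows what the unrestricted result is worth to a tracker (set overlap against known places), and `scoped_scan` is a hypothetical OS-side filter of the kind the comment proposes.

```python
import fnmatch

# Constructed sample scan result as the OS radio sees it: (SSID, BSSID, RSSI in dBm).
SAMPLE_SCAN = [
    ("HomeNet-5G",          "a4:2b:8c:11:22:33", -41),
    ("Neighbour-2.4",       "10:9f:a9:44:55:66", -67),
    ("pps-setup-wifi-7f3a", "02:00:00:00:aa:bb", -35),   # the device-setup AP the app actually needs
    ("xfinitywifi",         "f8:1a:67:77:88:99", -72),
]

# Constructed stand-in for a crowd-sourced AP geolocation database: place -> BSSIDs seen there.
AP_DB = {
    "home":   {"a4:2b:8c:11:22:33", "10:9f:a9:44:55:66"},
    "office": {"00:11:22:33:44:55", "66:77:88:99:aa:bb"},
}


def locate(scan, db, threshold=0.3):
    """What an unrestricted scan is worth to a tracker: Jaccard-match the observed
    BSSID set against each known place and return the best match above threshold,
    else None. Partial overlap is enough, which is why one scan usually suffices."""
    seen = {bssid for _ssid, bssid, _rssi in scan}
    best, best_score = None, 0.0
    for place, aps in db.items():
        union = seen | aps
        score = len(seen & aps) / len(union) if union else 0.0
        if score > best_score:
            best, best_score = place, score
    return best if best_score >= threshold else None


def scoped_scan(scan, allowed_pattern):
    """Hypothetical least-privilege alternative: the app declares an SSID glob up
    front; the OS returns only the matching SSIDs and withholds BSSID and signal
    strength, so the result carries nothing a location database can key on."""
    return [ssid for ssid, _bssid, _rssi in scan
            if fnmatch.fnmatchcase(ssid, allowed_pattern)]


if __name__ == "__main__":
    print(locate(SAMPLE_SCAN, AP_DB))                     # the full scan pins the user to "home"
    print(scoped_scan(SAMPLE_SCAN, "pps-setup-wifi-*"))   # the setup app still finds its device
```

The point of the pair is that the scoped result is sufficient for the setup flow (the app learns that `pps-setup-wifi-7f3a` exists and can join it) while `locate` has nothing to work with, since no BSSIDs leave the OS.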
Full disclosure: I'm a Google employee, but not in the areas mentioned in the article. This is my personal opinion.
Regarding the Nest thing: I don't think those devices stop working completely if you don't enable location sharing for the "home and away" feature. It might be bad UI that made the user think that this is the case?
Regarding photo sharing: I think that permission is necessary to show a "photo picker" inside the app that allows the user to pick and choose which photos to upload. I'm not quite sure what the alternative would look like: "he can identify specific pictures in his library and grant access to just those" --> How exactly would that work without the app having access to the pictures? Also, does the author believe the app would then secretly analyze all pictures and send content back to the mothership without the user's consent? Again, this might be a communication/UX issue...
> How exactly would that work without the app having access to the pictures?
Android recently added an option that lets apps pop up a picker and only get access to the picked pictures. They probably just didn't realize that some users might want to only share some photos with Google Photos or didn't think the slice was big enough to justify implementing.
> How exactly would that work without the app having access to the pictures?
Extremely simple: the photo picker is part of the OS and not the app, so the app can open it and wait for return file handles without knowing a thing about what the file browser will display
Selective access to a set of user-specified photos is a native feature of iOS. Any time an app prompts you to choose some photos from your photo reel, you are first given the option to explicitly choose which photos the app even has access to.
GrapheneOS has Storage Scopes that does exactly this. (https://grapheneos.org/features#storage-scopes)
On a desktop browser, if a web site wants me to upload photos, I click the "upload" button, and then the browser displays a file picker. The web site only ever sees the files I choose.
The web has this because it has to. Obviously you can't just give a web site permission to see your whole hard drive just to open one file.
But this kind of "privileged picker" approach does not seem to be the norm for mobile apps. I'm actually not even sure if iOS and Android even offer such a UI, or if apps simply have no choice but to request full access and implement their own picker.
If they do offer a picker, I would guess the reason the Google Photos app doesn't use it is not because Google's trying to invade your privacy, but rather because a product manager did not like the fact that they couldn't control the look and feel of the UI. It probably is significantly uglier and clunkier than what the Photos app itself can provide. And unfortunately, most users don't care about granting permissions. So the sleeker UX wins out. (I hate this.)
I don’t know about Android but iOS does offer a picker. The user can grant permission for the app to access all photos, only selected photos, or none.
Bad UI is an intentional decision by the app developers to shepherd folks into thinking they have no choice.
As for how to make photo library access selective, iOS does this just fine. The app thinks it’s seeing everything, but it can only see what you selected. Plus Apple has made it easy to edit those choices. And if you do grant an app unlimited access, it checks in every once in a while to be sure you still want it (particularly if you don’t use the feature very often).
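Several comments above (the OS-owned picker that returns file handles, the desktop browser's upload dialog, the iOS "selected photos only" mode) describe the same security design: the party with library access is the OS picker, and the app only ever receives handles to what the user chose. The following is an added illustration written for this page, not code from any commenter or from Android, iOS or a browser. It models the privileged picker and the unprivileged app as two ends of a Unix socket and passes open file descriptors with SCM_RIGHTS (Python's `socket.send_fds`/`socket.recv_fds`, Unix only, Python 3.9+). The "photo library" is a constructed temporary directory; in a real system the app's sandbox would also block the library path, which a single-process demo cannot show.

```python
import os
import socket
import tempfile

# Constructed sample "photo library"; names and contents are invented for the demo.
LIBRARY = {
    "beach.jpg": b"image-data:beach",
    "receipt.jpg": b"image-data:receipt",
    "passport.jpg": b"image-data:passport",
}


def make_library(root):
    """Write the constructed library under root (stands in for the OS photo store)."""
    for name, data in LIBRARY.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)


def picker(sock, root, chosen):
    """Privileged side (the OS picker). It is the only party that reads the
    library directory; it opens exactly the user's picks and hands the
    descriptors across the socket as SCM_RIGHTS ancillary data."""
    fds = [os.open(os.path.join(root, name), os.O_RDONLY) for name in chosen]
    socket.send_fds(sock, [b"picked:%d" % len(fds)], fds)
    for fd in fds:  # the receiver now holds duplicates; drop the picker's copies
        os.close(fd)


def app(sock):
    """Unprivileged side (the app). It never learns the library path or its
    listing; all it receives is open descriptors for the picked files."""
    data, fds, _flags, _addr = socket.recv_fds(sock, 1024, 16)
    files = []
    for fd in fds:
        with os.fdopen(fd, "rb") as f:
            files.append(f.read())
    return data, files


def demo(chosen):
    """Run picker and app over a socketpair; return (message, file contents) the app got."""
    with tempfile.TemporaryDirectory() as root:
        make_library(root)
        picker_end, app_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            picker(picker_end, root, list(chosen))
            return app(app_end)
        finally:
            picker_end.close()
            app_end.close()


if __name__ == "__main__":
    msg, files = demo(["beach.jpg"])
    print(msg, files)  # the app holds one file and knows nothing about the other two
```

The design property is in the split: `app` has no code path that touches `root`, and the only thing crossing the boundary is a descriptor per chosen file, so there is nothing for a "scan everything and phone home" path to scan. This is the same shape as a browser's `<input type="file">`, where the dialog belongs to the browser and the page sees only the returned `File` objects.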
> Larry and Sergey said the company's motto was "Don't be evil." I believed them!
Yes I believed it too back then, and I reckon Larry and Sergey did too.
Whenever I am reminded of this failed motto I can't help but wonder if Larry and Sergey are disturbed by nightmares.
What I find interesting about this article is that the author is the founder of Cloudera. Cloudera was one of the pioneers of the Hadoop ecosystem (and de facto data lake movements).
For the uninitiated, data lakes are used to centralize vast quantities of data - often consumer data - usually by large organizations and governments to provide insights and inform decisions within the organization. Some call this surveillance capitalism.
Cloudera IPO'd somewhere around $2B and was taken private in a deal led by KKR for around $5B.
Other than possibly losing social capital, why does this surprise you? They are intimately familiar with the intricacies of how the technology is used to hoard and catalogue every aspect of our digital lives.
Good catch! Cloudera did not last long or grow enough to suffer the same problem.
It seems I’m not the only one who feels that Google’s ad tracking has improved a lot — to the point where it makes me a bit nervous. A few days ago, I searched for a medicine just once using Firefox’s private mode, and now both Google search ads and YouTube ads are filled with related topics. Maybe I need to reset all my Google ad tracking IDs and stop using Google for anything sensitive.
Check out Firefox PPA.
I've always wondered why we can't just re-create a product in its original form. The original Dropcams from 2014, along with their app, had a far superior user experience to anything available today.
You can. Just be the kind of founder that won't sell out your users for an extra payday (private equity, VC, sale to a bigger corporation, squeezing extra money by enshittifying the product, etc.)
Instead of writing a blog post or throwing away a working device, I would have just removed the location permission after updating the wifi...
That hacky workaround is beside the point. Most people aren't that conversant with the permissions options on their devices. And even if they are, intentionally forcing them to turn it off is the problem: Google doesn't care about your experience or your privacy. They just want to take advantage of captive users.
The good thing is that they are largely a consumer company, which means they are sensitive to consumer sentiment. No users, no ad revenue.
> What do we do to fight it?
Switch to Apple, a.k.a Not an Ad Company.
Just to un-spin this a bit...
> As part of [a Nest update], Google demanded that I allow the app to track her location at all times, whether the app was active or not. The stated rationale was that it would allow Google to manage devices in her home
The app requests the permission via the normal mechanisms any app uses; it doesn't "demand" it. And you don't have to allow it (and of course can turn it off at any time by going to the app's permissions settings). If you don't, it will indeed pop up a warning that it can't enable the home-occupancy-detection feature, and direct you where you need to go to disable that in settings.
Contra the confused language in the article, Nest hardware works just fine if you disable that feature, though obviously it's a pretty useful feature to enable.
(And yes, I work there, but nowhere near Nest stuff. I do own one though.)
Google requested access to all the friends pictures? Or is that just the limits of Android permission?
GrapheneOS has storage scopes that get between app and OS to be able to do what the author wants: only let the app know of the existence of specific files, not entire libraries.
This is a part of Android natively. I assume that since most users intend to use Google Photos to manage their photos that it would request access to all photos.
I don't believe that Google would upload your photos remotely that haven't been backed up through Google Photos. Technically it sounds like their privacy policy would allow photos uploaded to Google to be used for training a model within Photos (e.g., I suspect their Ask Photos AI was probably trained on Google Photos data?) but it states that it won't be used for Ads or for training models outside of Photos.
Nothing man-made is free.
> Nothing man-made is free.
That's only true if you define "free" differently than it has always been defined in the whole history of using it as a label for man-made things.
My neighbor said he recently plugged his iPhone into a PC while logged in to his Google account in the browser, and all his iPhone contacts were imported into Gmail contacts. Is this possible? The contacts are now in Google Gmail, and he did not affirmatively consent at any stage, is the story.
I’m pretty sure that Apple blocks any exporting of contacts without consent, maybe he previously consented and it stored it, or he clicked ok without thinking. Even things that require consent can be engineered to make it easy to thoughtlessly agree
At this point the FOSS address book on F-Droid has a way to store your contacts so that they are NOT visible to other apps.
Wow can't believe this is still happening!
Twitter pulled that shit very early on iOS before they had the permissions; all my contacts were uploaded to their server. Never ever trust that company again.
Sure are a lot of leaps of logic in here.
Expecting engineers to refuse and get themselves fired or even find another job is not good advice at all. It would be far better advice for people with like minds to remain in a company like Google and collect data, share knowledge or information, and maybe even just not make certain improvements, etc. It is always far better to have someone on the inside than not. This self-righteousness of refusing to do something in a system that will hardly notice your protest for more than a day is utterly foolish. These organizations need to be infiltrated, and smartly, using intelligent methods to report what is going on. This monster cannot be slain from the outside, and time is running out before tech companies totally remove the human threat vector from the system.