Google is closing a loophole that allowed thousands of companies to monitor and sell sensitive personal data from Android smartphones, an effort that privacy activists have welcomed in the wake of the US Supreme Court’s decision to end a woman’s constitutional right to abortion.
It also took another step on Friday to reduce the risk of smartphone data being used to monitor the new abortion restrictions, announcing that it would automatically delete location history on phones that were close to a sensitive medical location such as an abortion clinic.
Silicon Valley’s moves come amid growing concerns that mobile apps will be used by US states to monitor the country’s new abortion restrictions.
The companies previously harvested and sold information on the open market including lists of Android users who use apps related to menstrual tracking, pregnancy, and family planning, such as Planned Parenthood Direct.
Over the past week, privacy researchers and advocates have called on women to delete period-tracking apps from their phones to avoid being tracked or penalized for considering abortions.
The US tech giant announced last March that it would restrict the feature, letting developers know what other apps have been installed and deleted on individuals’ phones. This change was supposed to be implemented last summer, but the company failed to meet that deadline citing the pandemic among other reasons.
The new July 12 deadline will come just weeks after the repeal of Roe vs Wade, a ruling that highlighted how surveillance smartphone apps are being used by US states with new anti-abortion laws.
“It’s long overdue. Data brokers have been banned from using data under Google’s terms for a long time, but Google has not put safeguards into the app approval process to catch this behavior,” said Zach Edwards, an independent cybersecurity researcher who has been investigating the vulnerability for a year. 2020, “They just ignored it.”
“Now anyone with a credit card can buy this data online,” he added.
Google said: “In March 2021, we announced that we plan to restrict access to this permission, so that only utility applications such as device search, antivirus, and file management applications can see other applications installed on the phone.”
“The collection of app inventory data to sell or share for the purposes of analytics or ad monetization on Google Play has never been permitted,” she added.
Despite its widespread use by application developers, users remain unaware of this feature of the Android software – a Google-designed programming interface, or API, known as “Query All Packages”. Allows apps, or snippets of third-party code within them, to query the inventory of all other apps on a person’s phone. Google itself referred to this type of data as high risk and “sensitive”, and it was discovered that it was being sold to third parties.
The researchers found that apps’ inventories “can be used to accurately infer end users’ interests and personality traits,” including gender, race, and marital status, among other things.
Edwards found that one data marketplace, Narrative.io, was openly selling data obtained by intermediaries in this way, including smartphones using family planning, and various time-tracking apps.
Narrative said it removed pregnancy and menstrual tracking app data from its platform in May, in response to the leaked draft outlining the upcoming Supreme Court decision.
Another research firm, Pixalate, discovered that consumer apps, such as a simple weather app, were running small pieces of code that exploited the same feature as Android and were collecting data for a Panamanian company with ties to US defense contractors.
Google said it “never sells user data, and Google Play strictly prohibits the sale of user data by developers. When we discover violations, we take action,” adding that it has imposed sanctions on several companies believed to be selling user data.
Google said it will limit the Query All Packages feature to those who request it starting July 12. App developers will be asked to fill out an announcement explaining why they need access, and notify Google before the deadline so they can be screened.
The company warned that “deceptive and unstated uses of these permissions may result in the suspension of your app and/or termination of your developer account.”
Additional reporting by Richard Waters.