Let's talk about Google

Google has many ways to collect information about us. In this article, we'll discuss some of them, focusing on how it collects data on the web and on Android devices. Other platforms are in no way exempt from what I'm describing here.

To get an idea of how much data Google knows about us, log in to your Google account and visit Google Takeout. Takeout was created to comply to EU privacy regulations, and it creates an archive of all the data that Google knows about you (but not what they datamined from you). This includes:

  • Everything you have on your Google Drive, YouTube, Gmail, Calendar, Contacts, etc. accounts (as expected), including files, photos, comments, interactions, etc.
  • A list of all your purchases since the account was created, both on your Google account, and from any other site that sent you a confirmation email to your Gmail account
  • Your search history since the account was created
  • Recordings of every time the Google Assistant was activated on your phone (deliberately or accidentally, it's always listening)
  • Your physical location, sampled every few minutes, since the account was first used on an Android device
  • Your browsing history and passwords if you used Google Chrome
  • And a lot more, see for yourself...

In addition to what you can see on Takeout, there probably a lot more that Google knows about you, including your interests and political views, but they won't share this with you.

Why should I care about it? I got nothing to hide

Every time I talk about this, people call me a tinfoil hatter, a conspiracy theorist. Let me put it in terms that anyone can understand: imagine that you walk into a bar, and the bartender tells you that by setting foot inside the building, you consented to having your identity and your every move be stored, analyzed, and given to other bartenders around the world, and every time you ever step into any bar, he will know who you are, where you are, and what you did in there. And there is nothing you can do about it. This is exactly what Google does with your browser.

Saying that you don't care about privacy because you have nothing to hide is like saying that you don't care about free speech because you have nothing to say (quot. Edward Snowden). By using Google services (or any other "free" cloud service) you are giving a great deal of personal information to complete strangers. If you think that's a good idea or that it's somehow OK because they're giving you free services, my email address is info@fdossena.com: send me the passwords to all your email accounts and I'll give you 50GB of cloud storage on this site. That's more than Google offers. Do you accept? Because you did that when you signed up to Google.

Let's talk about how they collect data.

On the web

When we first connect to Google (or any of their services), we get a cookie that uniquely identifies us on all of Google's services (such as YouTube, Maps, Translator, ...); but this is not just an ordinary cookie, it's a permanent, third party, tracking cookie; in other words, the cookie is valid not just for Google's domains, but for the whole web, and if we're on some random website that happens to use any Google service (this is very common, since Google provides a lot of services to web developers), Google will receive that tracking cookie along with the request, and it will know exactly who we are and where we are on the web.
By using these tracking cookies, Google can get a good idea of our browsing history if we don't protect ourselves, and they will use it to profile us, display targeted ads based on our interests, and general data mining. This happens even if we're not logged in with our Google account. Without any protection, it only takes Google a few days to get all our web browsing habits, including those sites that we don't want others to know we visit.

What services does Google provide on the web?

In addition to the services that Google directly provides to end users, like search, YouTube and Maps, Google provides a huge deal of services to web developers, who, by using these services, expose users of their websites to tracking and profiling. Let's see some of them:

  • Ever been on the website for some restaurant or store, and there was a map showing you where the place is? It's most likely provided by Google.
    Embedded map
  • Ever had to prove that you're not a robot to access a website? The ReCAPTCHA service is provided by Google.
    ReCAPTCHA
  • Ads everywhere? Google Ads (easily recognizable by the triangle icon in one of the corners).
    Google ads
  • Nice font? It's probably provided by Google Fonts.
    Google Fonts
  • Sites that collect information without you knowing? That data goes through Google Analytics.
    Google Analytics
  • And a lot more...

These services are pretty much everywhere on the web, even on services that claim to be privacy aware, Google uses them to track your activities on the web. Some of them, like Analytics and ads, can be blocked without adverse consequences, others, like ReCAPTCHA, are outside of your control as a user.

Fingerprinting

Some of Google's most used services, like Analytics and ReCAPTCHA, use fingerprinting techniquest to identify users without using tracking cookies, and to collect information about the user and the machine.

Fingerprinting consists in giving the browser ambiguous instructions and seeing what it does. The most common fingerprinting technique is the invisible Canvas fingerprinting: a piece of JS tells the browser to create a Canvas, draw a gradient with an unusual angle, draw lines that don't perfectly align to pixels, write text with unusual fonts that are only present on the system if certain applications are installed, and so on and so forth; then, a hash of the image is calculated and this is your fingerprint, and this is highly unique even, because it depends on browser, screen resolution, browser settings, hardware acceleration, GPU, GPU driver, OS, installed applications, and more. To get an idea of how unique your fingerprint is, you can visit this site.

Services like ReCAPTCHA and Analytics use these techniques to get a great deal of information about you and your hardware, and they do it all behind your back. As a matter of fact, ReCAPTCHA's JavaScript code is not only proprietary, it's also heavily obfuscated to the point where it resisted many attempts at reverse engineering by security specialists. The only people knowing exactly how ReCAPTCHA works, what information it collects, and what it does on your machine, are the people developing it at Google. Also, ReCAPTCHA punishes users that try to protect themselves from tracking and fingerprinting by forcing them to do more challenges (and harder ones) before confirming that they're human. As an added bonus, know that every time you solve a ReCAPTCHA, you're working for Google for free, training their neural networks for self-driving cars. The system confirms that you're human if your answers are similar enough to what other users answered.

Google Chrome

If you're using Chrome, you are literally sending your whole digital life to Google. All the privacy problems of Google get infinitely worse if you use Chrome.

Here are some of the problems with Google Chrome:

  • Chrome is not entirely open source (Chromium is, but it still sends data to Google): the Flash player, the Widevine implementation, and the updater service are all proprietary, and no one knows what that code does on your machine
  • Chrome tracks your browsing and search history, and if you're logged in with your Google account, it will also store your passwords and preferences
  • Before you even press enter on a search, Google already knows what you're typing (search prediction), and while you're reading a webpage, Chrome sends Google the current URL to get suggestions for the most visited pages on that site so that it can preload them while you're reading.
  • Chrome profiles your computer: in addition to all your activities in Chrome, it collects all your inputs (yes, it contains a keylogger!), your installed apps, your usage times, and a lot more information that has nothing to do with Chrome
  • Chrome is always listening and recording: if you're logged in with your Google account, everything you say ends up in your account, including "a few seconds of audio before the record function is activated" (that's what it says in the privacy policy), meaning that it's always listening
  • If a webpage wants to know your location, Google will know it too
  • If you enable the Data Saver function on your smartphone, all your connections will go through Google, which acts as a proxy server
  • And a lot more...

Search

Search is the main service provided by Google, and it makes heavy use of tracking and profiling, especially if you're logged in with your Google account:

  • When you search for something and click on a result, Google will know what you clicked and how long you'll be on that page
  • Google Search, according to the privacy policy, collects: usage data, preference, search and browsing history, location. According to that same privacy policy, your search history is not considered sensitive information, because it doesn't contain your name (but who in the world never googled their name?)
  • Google uses your information to create a profile of your interests, and uses this information to profile us, show relevant ads, sell the profile to other advertising companies, and to create a bubble around us, manipulating what information we see to strengthen or weaken some of our beliefs
  • Google Search results are heavily censored and manipulated. Try comparing the search results between Google and Yandex.ru if you're looking for the torrent of the latest movie
  • If you open a news article on your smartphone, you won't even end up on the site that hosts the article, instead you'll end up on an AMP page full of Google tracking and ads. If you're using Chrome (or another Chromium-based browser), it will even spoof the address to show that of the original article in the address bar

Gmail

If you use Gmail as your main email account, be aware that Google analyzes your conversations with friends and coworkers, and also stores any purchase you have made by analyzing the confirmation emails that you get from the various stores. The only way to delete this information at the moment is to delete your Google account. Previously, you could simply delete the confirmation emails, but now your purchase history is permanent.

Gmail also has another great problem: in order for your conversation to be secure, it's not enough that we are using a privacy respecting email provider, the other person needs to do it too, and unfortunately Gmail is the most used email provider at the moment. For this reason, we need to remember not to add any interesting information in emails if we're replying to someone using Gmail.

Also, Gmail makes use of Analytics.

Drive

When you create your Google account, you get 15GB of free storage on Google Drive. If you use them, you should know that all your data will be analyzed and can be deleted at any time, for any reason. Try uploading a pirated movie, see how long it lasts.

Also, Drive makes use of Analytics.

Google Docs is part of Drive. If you work for an organization that uses Google Docs, you're giving all your company information (and possibly trade secrets) to Google.

YouTube

YouTube has been owned by Google since 2006, therefore it displays Google ads, and is affected by all the tracking and profiling like mentioned previously.

In addition to this, YouTube is known for the heavy censorship, demonetization, and deplatforming of youtubers that talk about controversial topics (like identity politics) and whose views are not aligned with Google. This is not a privacy issue, but it is an ethical issue, because YouTube claims to be an open space for debate, but in reality it's used by Google to influence your views by only showing you certain contents.

YouTube also attacks any service that allows users to access YouTube videos in a privacy respecting way (such as Hooktube and invidio.us).

On Android devices

When we purchase an Android smartphone, 99% of the time, it comes with Google services preinstalled, with no alternatives to choose from, and sometimes no way to remove them (see smartphones with locked bootloader). This is in no way subtle, as soon as we turn on the phone, we are welcomed by several animations of the Google logo, and an invitation (read "obligation") to sign in to a Google account and accept the terms of services which we can sum up as "by using Google services, you accept that all your activities and all your data related to this account and this device are stored and analyzed by Google for techical and commercial reasons".
Once this setup is done, we will have several services available on the smartphone: Google Play Store, the Google Chrome browser, Google Music, Google books, and a more. What we don't see is the rest of the Google Services Foundation, called GSF.

GSF is an enormous proprietary framework that provides access to a lot of Google services to Android applications, similar to the ones that Google provides to web developers. Developers of Android application can use GSF to embed maps in their apps, use geolocation, show ads, use analytics, show push notifications, use sync, and much more. In all of this, Google is always involved: every time an app shows an ad, Google knows who we are and what app we are using; if an app uses Firebase to show push notifications, Google will know the contents of that notification; if an app wants to access our location, Google will know it too (along with a list of nearby Wifi networks); if the app uses Analytics, Google will know all we do in that application; if we use Google Play Store, Google will know which apps we have installed and how we use them. Through this same service, Google can also install and uninstall apps from our devices, even without our consent (for instance, if an app gets pulled from the store).

Almost all the applications that we find on the Google Play Store (even if we access through an alternative client like Aurora Store) depend from GSF, and sometimes this is against the developer's will; for instance, in order to publish an app on the Google Play Store, if this app needs to use push notifications, it must use Google Firebase for that. This is a giant privacy issue and it makes it completely pointless to use privacy respecting messaging apps if they are forced to send all notifications through Google.

Google services on Android are also responsible for synchronization of contacts, calendar, and photos on Google servers; these functions are enabled by default (they're opt-out) and are a huge privacy issue, because we are giving Google all our contacts, our schedules, and our photos (including metadata).

Google also provides a service called SafetyNet, which allows developers (and Google) to know details about the phone's security that have nothing to do with the app (for instance, if we have an unlocked bootloader, or if the device is rooted). As a matter of fact, some apps will straight out refuse to work or nag the user in some way if they made some modification to the phone's software.

The privacy issues of the individual services (like Gmail and Drive) are pretty much the same listed in the previous section about the web, but there are a couple things that make it worse:

  • Being native applications, they have greater access to the device than they do when running inside a browser, and for this reason, Google nags Gmail users if they're not using the official app on Android
  • Google constantly monitors everything we do, even when we're not using the phone, everything we say, everything we type, if, when and how we use applications, and a lot more

The only way to protect ourselves from Google if we have an Android device is to install a custom ROM like LineageOS, without Google service, but Google has some nasty surprises for users of the Android Open Source Project:

  • Stock Chromium is used for WebViews in apps, with Google telemetry
  • Apps that use GSF may not work properly or at all (Ads and analytics can work without it!)
  • The Google DNS server is used, and changing it is very complicated
  • A Google server is used for internet connectivity checks whenever we connect to a network, and changing or disabling this is complicated
  • Apps that need to receive push notifications cannot use Firebase, and must ask for permission to stay connected in background
  • Geolocation is much slower because it cannot use Wifi networks known to Google to find an approximate location (alternative services exist)
  • Google removed the Text To Speech engine and made it proprietary. This stops some navigation apps and assistants from working

In addition to all the privacy issues of Google, we must always be careful about what we install, because they may contain dubious analytics, or straight out malware. To know what an app contains before installing it, we must always check the permissions, and we can also search it on Exodus Privacy.

In conclusion

This article is hardly an exhaustive list of all of Google's wrongdoings, but it should give you an idea of how much they don't care about your privacy.
Remember when Google's slogan was "Don't be evil"? Now you know why they dropped it.

If you're a developer like me, you should avoid Google services like the plague if you care about your users at all.

Let me know if I missed anything important or if there are inaccuracies in the article, and I will be happy to expand or rectify errors.

Share this article

Comments