Google is closing a loophole that has allowed thousands of companies to monitor and sell sensitive personal data from Android smartphones, an effort welcomed by privacy campaigners in the wake of the US Supreme Court’s decision to end women’s constitutional right to abortion.
It also took a further step on Friday to limit the risk that smartphone data could be used to police new abortion restrictions, announcing it would automatically delete the location history on phones that have been close to a sensitive medical location such an abortion clinic.
The Silicon Valley company’s moves come amid growing fears that mobile apps will be weaponised by US states to police new abortion restrictions in the country.
Companies have previously harvested and sold information on the open market including lists of Android users using apps related to period tracking, pregnancy and family planning, such as Planned Parenthood Direct.
Over the past week, privacy researchers and advocates have called for women to delete period-tracking apps from their phones to avoid being tracked or penalised for considering abortions.
The US tech giant announced last March that it would restrict the feature, which allows developers to see which other apps are installed and deleted on individuals’ phones. That change was meant to be implemented last summer, but the company failed to meet that deadline citing the pandemic among other reasons.
The new deadline of July 12 will hit just weeks after the overturning of Roe vs Wade, a ruling that has thrown a spotlight on how smartphone apps could be used for surveillance by US states with new anti-abortion laws.
“It’s long overdue. Data brokers have been banned from using the data under Google’s terms for a long time, but Google didn’t build safeguards into the app approvals process to catch this behaviour. They just ignored it,” said Zach Edwards, an independent cyber security researcher who has been investigating the loophole since 2020.
“So now anyone with a credit card can purchase this data online,” he added.
Google said: “In March 2021, we announced that we planned to restrict access to this permission, so that only utility apps, such as device search, antivirus, and file manager apps, can see what other apps are installed on a phone.”
It added: “Collecting app inventory data to sell it or share it for analytics or ads monetisation purposes has never been allowed on Google Play.”
Despite widespread usage by app developers, users remain unaware of this feature in Android software — a Google-designed programming interface, or API, known as the “Query All Packages”. It allows apps, or snippets of third-party code inside them, to query the inventory of all other apps on a person’s phone. Google itself has referred to this type of data as high-risk and “sensitive”, and it has been discovered being sold on to third parties.
Researchers have found that app inventories “can be used to precisely deduce end users interests and personal traits”, including gender, race and marital status, among other things.
Edwards has found that one data marketplace, Narrative.io, was openly selling data obtained by intermediaries in this way, including smartphones using Planned Parenthood, and various period tracking apps.
Narrative said it removed pregnancy tracking and menstruation app data from its platform in May, in response to the leaked draft outlining the Supreme Court’s forthcoming decision.
Another research company, Pixalate, discovered that consumer apps, like a simple weather app, were running bits of code that exploited the same Android feature and were harvesting data for a Panamanian company with ties to US defence contractors.
Google said it “never sells user data, and Google Play strictly prohibits the sale of user data by developers. When we discover violations we take action,” adding it had sanctioned multiple companies believed to be selling user data.
Google said it would restrict the Query All Packages feature to only those who require it from July 12. App developers will be required to fill out a declaration explaining why they need access, and notify Google of this before the deadline so it can be vetted.
“Deceptive and undeclared uses of these permissions may result in a suspension of your app and/or termination of your developer account,” the company warned.
Additional reporting by Richard Waters
