> The Court ruled that when consumers created a new Google Account during the initial set-up process of their Android device, Google misrepresented that the ‘Location History’ setting was the only Google Account setting that affected whether Google collected, kept or used personally identifiable data about their location. In fact, another Google Account setting titled ‘Web & App Activity’ also enabled Google to collect, store and use personally identifiable location data when it was turned on, and that setting was turned on by default.
>
The Court also found that when consumers later accessed the ‘Location History’ setting on their Android device during the same time period to turn that setting off, they were also misled because Google did not inform them that by leaving the ‘Web & App Activity’ setting switched on, Google would continue to collect, store and use their personally identifiable location data.
the Guardian coverage is less editorialized. Here's the judge's actual words:
“Google’s conduct would not have misled all reasonable users in the classes identified; but Google’s conduct misled or was likely to mislead some reasonable users within the particular classes identified.
“The number or proportion of reasonable users who were misled, or were likely to have been misled, does not matter for the purposes of establishing contravention.”
> To use home and work when you search or use directions, you must turn on Web & App Activity. If can't find home and work in Maps, learn how to turn on Web & App Activity.
The google agreement seems to break the "reasonable person" aspect of laws that I learned in college. It's not reasonable to have more than one place to shut off geolocation/tracking and the court decided this in the obvious way. Google should be fined heavily for such evil bait-and-switch tactics. Not only are they not avoiding "evil" they're embracing it the past decade or so.
I assume it would be whatever you gave the specific app. If you search for "weather in [your city]", they might get either that or ip data. If you share your GPS to get your weather, then they get that.
Unlike Location History, which is a specific feature that keeps a history of your location, Web & Apps activity is just that, activity from Google websites and apps. Said activity may include location data depending on the app or website.
People say this frequently. Is this true? I always assume the fine establishes the illegal behavior and awareness of it for both parties and Google would be forced to correct the behavior regardless of the fine's size.
Were they to do it again or resume the behavior after the fine I assume the charges would escalate and eventually become criminal, hence companies curb their behaviors.
While this does create a 'get fined first' mentality, it does mean that good regulating could curb bad behavior. Am I wrong?
They've been breaking the law for over a decade, has abyonw gone to jail?
And before someone says: "those instances were different law/etc", please remember that you will bot avoid jailtime if you rob the bank three different ways. Commiting crimes one after another makes sentences more aevere for an individual even if you broke totally different laws.
Haven't companies like Google been fined enough in the past alerady and despite that they have made little effort to conform to the data privacy measures? Instead they have enabled alternative ways for tracking (eg. recent FLOC debate). Once the right to privacy (online or otherwise) becomes fundamental, such violations of privacy, consciously or otherwise, by the private companies will fall into illegal activities prosecutable with imprisonment like it is done atm for insider trading and so on. This will create a substantial sense of responsibility in everyone working on any aspects of user data.
The lack of a direct way to measure how much profit in $$ a company made in the past decade because of a single privacy violation makes it an arduous task for prosecuting agencies to decide the amount of fines and/or prison time.
A multivariate regression using do-calculus might help, could be an interesting graduate project.
Penalties have not yet been decided. Lets hope the Judge is brave and sticks it to them as an example to all slimy companies who trade on PII and lie about it.
Being found guilty of misleading cinduct hurts trust in their brand.
Because it's easy to switch search engines, public relations are a key economic moat.
Although now, Android being so entrenched makes a deeper moat.
However, as google can't help itself from increasingly screwing users, it creates space for new entrants.
If you manage domains and force this stuff off your users will def complain.
My worry is we end up w a situation such as cookie notices - users have gotten so used to clicking through content screens they don’t pay attention anymore because a lot of it is meaningless
I had a funny situation in person recently. This place had consent forms - lady checking folks in would offer to sign on your behalf. A few folks asked what it was - a consent form - oh sure, please sign for me.
In gsuite I guess there are some settings that can impact things like location - people want recent locations to pop up etc I learned. So anytime you make 95 percent of users click through stuff they don’t care about - you start losing the battle here
the cookie debacle really illustrated how toothless and futile current regulatory attemps are, the industry simply side-stepped the intent of the legislation and that was the end of it. It seems the cookie notices are annoying by design to guide public opinion against future regulatory attempts. "See what they made us do? Don't regulations stink?!"
>It seems the cookie notices are annoying by design to guide public opinion against future regulatory attempts. "See what they made us do? Don't regulations stink?!"
I get that impression also, and doubly so for the FUD-packed GDPR messages. "Oh sorry, we can't legally serve this webpage to you, EU resident, because of the atrocious GDPR! (because it's full of spyware which the GDPR forbids but we won't say that part out loud)"
For what it's worth, I do think the GDPR messages are raising awareness in a way the cookie warnings were not, in part because some websites use dark patterns to get you to "agree" and others do not, and people are starting to smell the bullshit. If nothing else, the laundry list of trackers the websites are required to tell you about is a real eye-opener to the layperson who doesn't run uMatrix.
If think the regulation wasn't a point of this work, but the main reason this was worked on in my opinion, was to fleece the tax payer. Imagine how many dinners, conferences, experts, lawyers, contractors, researchers had to be paid over the years. They eventually had to come up with something and that's the half bottomed result. If it doesn't work? Well, everyone already got paid and probably now work on something completely different.
If there is too much noise about this, they'll have a reason to fleece the tax payer again and go through years of "fixing" the legislation.
This is when you have unaccountable organisation (EC) without any bodies that would and could investigate corruptions and scams like these.
That and an attempt by companies to continue a business model that is expressly illegal under the GDPR. If a company relies on user-tracking with assumed consent, being required to get affirmative and freely given consent tanks their income. And that's perfectly okay and reasonable for laws to do. Business models are not a right.
But, those companies then have a choice. Option A: Accept that their business model relied on widespread stalking of their users which was never acceptable and is now illegal, and significantly change the business. Option B: Pretend they didn't notice, throw up a pop-up ignore the "freely given" requirement for consent, and hope nobody calls them out on it.
Option B is a lot easier for scummy companies to do, and the prevalence of opt-out banners with assumed consent and dark patterns shows how many companies went that route.
Google, Facebook and other companies, in my opinion, are allowed to continue ignoring the law, because they provide valuable information to various services. They are essentially an enormous network of unwilling spies / informants. If the data they (in my opinion) provide wasn't useful, they would have been shut down long time ago.
Other thing is why even publish materials like this and what's the point of such commissions if they are toothless?
Isn't that a massive waste of tax payer money?
In many countries government creates various commissions to be able to give family members and associates well paid bogus jobs or pay for favours (if you vote for X, we will give a job to your wife's sister) and so on. Other reason is also to tick boxes - when asked by unscripted journalist about something, they can say look we care about this, we setup a commission...
It's definitely an artifact of my personality but I don't get the sense they are unwilling, though I imagine they would be coerced anyway and you could certainly start a discussion about how meaningful their consent would be in that context.
I'm a broken record but the profit motive is what will always always always enable this: people depend on this machine for their livelihoods and are only personally responsible for a negligible, ignore-able portion of its activities. Path of least resistance in a world of friction is these companies will continue to act with an agenda even its employees might disagree with (if that isn't fault tolerance though idk what is!)
Does anyone have a source for additional information on the mechanism by which Google is collecting location data when "Web & App Activity" is turned on? Is that permission giving access to the location API in the browser?
this article from 2018 has a bit more detail. What it boils down to seems to be that if you use search or maps to look for something local, say a restaurant, Google will remember that in your search history, which connects you and your location.
There's no way this is what this is about, no? This seems totally fine, whereas the article makes it seem like they were actively tracking your location while telling you they weren't.
If this is it then I disagree completely with the ruling.
I worked for the ACCC from 2008 and 2011. I'd like to share some more context on the ACCC and Australian legal system that may be of interest to HN readers.
The ACCC is an independent authority empowered to enforce Australian Consumer Law (ACL) which contains consumer protection, completion product safety, anti-trust (competition) and other adjacent laws. It is most similar to the Federal Trade Commission in the US.
The ACCC leadership are commissioners who are appointed based on input of federal and state governments. The appointments tend to be "non-partisan" with the current chair leading the organization for 10 years (with 3 term renewals under multiple governments).
The ACCC has been taking action against Google since mid 2000s. The last case against Google that they won was in relation to consumers being misled about what were advertisements vs native results. [1]
The main provision of law protecting Australian consumers that is invoked in these cases is s18 of Australian consumer law that states: "A person [or entity] must not, in trade or commerce, engage in conduct that is misleading or deceptive or is likely to mislead or deceive."
Laws with this wording have existed in Australia since the the 1970s.
This law is enforced widely and there are also state agencies that enforce similar laws. All kinds of industries have received enforcement action ranging from retailers to supplement providers. As far as i know it's one of the but most broadly enforced consumer protection laws in any country.
The ACCC won a case against Apple under this same law in 2018 for misleading consumers about their warranty rights after third party repairs were done. Apple was fined $9 million dollars.
The action against Apple included 254 complaints from customers impacted. You can literally call or email the ACCC to log a complaint about any business and it will use this complaints to identify patterns of misconduct thst then enforce enforcement priorities.
The ACL currently limits penalties to $10 million per contravention for corporations. Only parliament can increase thst limit amending legislation. Individuals can also be fiend up to $5million.
Litigation is typically the last resort, and businesses have many oppurtunities to resolve or settle the matter. I am not in any way privy to this case, but typically a remediation action the ACCC seeks is notifying and posting notices that it engaged in misleading conduct, sometimes with a way for the consumer to seek a remedy. It's likely Google was not willing to do this without a fight.
Individuals and businesses can also privately take action if they were misled or deceived.
The Australian Court system that enforced this law is also relatively non-partisan. The australian government and judicial system was formed relatively recently - in the late 1800s and there was a strong intention to prevent political patronage in tbe public service and court system. [2]
Australian Consumer law also has other specific protections that i like such as requiring businesses to make the price the consumer has to pay most prominent (as opposed to making the price exclusive of taxes and fees most prominent).
The ACCC has just under 1000 employees and a small team would have worked on this case with support from outside lawyers. Congrats to them and hopefully this will encourage Google and other vendors to be more thoughtful about their data collection opt-ins.
ACCC is utterly toothless. They issue these pathetic fines but the behaviour continues. Yes you may have issued Apple a $9 million fine but it is commonly known that Apple stores in Australia openly flout Australian consumer laws. I would be embarrassed to admit I had ever worked for ACCC in any capacity.
Hi there!
1) I think you may have missed this from my post?
> "The ACL currently limits penalties to $10 million per contravention for corporations. Only parliament can increase that limit by amending legislation."
The ACCC can't give itself more teeth, your elected representatives can.
2) Also, as far as I know Australia is the only country that has a regulator that has gone to court and won against Apple (A few foreign regulators have fined them or made decisions without going to court).
Would you rather an agency with "no teeth" or one that doesn't bite at all? :)
3) I want to highlight that "I would be embarrassed to admit I had ever worked for ACCC in any capacity." felt condescending. I see that tone in comments you've made towards others on HN. I'd kindly challenge you to think about how that contributes the community, and what draws you to making dismissive comments rather than kind ones. It personally had the opposite affect for me - reminding me how much I enjoyed that job and the work I did there.
Readit News
> The Court ruled that when consumers created a new Google Account during the initial set-up process of their Android device, Google misrepresented that the ‘Location History’ setting was the only Google Account setting that affected whether Google collected, kept or used personally identifiable data about their location. In fact, another Google Account setting titled ‘Web & App Activity’ also enabled Google to collect, store and use personally identifiable location data when it was turned on, and that setting was turned on by default.
> The Court also found that when consumers later accessed the ‘Location History’ setting on their Android device during the same time period to turn that setting off, they were also misled because Google did not inform them that by leaving the ‘Web & App Activity’ setting switched on, Google would continue to collect, store and use their personally identifiable location data.
“Google’s conduct would not have misled all reasonable users in the classes identified; but Google’s conduct misled or was likely to mislead some reasonable users within the particular classes identified.
“The number or proportion of reasonable users who were misled, or were likely to have been misled, does not matter for the purposes of establishing contravention.”
https://twitter.com/jonathanmayer/status/1044300922149588993
https://support.google.com/maps/answer/3093979
> Fix problems with home and work in Maps
> To use home and work when you search or use directions, you must turn on Web & App Activity. If can't find home and work in Maps, learn how to turn on Web & App Activity.
Unlike Location History, which is a specific feature that keeps a history of your location, Web & Apps activity is just that, activity from Google websites and apps. Said activity may include location data depending on the app or website.
Were they to do it again or resume the behavior after the fine I assume the charges would escalate and eventually become criminal, hence companies curb their behaviors.
While this does create a 'get fined first' mentality, it does mean that good regulating could curb bad behavior. Am I wrong?
These legal scholars even hypothesize that there might not be a big enough fine to deter illegal behavior from corporations. [0]
Your idea of escalating punishments doesn’t take into account corporate influence of legislation and regulatory capture.
[0] https://clsbluesky.law.columbia.edu/2020/03/18/the-cost-of-d...
They've been breaking the law for over a decade, has abyonw gone to jail?
And before someone says: "those instances were different law/etc", please remember that you will bot avoid jailtime if you rob the bank three different ways. Commiting crimes one after another makes sentences more aevere for an individual even if you broke totally different laws.
The lack of a direct way to measure how much profit in $$ a company made in the past decade because of a single privacy violation makes it an arduous task for prosecuting agencies to decide the amount of fines and/or prison time.
A multivariate regression using do-calculus might help, could be an interesting graduate project.
Deleted Comment
Dead Comment
Because it's easy to switch search engines, public relations are a key economic moat.
Although now, Android being so entrenched makes a deeper moat. However, as google can't help itself from increasingly screwing users, it creates space for new entrants.
My worry is we end up w a situation such as cookie notices - users have gotten so used to clicking through content screens they don’t pay attention anymore because a lot of it is meaningless
I suspect the goal is to manufacture consent through inundation of fraudulent and coercive consent agreements.
I had a funny situation in person recently. This place had consent forms - lady checking folks in would offer to sign on your behalf. A few folks asked what it was - a consent form - oh sure, please sign for me.
In gsuite I guess there are some settings that can impact things like location - people want recent locations to pop up etc I learned. So anytime you make 95 percent of users click through stuff they don’t care about - you start losing the battle here
I get that impression also, and doubly so for the FUD-packed GDPR messages. "Oh sorry, we can't legally serve this webpage to you, EU resident, because of the atrocious GDPR! (because it's full of spyware which the GDPR forbids but we won't say that part out loud)"
For what it's worth, I do think the GDPR messages are raising awareness in a way the cookie warnings were not, in part because some websites use dark patterns to get you to "agree" and others do not, and people are starting to smell the bullshit. If nothing else, the laundry list of trackers the websites are required to tell you about is a real eye-opener to the layperson who doesn't run uMatrix.
But, those companies then have a choice. Option A: Accept that their business model relied on widespread stalking of their users which was never acceptable and is now illegal, and significantly change the business. Option B: Pretend they didn't notice, throw up a pop-up ignore the "freely given" requirement for consent, and hope nobody calls them out on it.
Option B is a lot easier for scummy companies to do, and the prevalence of opt-out banners with assumed consent and dark patterns shows how many companies went that route.
Other thing is why even publish materials like this and what's the point of such commissions if they are toothless?
Isn't that a massive waste of tax payer money?
In many countries government creates various commissions to be able to give family members and associates well paid bogus jobs or pay for favours (if you vote for X, we will give a job to your wife's sister) and so on. Other reason is also to tick boxes - when asked by unscripted journalist about something, they can say look we care about this, we setup a commission...
I'm a broken record but the profit motive is what will always always always enable this: people depend on this machine for their livelihoods and are only personally responsible for a negligible, ignore-able portion of its activities. Path of least resistance in a world of friction is these companies will continue to act with an agenda even its employees might disagree with (if that isn't fault tolerance though idk what is!)
https://www.abc.net.au/news/2018-08-17/google-makes-changes-...
If this is it then I disagree completely with the ruling.
The ACCC is an independent authority empowered to enforce Australian Consumer Law (ACL) which contains consumer protection, completion product safety, anti-trust (competition) and other adjacent laws. It is most similar to the Federal Trade Commission in the US.
The ACCC leadership are commissioners who are appointed based on input of federal and state governments. The appointments tend to be "non-partisan" with the current chair leading the organization for 10 years (with 3 term renewals under multiple governments).
The ACCC has been taking action against Google since mid 2000s. The last case against Google that they won was in relation to consumers being misled about what were advertisements vs native results. [1]
The main provision of law protecting Australian consumers that is invoked in these cases is s18 of Australian consumer law that states: "A person [or entity] must not, in trade or commerce, engage in conduct that is misleading or deceptive or is likely to mislead or deceive."
Laws with this wording have existed in Australia since the the 1970s.
This law is enforced widely and there are also state agencies that enforce similar laws. All kinds of industries have received enforcement action ranging from retailers to supplement providers. As far as i know it's one of the but most broadly enforced consumer protection laws in any country.
The ACCC won a case against Apple under this same law in 2018 for misleading consumers about their warranty rights after third party repairs were done. Apple was fined $9 million dollars.
The action against Apple included 254 complaints from customers impacted. You can literally call or email the ACCC to log a complaint about any business and it will use this complaints to identify patterns of misconduct thst then enforce enforcement priorities.
The ACL currently limits penalties to $10 million per contravention for corporations. Only parliament can increase thst limit amending legislation. Individuals can also be fiend up to $5million.
Litigation is typically the last resort, and businesses have many oppurtunities to resolve or settle the matter. I am not in any way privy to this case, but typically a remediation action the ACCC seeks is notifying and posting notices that it engaged in misleading conduct, sometimes with a way for the consumer to seek a remedy. It's likely Google was not willing to do this without a fight.
Individuals and businesses can also privately take action if they were misled or deceived.
The Australian Court system that enforced this law is also relatively non-partisan. The australian government and judicial system was formed relatively recently - in the late 1800s and there was a strong intention to prevent political patronage in tbe public service and court system. [2]
Australian Consumer law also has other specific protections that i like such as requiring businesses to make the price the consumer has to pay most prominent (as opposed to making the price exclusive of taxes and fees most prominent).
The ACCC has just under 1000 employees and a small team would have worked on this case with support from outside lawyers. Congrats to them and hopefully this will encourage Google and other vendors to be more thoughtful about their data collection opt-ins.
[1] https://www.australiancontractlaw.com/cases/google.html
[2] https://www.aph.gov.au/About_Parliament/Parliamentary_Depart...
2) Also, as far as I know Australia is the only country that has a regulator that has gone to court and won against Apple (A few foreign regulators have fined them or made decisions without going to court).
Would you rather an agency with "no teeth" or one that doesn't bite at all? :)
3) I want to highlight that "I would be embarrassed to admit I had ever worked for ACCC in any capacity." felt condescending. I see that tone in comments you've made towards others on HN. I'd kindly challenge you to think about how that contributes the community, and what draws you to making dismissive comments rather than kind ones. It personally had the opposite affect for me - reminding me how much I enjoyed that job and the work I did there.
They did their job. To challenge dodgy practices, and get courts to uphold the law. I'm not sure what else you want them to do.
Dead Comment