Google is tracking you. Even when you're in Airplane Mode w/o SIM card [video] (youtube.com)
42 points by Jerry2 47 days ago | 20 comments

One thing this video implies is that no radios are on during airplane mode. Perhaps my terminology is imprecise but the passive GPS receiver can remain active. Still, it's creepy (though unsurprising) that it uploads the data anyways.

BTW, having the GPS on must have been a massive battery drain. I know it is on my phone, especially for initial triangulation. I wonder if low power mode would help?

I guess I knew GPS was passive but I would have guessed - naively, it turns out - that "airplane mode" turns off all interfaces to the outside world.

Is there a way to toggle off the GPS on an Android phone?

Open the phone, find the chip, burn it out.

Faraday cage?

On iPhone, GPS is on in airplane mode as well (but you can just turn off the location services if you want).

You can set it to be off too in settings.

Is the Android phone OS actually uploading location information unencrypted as implied (they MITM'd the phone and said they saw raw locations, unencrypted)?

I know that Apple got in trouble for storing and passing around unencrypted location data a while back.[1] I also remember a story about predator drones sending unencrypted video feeds, apparently because key management is hard and they thought their enemies were too low tech to intercept.[2] I'm not a security/cryptography guy, but my impression is developers do this because it's easier.

[1]: https://www.fastcompany.com/40477441/facebook-google-apple-k...

[2]: https://www.wired.com/2012/10/hack-proof-drone/

Heh, sadly, I would not at all be surprised to see a: "TODO: encrypt this" somewhere in the comments

I assumed that they installed a root cert from the mitm device on the phones ahead of time so all the encrypted data could be read.

My guess is they installed an MITM tool which uses fake certificates to decrypt HTTPS.

Not much data in or out of Google is plain HTTP anymore.

Many of the YouTube comments were people asking if he turned off location tracking... does anyone here know if that would be an effective countermeasure?

Yes. The reporter didn't understand the difference between airplane mode and Google Location Services. If you turn off the latter, the location upload won't happen, and you can still get your GPS location if you want it. iOS has the same location services system, but you cannot disable it if you want to get your location.

A distinction that almost no end user would realistically be expected to know and which Google doesn’t bother to inform users about in clear terms in the UI.

A user understands the difference between turning on airplane mode when they get on the airplane and turning off location services, which is described on first setup.

> The reporter didn't understand the difference between airplane mode and Google Location Services. If you turn off the latter, the location upload won't happen

“Google collects Android users’ locations even when location services are disabled”: https://qz.com/1131515/google-collects-android-users-locatio...

It collects iOS users' locations in those situations (local search, Google Maps usage, etc.) also. Location Services is a particular AGPS system that is separate from specific apps. Unlike iOS, Android lets you disable the AGPS system from collecting your location and is strictly better for privacy in that regard.

One difference is that your location is not associated with your identity, it’s associated with a random ID that automatically refreshes every few days.

Except that it has been demonstrated that no amount of 'anonymization' or 'pseudonymization' is effective at actually disconnecting the data from the person. With enough data, you can figure out who's who even with this 'randomID'.

Simple example: A random user with ID 'aaa' will provide location data throughout the day. This provides you with the means to figure out where they work, how late they get up, what their average walking speed is, etc. One day the user gets a new randomID 'bbb'. At first glance there is no connection between 'aaa' and 'bbb'. But from a specific day 'aaa' stops transmitting data, and 'bbb' starts transmitting data. 'bbb' will submit the same data and thus you can figure out for example their walking speeds and place of work. This means 'aaa''s data will match 'bbb''s. Looking at the datetime when the switchover happened you could deduce that 'aaa' and 'bbb' are probably the same. With more data points you can increase your accuracy.

I.e.: with sufficiently large datasets (which they have), no amount of anonymization works (which they know).
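The linkage described in the comment above, written as a check a privacy reviewer could run over a pseudonymized location dataset to see whether rotated IDs stay linkable. This is an added example, not part of the thread; the pings, grid-cell names, hour boundaries and gap threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict

def _trace(pid, days, home, work):
    """Constructed pings: (pseudonymous_id, day, hour, coarse_grid_cell)."""
    rows = []
    for d in days:
        rows += [(pid, d, h, home) for h in (1, 6, 23)]    # night hours
        rows += [(pid, d, h, work) for h in (10, 14, 16)]  # working hours
    return rows

# Constructed sample: 'aaa' rotates to 'bbb' on day 4; 'ccc' and 'ddd' are other users.
PINGS = (_trace("aaa", range(1, 4), "H7", "W2")
         + _trace("bbb", range(4, 7), "H7", "W2")
         + _trace("ccc", range(1, 7), "H3", "W2")
         + _trace("ddd", range(4, 7), "H9", "W5"))

def _top(counter):
    """Most frequent cell, or None when the ID has no pings in that period."""
    return counter.most_common(1)[0][0] if counter else None

def fingerprints(pings):
    """Per ID: (usual night cell, usual daytime cell, first day seen, last day seen)."""
    night, day, seen = defaultdict(Counter), defaultdict(Counter), defaultdict(set)
    for pid, d, hour, cell in pings:
        (day if 9 <= hour < 18 else night)[pid][cell] += 1
        seen[pid].add(d)
    return {pid: (_top(night[pid]), _top(day[pid]), min(ds), max(ds))
            for pid, ds in seen.items()}

def linkable_pairs(pings, max_gap_days=1):
    """(old_id, new_id) pairs where new_id first appears within max_gap_days
    after old_id goes silent and both share the same home and work cells."""
    fp = fingerprints(pings)
    pairs = []
    for old, (h1, w1, _, last) in fp.items():
        for new, (h2, w2, first, _) in fp.items():
            same_places = None not in (h1, w1) and (h1, w1) == (h2, w2)
            if old != new and same_places and 0 < first - last <= max_gap_days:
                pairs.append((old, new))
    return sorted(pairs)

if __name__ == "__main__":
    print(linkable_pairs(PINGS))
```

A non-empty result means ID rotation alone does not break the trail in that dataset; coarsening cells or dropping the stable home/work locations before release changes the outcome.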

Google's location services data is also not associated with your identity. The only difference is that you can disable this collection on Android, and you can't disable it in iOS.
