web analytics

Groups Urge FTC to Scrutinize Google Location Data Practices – Source: www.databreachtoday.com

groups-urge-ftc-to-scrutinize-google-location-data-practices-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Governance & Risk Management
,
Healthcare
,
Industry Specific

Complaint Alleges Tech Giant Is Breaking Privacy Promises, Putting Patients at Risk

Marianne Kolbasuk McGee (HealthInfoSec) •
January 19, 2024    

Groups Urge FTC to Scrutinize Google Location Data Practices
Image: Google

Two tech advocacy groups are pushing the Federal Trade Commission to investigate Google, alleging the company has reneged on a promise it made after the Supreme Court’s 2022 overturn of Roe v. Wade to promptly delete location data about users’ visits to sensitive places, such as abortion clinics.

See Also: OnDemand | Integrating Splunk and Panther for Real-Time Alerting and Custom Dashboarding

The complaint filed Thursday by advocacy groups Electronic Privacy Information Center and Accountable Tech also claims the tech giant is violating the terms of an earlier FTC enforcement action stemming from a separate data privacy complaint filed by EPIC more than a decade ago.

In the complaint filed Thursday, EPIC and Accountable Tech allege that Google has failed to honor the public pledge it made in 2022 – and updated in 2023 – to delete location data involving users’ visits to sensitive places, such as addiction treatment centers, domestic abuse shelters and abortion clinics (see: Taking Actions to Enhance Sensitive Health Data Privacy).

The groups want the FTC to investigate Google for unfair and deceptive practices in violation of Section 5 of the FTC Act and for violating an FTC consent order in 2011 that arose from EPIC’s complaint against Google targeting the company’s alleged mishandling of personal data in the rollout of its Google Buzz social network.

The FTC’s enforcement action in the Google Buzz case prohibited the company from making privacy misrepresentations in the future, required the implementation of a comprehensive privacy program, and called for regular, independent privacy audits for 20 years.

In this latest complaint, the advocacy groups are urging the FTC to issue civil penalties, order Google to delete “wrongfully retained” location data, and order the company to halt its “unlawful” collection, disclosure and retention of personal data, including sensitive location data.

Following the U.S. high court’s June 2022 ruling in Dobbs v. Jackson Women’s Health Organization, rescinding the national right to abortion, Google said that it would update its location history retention practices and delete records of visits to certain sensitive medical facilities “soon after” each visit.

“Location History is off by default, but if you choose to turn it on and our systems identify that you’ve visited certain locations that can be particularly personal, we will delete those entries from Location History soon after you visit,” Google said in a May 2023 update, clarifying its policy promise.

“To estimate where you are, we rely on several sources, like GPS and Wi-Fi, so accuracy can be impacted by a variety of factors, like whether you’re inside a building, in a dense area or underground,” Google said.

Google said the deletion policy applies to certain sensitive medical facilities, including counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics and cosmetic surgery clinics. “If you visit a general purpose medical facility – like a hospital, the visit may persist,” Google said.

The advocacy groups’ complaint alleges that research conducted by Accountable Tech and others found that months after making its pledge, Google had failed to delete the location information as promised and that issues continue to persist.

“Accountable Tech found that while Google had scrubbed ‘Planned Parenthood’ from a user’s Location History map, it retained the route to the clinic in four out of eight of its tests,” the groups allege.

“Follow-up research published by Accountable Tech in January 2024 confirms that this failure is still ongoing even as Google recently renewed its assurances to users that their sensitive location data would be protected,” the complaint alleges.

“When this information is retained by companies like Google, it can be accessed by law enforcement and can be used to profile individuals in harmful ways,” the groups allege.

“These harmful practices show us why we cannot rely on pinky promises from Google to protect our most sensitive information,” said Sara Geoghegan, an EPIC attorney, in a statement. “The FTC and Google have recognized the serious harms that stem from excessive data retention, and it is critical for the commission to step in to hold Google accountable for these violations.”

Google in a statement to Information Security Media Group disputed the groups’ allegations.

“We continue to uphold our promise to delete particularly personal places from Location History if these places are identified by our systems – any claims that we’re not doing so are patently false or misguided,” said Marlo McGriff, director of product for Google Maps. “This report is an inaccurate and misleading representation of our commitment and how Location History works – it does not show evidence that visits to particularly personal places are being retained.”

An FTC spokeswoman declined Information Security Media Group’s request for comment on the groups’ allegations about Google. “I can confirm we received the complaint but we do not have any additional comment,” she told ISMG.

Growing Scrutiny

The groups’ complaint about Google comes in the midst of FTC enforcement actions against several other entities in cases involving the collection of sensitive data, including location and health-related information.

On Thursday, the FTC issued a proposed order banning data aggregator InMarket Media from selling or licensing any precise location data. This order settled charges that the company did not fully inform consumers and obtain their consent before collecting and using their location data for advertising and marketing.

Also, earlier this month, the FTC issued an order banning data broker Outlogic, formerly X-Mode Social, from sharing or selling sensitive location data with third parties (see: Breach Roundup: FTC Bans Data Broker From Sharing Location).

The commission over the past year or two has also taken actions against several health-related business – including GoodRx, BetterHelp, Premom and Flo Health – in cases involving the collection and disclosure of sensitive health and other information.

Given the FTC’s enforcement actions in these and previous cases, regulatory attorney Rachel Rose predicts the agency will take up the request by EPIC and Accountable Tech to investigate their complaint.

“The FTC has the authority to do so under FTC Act,” she said. “It is likely that the FTC will proceed.”

The collection and disclosure of sensitive personal and health information by data brokers, health-related companies and others appears to be a hot-button issue for the FTC, whether it involves the use of web tracking or other tech tools.

The FTC and the Department of Health and Human Services over the last year has been warning telehealth companies and hospitals about potential FTC Act and HIPAA violations involving their use of web trackers that collect and disclose sensitive personal and health information with third parties (see: Feds Publicly Name 130 Healthcare Firms Using Web Trackers).

“This is an area that will continue to receive more interest, especially with the July 2023 FTC-HHS joint letters and the anticipated updates to the HIPAA Privacy Rule,” Rose said (see: Biden Administration Issues Cyber Strategy for Health Sector).

Original Post url: https://www.databreachtoday.com/groups-urge-ftc-to-scrutinize-google-location-data-practices-a-24149

Category & Tags: –

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Cybersecurity Talent Crisis Today and Tomorrow by Codrut Andrei
Cybersecurity Talent Crisis Today and...
SCYTHE
Better Cybersecurity Metrics – SOC Metrics – Threat Hunting Metrics – Cyber Threat Intelligence (CTI) Metrics – Incident Response (IR) Metrics for CISOs by SCYTHE
Better Cybersecurity Metrics – SOC...
ACSC Australia
Personal Cyber Security First Steps by Australian Government – ACSC
Personal Cyber Security First Steps...
Joas Antonio
100 Security Operation Tools for SOCs by Joas Antonio
100 Security Operation Tools for...
Joas Antonio
Guide for Multi-Cloud Read Team AWS – GCP – AZURE by Joas Antonio
Guide for Multi-Cloud Read Team...
SANS
SANS Faculty Cybersecurity Free Tools – SANS Instructors have built more than 150 open source tools that support your work and help you implement better security.
SANS Faculty Cybersecurity Free Tools...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

New York State
Cybersecurity Program Template A resource to help individual licensees and individually owned businesses develop a cybersecurity program as required by New York State’s Cybersecurity Regulation 23 NYCRR Part 500
Cybersecurity Program Template A resource...
Apress
Cyber Security on Azure An IT Professional’s Guide to Microsoft Azure Security
Cyber Security on Azure An...
CyberJA
ASSET IDENTIFICATION & CLASSIFICATION-A CRITICAL COMPONENT OF CYBER RISK MANAGEMENT
ASSET IDENTIFICATION & CLASSIFICATION-A CRITICAL...
SOSAFE
CybercrimeTrends 2024 The latest threats and security best practices
CybercrimeTrends 2024 The latest threats...
Routledge
Cyber Security Politics Socio-Technological Transformations and Political Fragmentation
Cyber Security Politics Socio-Technological Transformations...
Hidaia Mahmood Alassouli
Common Windows, Linux and Web Server SystemsHacking Techniques
Common Windows, Linux and Web...
Cigref
Surviving a Massive cyber-attack by Cigref
Surviving a Massive cyber-attack by...
Splunk
SPLUNK® AND THE CIS CRITICALSECURITY CONTROLS Mapping Splunk Software to the CIS 20 CSC Version 6.0
SPLUNK® AND THE CIS CRITICALSECURITY...
SOC SIEM Use Cases
SOC SIEM Use Cases
safecode
Six Pillars of DevSecOps- Collaboration and Integration
Six Pillars of DevSecOps- Collaboration...
SentineOne
WatchTower I ntelligence-Driven Threat Hunting
WatchTower I ntelligence-Driven Threat Hunting
CNIL
Security of Personal Data
Security of Personal Data

More Latest Published Posts

CISA | Cybersecurity and Infrastructure Security Agency
UNDERSTANDING AND RESPONDING TO DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
UNDERSTANDING AND RESPONDING TO DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
McKinsey & Company
Transforming risk efficiency and effectiveness
Transforming risk efficiency and effectiveness
Arnold Antoo
Zero Trust Security Model
Zero Trust Security Model
Richea Perry
Your Cybersecurity Toolkit
Your Cybersecurity Toolkit
IGNITE Technologies
Wireless Penetration Testing
Wireless Penetration Testing
Joas A Santos
Windows API for Red Team #101
Windows API for Red Team #101
Economic Research Working Paper
Artificial Intelligence and Intellectual Property
Artificial Intelligence and Intellectual Property
CASOS DE USO APLICABLES EN UN SIEM
CASOS DE USO APLICABLES EN UN SIEM
IGNITE Technologies
Burp Suite for Pentester
Burp Suite for Pentester
The Institute of Internal auditors
Auditing Risk Culture
Auditing Risk Culture
DevSecOps Guide
ATTACKING PHP APPLICATIONS
ATTACKING PHP APPLICATIONS
DevSecOps Guide
ATTACKING KUBERNETES WITH SECURITY BEST PRACTICE
ATTACKING KUBERNETES WITH SECURITY BEST PRACTICE
CLTC WHITE PAPER SERIES
Guidance for the Development of AI Risk and Impact Assessments
Guidance for the Development of AI Risk and Impact Assessments
Active Directory
Active Directory IT AuditChecklist
Active Directory IT AuditChecklist
A guide to business continuity planning
A guide to business continuity planning
LOG RHYTHM
Using MITRE ATT&CK™ in Threat Huntingand Detection
Using MITRE ATT&CK™ in Threat Huntingand Detection
Kaspersky
H2 2023 – A brief overviewof main incidentsin industrial cybersecurity
H2 2023 – A brief overviewof main incidentsin industrial cybersecurity
Andrey Prozorov
24 Great Cybersecurity Frameworks
24 Great Cybersecurity Frameworks
ENISA-EUROPA
SEGURIDAD DE TELECOMUNICACIONES
SEGURIDAD DE TELECOMUNICACIONES
Project Management Institute
Building Resilience Through Strategic Risk Management
Building Resilience Through Strategic Risk Management
DATA LOSS PREVENTION (DLP)
DATA LOSS PREVENTION (DLP)
AICSSolutions
Cybersecurity Red Team
Cybersecurity Red Team
cisco
Cyber Incident Response
Cyber Incident Response
CSR Cyber Security Council
EVERY BUSINESS HAS DUTIES OF CARE IN THE FIELD OF CYBER SECURITY
EVERY BUSINESS HAS DUTIES OF CARE IN THE FIELD OF CYBER SECURITY
SYBEX
Cybersecurity ESSENTIALS
Cybersecurity ESSENTIALS
Agency for Digital Government
Cyber security in supplier relation ships
Cyber security in supplier relation ships
RINKU
Curso de introducción KALI LINUX PARA HACKERS ÉTICOS
Curso de introducción KALI LINUX PARA HACKERS ÉTICOS
CNIL
PRACTICE GUIDE GDPR
PRACTICE GUIDE GDPR