Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Matthew Green is on BlueSky Profile picture
@matthew_d_green
Jan 25, 2022 13 tweets 5 min read Read on X
Scrolly
I read the new location tracking complaint against Google filed by three state AGs and DC. It shouldn’t be surprising to anyone who is familiar with Google, but it’s pretty detailed. Thread. 1/
The basic allegation is that Google (mainly via Android) made it extremely difficult to turn off location data collection, and when people *did* try to turn this off, Google still collected and used location data for advertising.
As described in the complaint, there are basically three ways Google can get your location. (1) via GPS, (2) by monitoring nearby WiFi networks, (3) through IP address. Even if you turn GPS off, Google uses some of these. 2/
Once Google has your location information, the question is whether the user can stop them from recording it. As of 2018, Google seemed to make this possible through a Location History account setting. 3/
The Location History setting was described as “let[ting] Google save your location.” Presumably to ordinary non-technical users this language was about as clear as things get. According to the complaint, however, Google saved your location regardless of the setting. 4/
Specifically, Google has another “Web & App Activity” setting that also lets Google save your location. Because why have one setting when you can have many confusing ones? 5/
A brief interlude here to see what Google employees thought of these options. “[F]eels like it is designed to make things possible, but difficult enough that people won’t figure it out” is a solid quote. 6/
The complaint has a long section on “dark patterns” and this reads like a syllabus in a course on Silicon Valley privacy invasion. 7/
All the typical stuff: (1) presenting users with complicated opt-ins once at setup; (2) repeatedly “nudging” people who opt-out; (3) rewording dialog boxes to be less specific and maximize engagement; (4) hinting that apps “need” location history to work. It goes on. 8/
The one area where I felt j needed more detail was around the scanning of Wi-Fi networks. Even if you turn off GPS, companies like Google can determine your location by seeing nearby Wi-Fi. The complaint hints that Google does these even when you disable location. 9/
In fact, from context it feels like a lot of the redacted text in this document is about Wi-Fi geolocation. I hope future amended complaints get into the details. 10/
Final note: how did Google management feel about all of this? Was it all a big misunderstanding caused by good people trying hard not to be evil? Judge for yourself. 11/11 fin.
Here is the complaint so you can read for yourself. It’s only about 20 pages long. cdn.vox-cdn.com/uploads/chorus…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Matthew Green is on BlueSky

Matthew Green is on BlueSky Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @matthew_d_green

Matthew Green is on BlueSky Profile picture
Oct 15
The “age verification” and the “human identification” problem are the same problem. It upsets me to be around people who think they’re working on the first, but don’t understand they’re actually working on the second.
To be really clear: it’s pretty obvious that the central (Internet communication) problem of our time is going to be determining whether the stranger you’re talking to (or delivering ads to) is a person or a bot. And every existing tech we have for doing this will fail.
So how do we do this? Presumably by tightly binding physical identity to your device and then proving possession (with some other bells and whistles). Not coincidentally that’s exactly what age verification is. Weird how corporate and gov’t priorities suddenly align, right?
Read 10 tweets
Matthew Green is on BlueSky Profile picture
Aug 5
Trying to plan a seminar on the topic of “how do we maintain privacy in the coming dystopia” and it’s kind of a thing.
Over the past thirty years we’ve done amazing thing technologically when it comes to anonymity and privacy, and to some extent it was “all theoretical” that we’d need it. That’s all behind us.
So here we are in the bad timeline. Social networks want to jam AI into your encrypted messages; governments want to access your private messages; everyone you maybe once hoped to rely on is either planning to sell you out or else trying to find the fastest way to monetize you.
Read 5 tweets
Matthew Green is on BlueSky Profile picture
Jul 29
I cannot tell what’s going on with Google here. washingtonpost.com/politics/2025/…
Specifically, Google when asked by a US senator could easily have denied that the UK was pressuring them, but instead said this. Image
If you call someone in their home and ask them if someone has a gun to their head, and they say “I can’t talk about that” then you call 911 because that’s what common sense tells you to do.
Read 6 tweets
Matthew Green is on BlueSky Profile picture
Apr 24
It is insane how scary the threat models of encrypted messaging apps providers are.
You have these apps with billions of users. Some of those users are doing huge financial transactions. Some are politicians. Some are coordinating literal national security operations. And all these messages go through a few vulnerable servers.
I think older people (that includes me I guess) think that messaging apps are like AOL Instant Messenger, not used for anything important. It’s completely insane how much of our society now runs on them, and what a total disaster it would be if a couple of major apps were broken.
Read 11 tweets
Matthew Green is on BlueSky Profile picture
Mar 27
Ok, look people: Signal as a *protocol* is excellent. As a service it’s excellent. But as an application running on your phone, it’s… an application running on your consumer-grade phone. The targeted attacks people use on those devices are well known. Image
There is malware that targets and compromises phones. There has been malware that targets the Signal application. It’s an app that processes many different media types, and that means there’s almost certainly a vulnerability to be exploited at any given moment in time.
If you don’t know what this means, it means that you shouldn’t expect Signal to defend against nation-state malware. (But you also shouldn’t really expect any of the other stuff here, like Chrome, to defend you in that circumstance either.)
Read 5 tweets
Matthew Green is on BlueSky Profile picture
Mar 25
You should use Signal. Seriously. There are other encrypted messaging apps out there, but I don’t have as much faith in their longevity. In particular I have major concerns about the sustainability of for-profit apps in our new “AI” world.
I have too many reasons to worry about this but that’s not really the point. The thing I’m worried about is that, as the only encrypted messenger people seem to *really* trust, Signal is going to end up being a target for too many people.
Signal was designed to be a consumer-grade messaging app. It’s really, really good for that purpose. And obviously “excellent consumer grade” has a lot of intersection with military-grade cryptography just because that’s how the world works. But it is being asked to do a lot!
Read 9 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(