Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Matthew Green Profile picture
@matthew_d_green
Jan 25, 2022 13 tweets 5 min read Read on X
Scrolly
I read the new location tracking complaint against Google filed by three state AGs and DC. It shouldn’t be surprising to anyone who is familiar with Google, but it’s pretty detailed. Thread. 1/
The basic allegation is that Google (mainly via Android) made it extremely difficult to turn off location data collection, and when people *did* try to turn this off, Google still collected and used location data for advertising.
As described in the complaint, there are basically three ways Google can get your location. (1) via GPS, (2) by monitoring nearby WiFi networks, (3) through IP address. Even if you turn GPS off, Google uses some of these. 2/
Once Google has your location information, the question is whether the user can stop them from recording it. As of 2018, Google seemed to make this possible through a Location History account setting. 3/
The Location History setting was described as “let[ting] Google save your location.” Presumably to ordinary non-technical users this language was about as clear as things get. According to the complaint, however, Google saved your location regardless of the setting. 4/
Specifically, Google has another “Web & App Activity” setting that also lets Google save your location. Because why have one setting when you can have many confusing ones? 5/
A brief interlude here to see what Google employees thought of these options. “[F]eels like it is designed to make things possible, but difficult enough that people won’t figure it out” is a solid quote. 6/
The complaint has a long section on “dark patterns” and this reads like a syllabus in a course on Silicon Valley privacy invasion. 7/
All the typical stuff: (1) presenting users with complicated opt-ins once at setup; (2) repeatedly “nudging” people who opt-out; (3) rewording dialog boxes to be less specific and maximize engagement; (4) hinting that apps “need” location history to work. It goes on. 8/
The one area where I felt j needed more detail was around the scanning of Wi-Fi networks. Even if you turn off GPS, companies like Google can determine your location by seeing nearby Wi-Fi. The complaint hints that Google does these even when you disable location. 9/
In fact, from context it feels like a lot of the redacted text in this document is about Wi-Fi geolocation. I hope future amended complaints get into the details. 10/
Final note: how did Google management feel about all of this? Was it all a big misunderstanding caused by good people trying hard not to be evil? Judge for yourself. 11/11 fin.
Here is the complaint so you can read for yourself. It’s only about 20 pages long. cdn.vox-cdn.com/uploads/chorus…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Matthew Green

Matthew Green Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @matthew_d_green

Matthew Green Profile picture
May 29
Last week I discovered that ChatGPT and Claude will send you their “encrypted raw reasoning” and of course I immediately wasted a weekend trying to do something bad with it. What I got for my trouble was this blog post: blog.cryptographyengineering.com/2026/05/29/foo…
The TL;DR is that frontier LLM providers will ship their “raw reasoning” (not just the summaries you see on ChatGPT) over their APIs for the client to store. But they encrypt and authenticate it to keep it safe from the same clients.
So the interesting question here is: what can you do with this? Can you tamper with reasoning? Are there ways to learn things about what’s in it? I tried a bunch of attacks including replays and side channels, both with some success.
Read 6 tweets
Matthew Green Profile picture
May 18
There’s been some reporting that Meta contributed an unfathomable sum to promote age verification laws globally. This is broadly true, but actual situation is a bit more complex. Figured it was worth an update.
The original reporting was OSINT-style reporting: on Reddit and a site (tboteproject.com) but most of it subsequently disappeared. Claimed $2 BN spent, which is an awful lot. An archived version is here: web.archive.org/web/2026031409…
So this reporting is gone, but some of the details are verifiable. Meta did verifiably spend significant sums backing a US bill called the “App Store Accountability” act. Here’s some Bloomberg reporting, which you probably can’t read. bloomberg.com/news/articles/…
Read 13 tweets
Matthew Green Profile picture
May 9
“Ghost participants” have been floating around for years as a way to break encrypted messaging. The idea is to add invisible extra people (the police, essentially) to group chats. It’s a dumb idea, and let me explain why.
First, the original idea was proposed by two GCHQ experts (the UK’s equivalent of NSA). For details of their proposal, I wrote about it when they put it forward in 2018. The idea has two components. /1 blog.cryptographyengineering.com/2018/12/17/on-…
First, the observation is that most encrypted messaging apps support group messaging. So a conversation with two people can be easily extended into a group of 3, a group of 10 into a group of 11, etc. So it’s “easy” to add an extra person to most conversations. /2
Read 13 tweets
Matthew Green Profile picture
Mar 13
Meta appears to be reversing its strong stance on encryption. The first obvious casualty is that they’re abandoning and disabling end-to-end encryption in Instagram DMs.
A big tell is the statement by Meta in this article: “very few people were opting in.” Meta knows opt-in encryption doesn’t get adoption, which is why their original strategy was to make encryption on by *default* in WhatsApp, Messenger and their other products. Image
The article is here: androidpolice.com/instagram-is-g…
Read 9 tweets
Matthew Green Profile picture
Jan 23
Microsoft is handing over Bitlocker keys to law enforcement. forbes.com/sites/thomasbr…
For those who don’t have context, Bitlocker is the built-in drive encryption in Windows. This is supposed to protect the data on your machine from being accessed without authorization. In many configurations, Windows will upload a recovery key to your Microsoft cloud account.
The problem is that these recovery keys aren’t encrypted end-to-end in a way that Microsoft can’t access. So if law enforcement wants to access your encrypted drive (even without knowing your password) they can just ask Microsoft for the key. And Microsoft will hand it over.
Read 6 tweets
Matthew Green Profile picture
Nov 15, 2025
Globally, state after state is hurtling towards digital surveillance just at a time when we need to be having a discussion about how to protect ourselves from the surveillance capabilities of the future. Here, Switzerland. tuta.com/blog/switzerla…Image
There are many problems with these ideas, not the least of which is that we’re asking for-profit companies to collect even more identifying information on users — information that (even if you fully trust the government) could end up breached or sold.
What I don’t understand about all of these plans (UK, Switzerland, the EU) is the absolute mad rush. Is there a crisis of dangerous crime suddenly in 2025 that needs to be addressed immediately, at any cost to privacy? We can’t wait a few years for safer technology?
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(