Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Matthew Green is on BlueSky Profile picture
@matthew_d_green
Jan 25, 2022 13 tweets 5 min read Read on X
Scrolly
I read the new location tracking complaint against Google filed by three state AGs and DC. It shouldn’t be surprising to anyone who is familiar with Google, but it’s pretty detailed. Thread. 1/
The basic allegation is that Google (mainly via Android) made it extremely difficult to turn off location data collection, and when people *did* try to turn this off, Google still collected and used location data for advertising.
As described in the complaint, there are basically three ways Google can get your location. (1) via GPS, (2) by monitoring nearby WiFi networks, (3) through IP address. Even if you turn GPS off, Google uses some of these. 2/
Once Google has your location information, the question is whether the user can stop them from recording it. As of 2018, Google seemed to make this possible through a Location History account setting. 3/
The Location History setting was described as “let[ting] Google save your location.” Presumably to ordinary non-technical users this language was about as clear as things get. According to the complaint, however, Google saved your location regardless of the setting. 4/
Specifically, Google has another “Web & App Activity” setting that also lets Google save your location. Because why have one setting when you can have many confusing ones? 5/
A brief interlude here to see what Google employees thought of these options. “[F]eels like it is designed to make things possible, but difficult enough that people won’t figure it out” is a solid quote. 6/
The complaint has a long section on “dark patterns” and this reads like a syllabus in a course on Silicon Valley privacy invasion. 7/
All the typical stuff: (1) presenting users with complicated opt-ins once at setup; (2) repeatedly “nudging” people who opt-out; (3) rewording dialog boxes to be less specific and maximize engagement; (4) hinting that apps “need” location history to work. It goes on. 8/
The one area where I felt j needed more detail was around the scanning of Wi-Fi networks. Even if you turn off GPS, companies like Google can determine your location by seeing nearby Wi-Fi. The complaint hints that Google does these even when you disable location. 9/
In fact, from context it feels like a lot of the redacted text in this document is about Wi-Fi geolocation. I hope future amended complaints get into the details. 10/
Final note: how did Google management feel about all of this? Was it all a big misunderstanding caused by good people trying hard not to be evil? Judge for yourself. 11/11 fin.
Here is the complaint so you can read for yourself. It’s only about 20 pages long. cdn.vox-cdn.com/uploads/chorus…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Matthew Green is on BlueSky

Matthew Green is on BlueSky Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @matthew_d_green

Matthew Green is on BlueSky Profile picture
Dec 29, 2024
What is this new setting that sends photo data to Apple servers and why is it default “on” at the bottom of my settings screen? Image
I understand that it uses differential privacy and some fancy cryptography, but I would have loved to know what this is before it was deployed and turned on by default without my consent.
This seems to involve two separate components. One that builds an index using differential privacy (set at some budget) and the other that does a homomorphic search?

Does this work well enough that I want it on? I don’t know. I wasn’t given the time to think about it.
Read 5 tweets
Matthew Green is on BlueSky Profile picture
Sep 19, 2024
Most of cryptography research is developing a really nice mental model for what’s possible and impossible in the field, so you can avoid wasting time on dead ends. But every now and then someone kicks down a door and blows up that intuition, which is the best kind of result.
One of the most surprising privacy results of the last 5 years is the LMW “doubly efficient PIR” paper. The basic idea is that I can load an item from a public database without the operator seeing which item I’m loading & without it having to touch every item in the DB each time.
Short background: Private Information Retrieval isn’t a new idea. It lets me load items from a (remote) public database without the operator learning what item I’m asking for. But traditionally there’s a *huge* performance hit for doing this.
Read 14 tweets
Matthew Green is on BlueSky Profile picture
Sep 12, 2024
The new and revived Chat Control regulation is back. It still appears to demand client side scanning in encrypted messengers. But removes “detection of new CSAM” and simply demands detection of known CSAM. However: it retains the option to change this requirement back.
For those who haven’t been paying attention, the EU Council and Commission have been relentlessly pushing a regulation that would break encryption. It died last year, but it’s back again — this time with Hungary in the driver’s seat. And the timelines are short. Image
The goal is to require all apps to scan messages for child sexual abuse content (at first: other types of content have been proposed, and will probably be added later.) This is not possible for encrypted messengers without new technology that may break encryption.
Read 4 tweets
Matthew Green is on BlueSky Profile picture
Sep 10, 2024
One of the things we need to discuss is that LLMs listening to your conversations and phone calls, reading your texts and emails — this is all going to be normalized and inevitable within seven years.
In a very short timespan it’s going to be expected that your phone can answer questions about what you did or talked about recently, what restaurants you went to. More capability is going to drive more data access, and people will grant it.
I absolutely do believe that (at least initially), vendors will try to do this privately. The models will live on your device or, like Apple Intelligence, they’ll use some kind of secure outsourcing. It’ll be required for adoption.
Read 6 tweets
Matthew Green is on BlueSky Profile picture
Aug 26, 2024
I hope that the arrest of Pavel Durov does not lead to him or Telegram being held up as some hero of privacy. Telegram has consistently acted to collect huge amounts of unnecessary private data on their servers, and their only measure to protect it was “trust us.”
For years people begged them to roll out even rudimentary default encryption, and they pretty aggressively did not of that. Their response was to move their data centers to various middle eastern countries, and to argue that this made your data safe. Somehow.
Over the years I’ve heard dozens of theories about which nation-states were gaining access to that giant mousetrap full of data they’d built. I have no idea if any of those theories were true. Maybe none were, maybe they all were.
Read 6 tweets
Matthew Green is on BlueSky Profile picture
Aug 25, 2024
Apropos Pavel Durov’s arrest, I wrote a short post about whether Telegram is an “encrypted messaging app”. blog.cryptographyengineering.com/2024/08/25/tel…
The TL;DR here is that Telegram has an optional end-to-end encryption mode that you have to turn on manually. It only works for individual conversations, not for group chats. This is so relatively annoying to turn on (and invisible to most users) that I doubt many people do.
This on paper isn’t that big a deal, but Telegram’s decision to market itself as a secure messenger means that loads of people (and policymakers) probably assume that lots of its content is end-to-end encrypted. Why wouldn’t you?
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(