Google’s processing of user data has long been of concern to data privacy enthusiasts. While the technology giant has experienced relatively few data leaks in recent history, its control over the Android platform allows them to collect unprecedented amounts of data.
Google is now taking additional steps to ensure that user data is collected on non-mobile devices as well. A network user has recently discovered that Google has changed the structure of its domains to include all its services in one parent domain. This means that any permissions granted by a user to a single Google service, such as Google Maps, apply to all Google services in the domain.
To understand why this is a serious privacy issue for users, we must first look at how domains work. There are two types of web directory management systems: subdomains and subdirectories.
Subdomains are treated as child elements of the parent domain, but they exist outside the primary domain in a separate section. On the other hand, subdirectories are considered part of the primary domain, as they are nothing more than a domain page.
For example, Google previously used a subdomain for Google Maps, as evidenced by its URL «maps.google.com». Now they have switched to the subdirectory with the change of the URL to «google.com/maps». This means that the resolution pop-up window that appears when a website attempts to access a camera, microphone, or user location must be taken only once in a wide range of Google services. Google can then use these permissions for all of its services without requesting users.
As shown below, the user’s microphone can be accessed from the Google Search page, and camera permissions are granted by Google Meet. Access to the location can be provided through Google Maps, and this will probably allow the search engine to track the user’s location even if they have specifically not given permission or other applications. This goes beyond the law when it comes to important data protection rules such as GDPR and the American Data Privacy and Protection Act.
The GDPR states that the provider’s privacy policy clearly states that the company must seek consent to access the camera and microphone. In addition, the company must also provide an explanation of its purpose of requesting access to the camera. On the other hand, India’s new privacy policy has no legal effect on the company’s use of location data. Google’s privacy policy does not provide clarity on these matters.
In addition, location data is considered personal data according to GDPR and most of the regulation is applicable. Google Chrome’s Privacy Policy includes a section on how Google locates users and what it uses them for. However, although they indicate that they do not allow the site to access users’ locations without permission, they also state that they send the data to Google’s location services to determine the user’s location. This data consists of information about the nearest Wi-Fi routers, cell tower identifiers next to the user, and the user’s IP address.
Any user who wishes to use Google Maps for short navigation will now be asked to grant Google permission to access their location. With this permission, Google can access this data at any time because of its new domain structure, which allows it to geo-track the user at any time when they have a Google website.
