You would expect that if your “location history” in Google settings is turned off, you are not being tracked. You would expect that if you switch off your ‘web & app activity’, your activity using the web and apps won’t be recorded.

The ACCC contended that neither was the case in 2017-2018 on Android phones, the period the commission homed in on, in its federal court action against Google. The judgment says around 6.3 million Australian users set up a new Google account on devices using the Android OS between January 2017 and August 2019.

The court examined in minute detail whether users were given information about the limitation of these services when they clicked “learn more” or “more options” buttons.

Not part of this case, but equally important, is ‘incognito mode’ when browsing in Chrome. It turns out you are not incognito to others on the internet.

The ACCC may have won the day in pointing out these technical transgressions. Google these days does include more information about the limitations of these privacy protections in the fine print.

However the situation is hopeless. Users are mostly not lawyers and don’t read the screeds of legal fine print about software they use. I’m also guilty of pressing the “agree to the terms and conditions button” when I’m anxious to use a much-needed app. I suspect most of us are the same.

It’s not good enough to detail how services are used in the fine print. The options have to reflect what their everyday meaning implies.

If Google offers an option to turn location history off, the option should do exactly that. Those common everyday meanings should also apply to “web & app activity” and “incognito mode”.

Instead we have a hopeless mess with countless qualifications about what services do.

When location history is off, Google now says your settings for other location services on your device, like Google location services and Find My Device, are not changed.

“Some location data may continue to be saved in other settings, like Web & App Activity, as part of your use of other services, like Search and Maps, even after you turn off Location History.”

If you turn off web and app activity, your device will still share information with Google such as how often you use your device and apps, battery levels and system errors. Google says your search and ad results may be customised using search-related activity even if you‘re signed out.

When you select ‘incognito mode’ Google says files you download and bookmarks you create will be kept, and your activity isn’t hidden from websites you visit, your employer or school.

Chrome only goes as far as not saving your browsing history, cookies and site data, or information entered in forms.

Unless you read the fine print, these privacy settings are misleading. Given most people don’t read the fine print, the situation around tweaking these settings is hopeless, despite today’s court judgment.

In addition, the ACCC case didn’t address some of the worst cases of privacy abuse by Google.

In August 2019, The Australian revealed that Android phones were sending a relentless secret fire hose of user data that extended beyond the public flow of data.

The Australian detected this data using software supplied by Oracle that intercepted it and sent it to a server where we could view and analyse it.

The secret data stream from the Android phones included the identification of cellular towers and the identification by ID (Mac address) of every Wi-Fi access point you encounter, constant recordings of barometric pressure — Google seems to want to know which floor of a building you are on — and your state: whether you are on a bicycle, or in a car; your longitude, latitude and speed, and an estimate of data accuracy.

Location data was sent to Google even when Google Maps location history was turned off during the test.

In one 31 minutes period, one of the test phones conducted 39 Wi-Fi scans, 15 location scans, 15 barometric readings, and 24 activity scans, whether I was still or on foot. More than 20 of the Wi-Fi scans each identified more than 20 Wi-Fi access points.

On one occasion, I commuted by train and tram to a conference, then stayed in the city for dinner. The phone sent 529 readings of data to Google. Of that, 158 were activity-related, 222 were barometric readings, 121 were locations, 29 were about changes in rates of data accumulation and 151 were scans of Wi-Fi sources.

This fire hose of data was way beyond the normal, regular collection of data on Android phones.

Google never admitted to this stream of data at the time (they never denied it either), but several months later, we noticed a lot of it stopped.

The judgment includes reference to an “oh shit” meeting of Google employees after publication of an Associated Press article in 2018 about the inaccuracy of Google’s descriptions of its settings.

This judgment is a partial win for the ACCC. It found Google had contravened sections 18, 29 and 34 of Australian Consumer Law. That includes conduct that is misleading or deceptive or is likely to mislead or deceive. It’s a damning finding.

But it also found that more savvy users were less likely to be misled. The judgment gives users credit for thinking through privacy settings screen by screen but I don’t believe most users have the patience and time to do that.

The case didn’t involve the breadth of the data privacy breaches that Google has perpetrated overall.

Users will continue not to read the screen fulls of fine print about smartphone services they use. And who can blame them?

More Coverage

Google’s conduct misleading: Federal Court rules

James Madden

MINING OUR OWN BUSINESS

Chris Griffith