Users were not aware the information was being collected, and have no way of opting out of it.
The data was gathered as part of an effort to find out how often a phone should “ping” a cell tower to stay connected to Google’s servers, a process Google calls “heartbeat analysis,” Google says.
Too-frequent pinging wastes battery power, while not enough pinging risks disconnecting, a company spokesperson who spoke on the condition she not be identified explained in an email.
Starting in January, Google began asking Android devices for the unique ID, or “cell ID,” of the cell towers they were connected to. Triangulating between cell towers will reveal a device’s location to a high degree of accuracy, especially in urban areas where towers are more common.
The information was never stored, and the practice will end by the end of November, she wrote.
The practice came to light after Quartz published a story Tuesday.
The practice is separate from location tracking with Google Maps Timeline, a more transparent service that keeps track of users’ movements. It is supposed to be opt-in, but opting in without realizing it seems to not be difficult.
The disadvantage of Google Maps Timeline is that anyone who gets access to a user’s Google login information can see a complete record of their movements, potentially going back for years.
Google did not respond to questions about whether the practice conforms to Canadian privacy laws.
“Given that we may have to investigate a complaint on the issue, it would be inappropriate to comment without proceeding with a formal investigation,” wrote Tobi Cohen, a spokesperson for the federal privacy commissioner.
“We plan to follow up with Google to seek further information.”
Federal privacy law requires private companies to get consent to collect personal information, and to do so “only for purposes that a reasonable person would consider appropriate in the circumstances,” she wrote.