Agreement to an app’s “permissions” does not, by itself, equal consent to collect, use and disclose personal information - Google encouraged to provide users with greater clarity to avoid misperception

PIPEDA Report of Findings #2014-008

May 29, 2014


In December 2012, Google Inc. (“Google”) released an update for the Google Search App (the “App”) on the Android operating system.  This update asked users to grant the App a number of “permissions,” which had to be accepted in order to use the updated app.  A complainant filed a complaint with our Office alleging that Google was, in forcing him to consent to these permissions, requiring his consent to the collection of personal information beyond that required for the purposes of the App’s functionality.

Permissions

In its representations to our Office, Google asserted that the complainant’s agreement to the App’s permissions was not, by itself, equivalent to his consenting to the collection, use or disclosure of his personal information.   Google provided clarity with respect to the Android permissions system, explaining that it is a transparency mechanism intended to provide users with information about an app’s capabilities, not its actual functionalities.  More specifically, each permission represents a type of data and/or function to which an app will have access for the purposes of its operation.  A standard description for each permission explains what the permission means and how it could be used by the app - not how it will actually be used by the app.  In particular, according to Google, the description provides a warning to users, identifying certain harmful ways that the permission could be used by a malicious app.  Google further explained that the permissions system is not intended to replace communications to users about how it will use permission-related capabilities.

The Google Search App

Google also outlined to our office what information was actually collected by the App, via the capabilities associated with required permissions, as well as the purposes for which such information was collected.  More specifically, Google stated that the App supports several functions, necessitating the broad range of capabilities tied to the permissions requested by the App.  These functions include providing: an interface for the Google search engine; voice-based control of the device; and, “Google Now” - a notification service that actively informs users of relevant information such as upcoming appointments, travel arrangements, news, etc.  Google explains its collection and use of personal information for the purposes of these functions through: the App’s description in the Google Play marketplace and on Google’s webpage about the App; the App’s permissions; the App’s in-app notices; and the Google privacy policy.

Finding

Our Office accepted that the act of granting app permissions does not, by itself, equate to consent for the collection, use or disclosure of associated personal information.  In particular, this was because the permissions system did not describe Google’s actual collection and use of information via the App.

Ultimately, in our view, Google was not requiring consent to the collection, use or disclosure of personal information beyond that which was necessary for the App’s broad range of functions.  As such, we found the complaint to be not well-founded.

Additional Issue – Meaningful Consent

The complainant did not use the App.  As such, Google did not collect, use or disclose his personal information via the App, and his complaint did not raise the question of the adequacy of Google’s consent.  We did, however, make certain observations during the course of the investigation, which we shared with Google in our Final Report.

While we recognize that presenting permissions up-front serves an important role in both security and transparency, we were concerned that the way in which permissions are presented could lead to user confusion.  For instance, users may mistakenly believe that by accepting permissions, they are consenting to the collection, use or disclosure of certain information.  As a result they may be less likely to seek out, or pay attention to, other privacy communications presented by an app.  We therefore encouraged Google, in its role as overseer of the Android operating system, to take certain steps to ensure clarity with respect to the meaning and function of permissions, and to integrate into the permissions system a way for app developers to explain how permissions will be used.  We are pleased to note that since the conclusion of our investigation, Google has implemented certain changes to clarify the permissions system, including the creation of a plain-language explanation of the system, which is accessible via link within the ‘permissions details’ section of apps’ Google Play Store listings.

Finally, while we commended Google for its “just-in-time” in-app notification, we also encouraged Google to provide greater clarity to individuals by supplementing its organization-wide privacy policy with context-specific information regarding the privacy practices of its individual services (like the Google Search App).

We continue to engage with Google, outside of the investigations process, to discuss how the permissions system could be further improved to support transparency regarding the actual privacy practices of Android apps.

Lessons Learned

  • Consent must be meaningful; mobile app developers must inform users about how they collect, use and disclose personal information via their apps. More information about online consent.
  • Privacy practice transparency can be greatly enhanced by providing privacy information to users at key decision points (i.e. by using “just-in-time” notifications).

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

  1. The complainant alleges that Google Inc. (“Google”) required him to consent to the collection and use of personal information beyond that which was necessary for the Google Search application for the Android mobile operating system (“the App”). In particular, he objects to being required to agree to “permissions” to allow the App to perform the following functions:
    1. access and turn on his mobile device’s camera and microphone without his knowledge;
    2. access his mobile device’s calendar and email (and send email on his behalf);
    3. call phone numbers;
    4. send SMS messages, and;
    5. access Google account information, log information, and contacts.
  2. In its response, Google explained that permissions are a security and transparency feature, and do not necessarily equate with functions that the App will, in practice, perform without further notice to the individual. It further stated that any information collected or used by Google via the App:
    1. was done with the user’s informed consent, and
    2. did not exceed that required to provide the service
  3. Our Office found that agreement to the App’s permissions does not equate to consent for the collection, use and disclosure of personal information by Google via the App. Our Office also found that, for each function of the App, Google is not requiring that individuals consent to the collection or use of personal information beyond that necessary to provide that function.
  4. However, our Office suggests that it would be beneficial for Google, in its role of developer of the App to provide users with additional information about its data handling practices associated with the App. Our Office also suggests that Google, in its role as overseer of the Android operating system, also provide an explanation of the meaning and function of “permissions”, and to integrate into the permissions system a way for developers to explain how the permissions will be used.

Summary of Investigation

Information from the Complainant

  1. The complainant owns multiple mobile devices running the Android mobile operating system (“Jelly Bean” version – 4.2.x or 4.3.x). On each, the App came pre-installed.
  2. The complainant states that on December 5, 2012, Google released an update for the App. When he attempted to download the update, the App required him to agree to a number of new “permissions” (a term that will be further described later in this report). The permissions with which he expressed particular concern wereFootnote 1:
    • Permission: Directly call phone numbers
      Description: Allows the app to call phone numbers without your intervention. … Malicious apps may cost you money by making calls without your confirmation.

    • Permission: Send SMS messages
      Description: Allows the app to send SMS messages. … Malicious apps may cost you money by sending messages without your confirmation.

    • Permission: Take pictures and video
      Description: Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation.

    • Permission: Edit your text messages
      Description: Allows the app to write to SMS messages stored on your tablet/phone or SIM card. Malicious apps may delete your messages.

    • Permission: Read your text messages
      Description: Allows the app to read SMS messages stored on your tablet/phone or SIM card. This allows the app to read all SMS messages, regardless of content or confidentiality.

    • Permission: Read sensitive log data
      Description: Allows the app to read from the system’s various log files. This allows it to discover general information about what you are doing with the phone/tablet, potentially including personal or private information.

    • Permission: Read your contacts
      Description: Allows the app to read data about your contacts stored on your phone/tablet, including the frequency with which you’ve called, emailed, or communicated in other ways with specific individuals. This permission allows apps to save your contact data, and malicious apps may share contact data without your knowledge.

    • Permission: Read calendar events plus confidential information
      Description: Allows the app to read all calendar events stored on your phone/tablet, including those of friends or co-workers. This may allow the app to share or save your calendar data, regardless of confidentiality or sensitivity.

    • Permission: Add or modify calendar events and send email to guests without owners’ knowledge
      Description: Allows the app to add, remove or change events that you can modify on your phone/tablet, including those of friends or co-workers. This may allow the app to send messages that appear to come from calendar owners, or modify events without the owners’ knowledge.
  3. The complainant expressed concern that by agreeing to these permissions, he was consenting to collections and uses of his personal information that he felt were unacceptable. However, he felt that he was required to agree to these permissions, as the App came pre-installed and could not be deleted (only disabled). He did not actually use the App.
  4. On the advice of our Office, the complainant sent a letter to Google outlining his concerns. He did not receive a reply to this letter.

Information from the Respondent / OPC Research and Testing

  1. During this investigation, Google provided written representations to, and engaged in discussions with, our Office. To further our understanding, our Office also gathered additional information from Google’s public documentation of the Android operating system and the App, as well as through our Office’s testing of the App. Where public documentation is cited below, references are provided

About the App

  1. Based on Google’s submissions and information, the App allows the user to perform three main functions: (i) searching, (ii) controlling the device using voice commands, and (iii) using a service called “Google Now”, which is described below.
  2. The search functionality of the App allows the user to search the web using the Google search engine, or to search his or her device. Searches are performed by entering text into a ‘search bar’ on the homescreen of the device or within the App, or by pressing the microphone icon on the search bar and speaking the desired search term(s). If “hotword detection” is enabled, the user can also initiate a voice search by speaking “OK Google” while the App is open.
  3. These searches can be personalized based on the individual’s current location. For instance, a search for “movies” might return movie listings in the individual’s current city. Opt-out features relating to the use of location are discussed later in this report, at Paragraph 26.
  4. The second functionality allows users to control the device using voice commands. This is done by pressing the microphone icon on the homescreen or within the App, or stating “OK Google” while in the App (if hotword detection is enabled) and speaking a voice command. “Voice Actions” that can be initiated using voice commands include opening apps, creating calendar events, composing and sending text messages or emails, getting directions to a location, etc.Footnote 2
  5. The third functionality associated with the App is Google Now. Google Now is a notification service that actively informs users of relevant information such as upcoming appointments, travel arrangements, news, etc. To do this, it uses “contextual data from [the user’s] device and from other Google products, plus data from third-party products that [the user allows] Google Now to access.Footnote 3 This information can include current location and location history, searches saved in the user’s web history across devices, and/or information from synced calendars or Gmail, along with many other sources of information. This information is continually monitored and used to deliver Google Now “Cards,” which contain information that Google Now determines may be of interest to the user at a particular point in time.
  6. By way of example, if the App has access to a user’s calendar, the Google Now function is able to provide the user with a reminder prior to an appointment. If the appointment’s location is specified, the reminder might also contain the time it would take to get there from the user’s current location (and provide driving directions where available).
  7. Other examples of Google Now’s functionality include providing the user with sports scores based on teams he or she has searched for in the past, retrieving electronic boarding passes from the user’s Gmail account near the time of a flight, or setting time- or location-based reminders, such as “Remind me to call John when I get home,” which would display a Card when Google Now detects that the current location of the device is the pre-defined “home.”
  8. Google Now is an optional component of the App; this functionality is only enabled after the user completes an opt-in process in the App (described below). Should the user not opt-in, the search and device voice control functionalities of the App remain active.
  9. Use of the App is not required in order to use the device on which it is installed. While the App is considered a ‘system app’ and cannot be deleted, it can be disabled.
  10. Use of the App is also not required in order to use the Google search engine, which can be accessed, for instance, through the device’s built-in web browser, or a third-party browser installed by the user.
  11. Google also stated that individuals do not need to be logged into a Google account in order to use the App, though some functions that rely on the presence and content of such an account, such as Google Now, may not work unless the user is logged in.

Information collected and used by Google via the App

  1. Google notes in its response that:

    Simply because the Google Search App is developed and distributed by Google does not necessarily mean that all personal information it processes is collected, used or disclosed by Google. It is important to distinguish between, on the one hand, processing of information on the device and on the user’s behalf and, on the other hand, transmission of information to Google for use by Google.

  2. In response to a question by our Office about what information processed by the App was transmitted to Google’s servers, Google confirmed that each of the App’s primary functions – search, device voice controls, and Google Now – results in the transmission of at least some information to Google’s servers.

Information collected/used related to the search function and device voice controls

  1. Search terms: The search function of the App operates in fundamentally the same manner as Google’s browser-based search engine. A user’s search query is transmitted to Google’s servers, and relevant results are returned. If the user is logged into his or her Google account, these results may be personalized to him or her based on his or her past search activity on Google, including prior searches and results clicked.
  2. If the “Web History” option is enabled in the App, in addition to providing search results, the search terms the user has entered will be used for the purpose of customizing the Cards presented to the user through the Google Now function of the App.
  3. As with browser-based search, information collected by Google to provide the search functionality may be used for advertising, subject to Google’s privacy policy.
  4. Location information: When pre-installed on a mobile device (as is the case with the complainant’s mobile device), the App is granted permission to access the device’s location. However, notwithstanding this, individuals can disable the ability for the App to access location information via the App’s settings menu (among other means).
  5. If the App is able to access location information, the App transmits this information to Google’s servers along with the search terms in order to provide search results customized to the user’s location. Location information can also be used in the customization of Google Now Cards.
  6. Voice: If the user performs a voice-based search, his or her voice is recorded and sent to Google for processing. These recordings are not associated with the individual’s Google account, unless the user has opted-in to a “Personalized Speech Recognition” program through the App’s settings menu. This program allows Google to improve its speech recognition accuracy for an individual by keeping samples of what he or she has said in the past.Footnote 4
  7. If the user corrects the speech-to-text results returned to his or her phone, this information is sent back to Google in order to improve the recognition algorithms.
  8. As previously described, if the user has opened the App and has hotword detection enabled, he or she can speak the phrase “OK Google” to activate voice search or device voice controls. According to Google’s online documentationFootnote 5, hotword detection functions by analyzing sounds picked up by the device’s microphone in intervals of a few seconds or less. The sound is immediately discarded after analysis, and is not stored on the device or sent to Google.
  9. Contacts: In order to allow the user to make phone calls or send text messages using device voice controls, the App must access the user’s contact information to provide the relevant context for commands such as “Call/Text Jane Smith.” Access to the frequency of use of each contact helps avoid ambiguities; if the user has multiple contact phone numbers for Jane Smith, the most frequently used one will be preferred by the App.
  10. In discussions, it was noted by Google that the contact list stored on a user’s Android phone is not currently transmitted to Google’s servers by the App.Footnote 6 Instead, when a function (such as initiating a phone call) requires voice input to be matched with the contact list, the voice input is processed on Google’s servers, but the comparison between the result and the user’s contact list is processed on the device itself.
  11. Other: When using voice commands, once the desired action has been identified, the App will access the information required to perform that command. Where the data processing required to perform the user’s command can be best effected by Google’s servers, as opposed to the device, the required information will be transmitted to Google for this purpose. Google did not detail the situations in which this would occur, or specify what information is sent to its servers in these situations.
  12. Information transmitted to Google for the purpose of effecting actions initiated by device voice controls is not used for any additional purposes, except making improvements to the product (improving speech recognition, developing usage statistics, etc.).

Information collected/used related to Google Now

  1. Should the user opt to activate the App’s Google Now functionality, a broad range of information may be used to generate Google Now Cards. This includes information associated with the device (current location, location history, searches saved in the user’s web history across devices, synced calendars, etc.), and with the individual’s use of other Google services (Gmail, etc.).
  2. In its response, Google highlighted, in particular, that when location information is used by Google Now (for instance, to provide maps or transit times), it is generally submitted to Google in an anonymized fashion. Exceptions to this anonymous transmission include when the device computes a user’s “home” and “work” location for providing suggested departure times.

Permissions not, or no longer, applicable to the App

  1. In relation to the permissions of particular concern to the complainant, Google stated that the following permissions are not, or are no longer, applicable to the App:

    1. Category: Sensitive Log Data
      Google’s response: Sensitive log data is information that is useful in attempting to debug an error or crash. In some instances, should either occur, the user is given the choice to provide this information to Google. However, the version of the App installed on the complainant’s phone would not have used this functionality.

    2. Category: Call log
      Google’s response: In previous versions of the Android operating system, applications that could read a user’s contact list could also read the call log. However, based on the version of the operating system on the complainant’s mobile device, this permission would not have been sought from him.

    3. Category: Activating the camera
      Google’s response: Prior to May 2013, the App allowed the user to take photos of landmarks or text, and search for additional information about them. This would have been explicitly initiated by the user. While the functionality would have existed at the time of the complaint, it has since been removed from the App.

No information disclosed to third-parties by Google

  1. Google states that the App does not independently transmit any information about the user to third parties, and that it does not disclose to third parties any of the information it collects via the App. The user can choose to disclose information about him- or herself to others (e.g. by sending text messages), but this would be an express choice of the user.

Notices to users regarding information handling by the App

  1. There are four principal means by which users are notified about the App’s information handling practices: the App’s Google Play Store listing (in combination with Google’s webpage about the App), the App’s previously-described permissions, the App’s in-app notices, and the Google privacy policy.

Google Play Store listing / Google webpage about the App

  1. The description of the App available on its listing on the Google Play Store provides initial information about how the app will use information. It states:

    Google Search app for Android: The fastest, easiest way to find what you need on the web and on your device.

    • Quickly search the web and your phone or tablet
    • Use your voice to search and more
    • Get personalized results based on your location

    Plus: *Google Now* gets you just the right information at just the right time. It tells you today’s weather before you start your day, how much traffic to expect before you leave for work, and more.Footnote 7

  2. This information is expanded upon on Google’s webpage about the AppFootnote 8. This page states, in part:

    Google Now: just the right information at just the right time. Google Now gives you what you need to know, when you need to know it.

    Use your voice to search and more. Speak instead of type, using your voice to control your phone or tablet. Search the web and your phone, call your contacts, send emails, get directions and listen to music, all without worrying about having to type.

    Get personalized results based on your location. Google Search can give you personalized results for things like weather and movies based on where you are.

Permissions

  1. According to Google’s online documentation, “A central design point of the Android security architecture is that no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user.Footnote 9 Instead of allowing default access, the developer of each Android application is required to declare, in the app’s “App Manifest,” which “permissions” for additional capabilities (access to information on the device, device features, etc.) are required by the application.
  2. The permissions requested by each app are articulated to the user, who is then given the opportunity to accept those permissions or decline to install the application. Apps are unable to access or use any feature or data element protected by a permission not specified in their manifest at the time of installation. In its representations, Google states that this model provides a “very high level of visibility into the technical capabilities of [an app] … which surpasses the level of transparency of other operating systems.”
  3. Google asserts in its representations that “permissions are not ‘consent’ per se.” They explained that,

    [t]he permissions granted under the Android security model are simply to enable capabilities, which does not necessary [sic] speak to how those capabilities can be used and whether they even will be used. They do not replace later communications to the user about how and when those capabilities will be used, or other functionality of the application in question.

    [Permissions] do not necessarily equate with functions that the application will use without further notice to the user.

  4. At the time of this complaint, information about the permissions requested by an app was presented to users in three ways.
  5. First, listings for applications on the Google Play Store (the primary source for Android applications) contained a tab detailing the permissions required by the app. Following an update to the Google Play Store, this tab no longer exists.
  6. The complainant provided our Office with a partial screen capture of the permissions tab on the Google Play Store listing for the App at the time of his complaint. The tab showed 18 separate permissions, including those of concern to him as described in Paragraph 6 of this document.
  7. Each permission in this tab had a description associated with it. Google’s convention for this description is to use two sentences, the first describing the permission, and the second warning the user of “what bad things can [potentially] happen if an application is granted the permission.”Footnote 10 Examples of these descriptions can be seen in Paragraph 7 of this report.
  8. In addition to the information formerly provided in the Google Play Store listing, when a user downloads an app, he or she is presented with a pop-up stating “This app has access to these permissions:”, followed by a list of the permissions required by that particular version of the app. The user can then choose to “Install” the app, or “Cancel.”
  9. We note however, that as the App came pre-installed on the complainant’s device, he would not necessarily have had reason to access the Google Play Store, nor download the App. However, as with any Android app, when an update to the App required additional permissions to be granted to it, the complainant was presented with, and asked to agree to, the revised list of permissions.
  10. Lastly, at any time after download, a user can also check the permissions associated with installed apps in the device’s settings.

In-app notices

  1. In addition to the information provided by the permissions model, the App uses in-app notices to inform the user of how certain information will be used.
  2. One prominent in-app notice is the opt-in mechanism for the App’s Google Now functionality. The first time the App is opened, this opt-in screen is immediately presented.Footnote 11 After providing examples of the functionality of the App (determining driving time to work; checking flight status), the App presents the following:

    Google Now is always working for you. To best help you, Google needs to:

    • Use and store your location for traffic alerts, directions and more
    • Use your synced calendars, Gmail, and Google data for reminders and other suggestions.
  3. The user is presented the options of “No, maybe later” and “Yes, I’m in,” along with a link to “Learn more.” The “Learn more” page contains the following:

    The Google Now service is always working for you in the background. You don’t have to ask for anything: Google displays Google Now cards when you’re most likely to need them.

    When you touch “Yes, I’m in”, you’re turning on both Now and, if you haven’t already turned it on, your location history. Google won’t share your location history with other users or marketers without your permission. You may have opted in to location history in the past. If so, Now uses your previously recorded locations as well as ongoing details when making suggestions. To manage all such records, visit Location History [a link is provided]. Google Now also uses Google’s location service and GPS periodically, if they are turned on.

    Now also uses data from other sources, such as your data in Google products or in third party products that you allow Now to access. For example, if you have a synced calendar entry for a dentist appointment, Now can check traffic and suggest when to leave. If the dentist is in your contacts, Now can label the destination accordingly. And if you have searches stored in your Web History, Now can also show things like sports scores, flight status, stock quotes, and so on.

    You can turn off Now anytime by going to settings. You can also turn off Google’s location service, GPS, location history or Web History without turning off Now. Note that turning off location history or reporting does not turn off Google’s location service or GPS.

    Data is used by Now under the Google Privacy Policy [a link is provided].

Privacy policy

  1. Generally, information about Google’s information handling practices can be found in Google’s unified privacy policy, to which the App is subject. A link to this policy is provided on the App’s Google Play Store listing, during the Google Now opt-in process, and in the App’s “Settings” menu, under “Accounts & privacy.”
  2. This policy states in part, in relation to how Google uses information collected:

    We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads.

Granular options available to users

  1. Lastly, a number of options are available to users within the App’s “Settings” menu. Such options include:
    • Turning Google Now on/off
      • Default: Off
    • Turning ‘hotword detection’ on/off
      • Default: On
    • Signing in to, out of, or switching between the user’s Google account(s)
      • Default: Signed into Google account associated with the device
    • Turn access to location on/off (for all Google apps in Android 4.3; for all apps in Android 4.4+)
      • Default: On, unless the user has previously turned this setting off for his or her device.
    • Turning web history on/off (if on, this feature allows Google to record and use your search history to improve Google Now predictions and search results)
      • Individuals can also pause, delete, or remove individual web history items
      • Default: On
    • Turn ‘personal results’ on/off (if on, search results may include information from the user’s Gmail account and/or other data on the device)
      • Default: On
    • Turn personalized voice recognition on/off
      • Default: Off

    The appropriateness of the default settings described above is not discussed in this report.

Application

  1. In making our determinations, we applied Principle 4.3.3 of Schedule 1 of the Act.
  2. Principle 4.3.3 states that organizations shall not, as a condition of supply of a service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.

Findings and Analysis

Scope of the investigation

  1. Two particular factors are relevant to determining the scope of our investigation: (i) the complaint filed with our Office alleged that Google was requiring consent for the collection and use of personal information beyond that which was required to provide the service, and (ii) as the complainant did not actually use the App, no collection of personal information by Google via the App actually occurred. As such, we have limited our findings to the issue of required consent.
  2. However, given its relevance, a discussion about meaningful consent follows these findings in the “Other” section of this report.

Google is collecting and using personal information via the App

  1. To the extent that Google acknowledges that each function of the App results in at least some information being transmitted to, and processed by, its servers, Google does collect and use information via the App.
  2. This information includes, but is not limited to, search terms, recordings of a user’s voice, device location, calendar entries, and email. In our view, much of this information can be linked to a specific individual, either alone or in combination with other information available to Google.
  3. Therefore, our Office finds that the information collected and used by Google via the App would generally be considered personal information.

Permissions are not consent

  1. The complainant has alleged that Google is requiring him to consent to the collection and use of personal information beyond that which is necessary for the purpose of providing the services of the App, based on the permissions requested by the App.
  2. Google has explained to our Office that the permissions requested by an app describe the app’s technical capabilities, and not necessarily its actual behaviours. In particular, Google has stated that the descriptions associated with the App’s permissions do not represent the collection, use and/or disclosure of personal information by Google via the App.
  3. As permissions do not describe the collection, use and/or disclosure of personal information by Google but rather the data and functions on the mobile device that the App is permitted to access, our Office finds that agreement to these permissions does not (by itself) constitute consent to the collection, use or disclosure of personal information by Google.
  4. In general, requiring a user to grant a permission to an app is not equivalent to requiring that user to consent to the collection, use or disclosure of the personal information associated with the permission. As such, requiring agreement to a permission would not represent a contravention of Principle 4.3.3 of the Act; however, nor would it necessarily represent consent to any collection, use or disclosure of personal information.
  5. Our Office must also consider what consent(s) for the collection and use of personal information Google actually requires from individuals in order to use the App.

Search

  1. With regard to the App’s search functionality, Google requires that the individual consent to the collection of his or her search terms, for the purposes of providing search results and contextual advertisements.Footnote 12
  2. Signing into a Google account (to allow for personalized search results), collection of location information (for the customization of search results to the user’s current location), and inclusion of search terms in the individual’s Google web history are each optional, in that they can be enabled or disabled in the App’s settings. As such, consent to these collections and uses is not required for the provision of the service of the App (excepting those functions enabled by the information).
  3. Given the above, our Office finds that Google does not require individuals to consent to the collection or use of personal information beyond that required in relation to the search function of the App.

Voice Commands

  1. Use of the App’s voice command function requires that the user consent to the transmission of a recording of the voice command to Google’s servers, as well as any other information required to effect the command.
  2. Processing of voice commands is a processor-intensive task; that is, significant computing power is required to perform this task efficiently. As such, it would be difficult to perform this task directly on the user’s phone, without transmitting a voice recording to Google’s servers.
  3. The subsequent use of the collected information to fulfil the action requested by the user does not exceed what is necessary to provide the service. According to Google, the only other use of this information is to make improvements to the product – by, for instance, improving voice recognition.
  4. As such, our Office finds that, with regard to the voice command functionality of the App, Google is not requiring individuals to consent to the collection or use of personal information beyond that required to provide the service.

Google Now

  1. Google Now requires that the individual consent to the collection and use of a broad range of information. This is explicitly described to individuals through an extensive in-app notification. Notably, Google Now operates on an opt-in basis and consent to the collection and use of information related to Google Now is not required for use of the App’s other functions.
  2. he predictive nature of Google Now’s notifications, which aim to anticipate what information will be relevant to an individual, understandably necessitates the collection and use of a large amount of personal information. In this investigation, our Office did not find evidence that, after an individual opted-in to this function of the App, Google was collecting or using more information than would be required to provide the Google Now service.
  3. In summary, our Office finds that Google does not require an individual to consent to the collection or use of information beyond that which is required to provide the service.

Conclusion

  1. Accordingly, our Office concludes that the complaint is not well-founded with regard to the allegation of requiring an individual to consent to collection and use beyond that which is required for the provision of the service.

Other

  1. As noted above, this report speaks to the consent(s) required by Google for collection and use of personal information via the App; it does not speak to the form that consent takes. However, the latter is worthy of comment. Google’s efforts to ensure it obtains meaningful consent for its collection and use of personal information via the App can be seen to be exemplary in some respects while lacking in others.

Explanation of Permissions

  1. Our Office notes that the Android permissions model creates a moment at which the individual’s attention is focussed on an app’s potential data collection and use. In our view, this would be an ideal moment at which to provide information about the app’s actual collection, use and disclosure of personal information.
  2. As it currently exists, the Android permissions model is unclear. In particular, it is not clear that: (i) the permissions represented data and functions to which an app has access, and not necessarily its behaviours; (ii) the description provided for each permission does not necessarily describe the app’s actual use of that permission; and (iii) an individual should look elsewhere for a full description of an app’s actual collection, use and disclosure of personal information.
  3. In our Office’s view, while presenting permissions up-front serves an important role in both security and transparency, the way that they are presented can lead to confusion.
  4. Moreover, a user agreeing to these permissions may mistakenly believe that he or she has provided consent to certain collections, uses or disclosures of personal information, and thus be less likely to seek out, or pay attention to, other information about data practices provided by the app developer within the app.
  5. Our office would therefore encourage Google, in its role as overseer of the Android operating system, to take steps to clarify the function of the permissions model, and expand the functionality of this model. More specifically, our Office suggests that Google:
    1. Explain to users the role and functionality of permissions in a clear and transparent manner whenever permissions are displayed (for example, via a link to an explanation in the Google Help Center); and
    2. Provide a mechanism by which app developers can describe, at the time permissions are presented to the user, how they will collect, use and/or disclose personal information associated with those permissions.

In-App Notifications

  1. Our office would also highlight the in-app notification explaining the Google Now service, as described in Paragraphs 53 and 54 of this report. Through this mechanism, individuals are provided a clear explanation of the types of data that will be collected by Google via the App, and how it will be used, in the provision of this service. This explanation brings clarity to what might otherwise be an unclear collection and use of a significant amount of personal information. Moreover, this explanation is provided immediately prior to the individual’s choice of whether or not to engage the service.
  2. Google’s use of in-app notifications to extensively explain the data collection practices associated with Google Now highlights the transparency benefits available to app developers from the use of “just-in-time,” context-specific notifications.

App-specific Privacy Information

  1. On the other hand, specific information about what data will be transmitted to Google’s servers, and how it will be used, in relation to the App’s voice command function was not found by our Office, and became known only during direct discussions with Google.
  2. Some information can be gleaned from Google’s unified privacy policy, which states in part:

    We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads.

  3. Based on this statement, an individual might reasonably believe that any information collected by Google via any service it provides, including the App, may be used for each of the purposes described. In particular, there is no information available to the individual that would indicate that information collected by Google via the App’s device voice control feature is not used to offer tailored content, as would appear to be the case based on information obtained during this investigation.
  4. Organization-wide privacy policies, such as that used by Google, should be supplemented with context-specific information related to the collection, use and disclosure of personal information by the organization via individual services.
  5. Our Office would thus suggest that Google create a single resource which explains what personal information Google collects and uses via the App. This resource would be supplemental to Google’s privacy policy, and should be available to individuals either (i) (preferably) prior to downloading the App, or (ii) prior to any collection, use or disclosure of information by Google via the App.

Google’s lack of response to the complainant

  1. Lastly, our Office notes the fact that the complainant did not receive a response to his letter to Google outlining his concerns about the App’s permissions, which was sent by the complainant at the suggestion of our Office.
  2. The Act requires that individuals be able to address challenges concerning compliance with the principles of the Act. However, in many instances – including this one – complainants express frustration that they are unable to contact a “real person” within an organization, or to receive a response to their issue, without engaging our Office.
  3. It is the protocol of our Office to initially suggest that individuals raise their issue with an organization, prior to filing a complaint with our Office. However, the effectiveness of this protocol is wholly dependent on those individuals receiving an appropriate and timely response from the organization.
  4. Our Office thus suggests that Google put in place and/or publicize a mechanism by which individuals can raise privacy complaints, and have these complaints acknowledged, heard, and where possible, actioned.
Date modified: