Of all the accusations routinely hurled Google’s way, there’s one that especially alarms users: the company can track the location of all Android — and to some extent, Apple — phones. Past experience suggests that Google indeed does this — not only using this data to display ads, but also storing it in Location History and even providing it to law enforcement agencies. Now Google promises to only store Location History on the device. Should we believe it?

What’s wrong with Location History?

Location History lets you easily view the places a user visited and when they did so. You can use it for all kinds of things: remembering the name of that beach or restaurant you went to while on vacation two years ago, finding the address of a place your better half often goes to after work, getting new bar suggestions based on the ones you’ve been to, locating the florist that delivered the surprise bouquet for a party, and many more. The different ways this feature both benefits and harms Google account holders are commonly reported. Little wonder then that many — even those with a clean consciences — often want to turn it off completely.

Regrettably, Google has often been caught abusing its Location History setting. Even if explicitly disabled, Location History was still collected under “Web & App Activity”. This led to a series of lawsuits, which Google lost. In 2023, the company was ordered to pay $93 million under one suit, and a year earlier $392 million under another. These fines were but a pinprick to a corporation with hundreds of billions of dollars in revenue, but at least the court had Google revise its location tracking practices.

The combined legal and public pressure apparently led to the company announcing at the end of 2023 a drastic change: now, according to Google, Location History will be collected and stored on users’ devices only. But does that make the feature any more secure?

How does Location History (supposedly) work in 2024?

First of all, check that the feature has been updated on your device. As is wont with Google, updates for the billions of Android devices roll out in waves, and to relatively recent OS versions only. So, unless you see an alert that looks like the one below, it’s likely your device hasn’t received the update, and enabling Location History will save the data on Google’s servers.

If your Location History is now stored locally, however, Google Maps will offer options for centralized management of your “places”. By selecting a point on the map, such as a coffee shop, and opening its description, you’ll see all the times you visited the place in the past, all searches for the place on the map, and other things like that. One tap on the location card can delete all of your activity associated with the place.

Google says it will store the history for each place for three months by default and then delete it. To change this setting or disable history, simply tap the blue dot on the map that shows your current location and turn off Location History in the window that pops up.

An obvious downside to offline Location History is that it won’t be accessible to the user on their other devices. As a workaround, Google suggests storing an encrypted backup on its servers.

Keep in mind that what we’re discussing here is the new implementation of Location History as described by Google. Detailed analysis of how this new pattern actually works may reveal pitfalls and caveats that no one except Google’s developers knows about at this point.

What threats does this update eliminate?

Although the new storage method improves the privacy of location data, it can’t be considered a one-size-fits-all solution to all existing issues. So how does it affect various hypothetical threat scenarios?

Tracking you to customize ads. This is unlikely to be affected in any way: Google can continue to collect data on places you visit in an anonymized, generalized form. You’ll keep seeing ads linked to your current or past locations unless you disable either that or all targeted ads entirely. Remember that Google isn’t the only one out there tracking your location. Other apps and services have been found guilty of abusing this data as well; here are a few examples: one, two, and three.
Evil hackers and cyberspies. These malicious groups typically use commercial spyware (stalkerware) or malicious implants, so the changes to Google’s Location History will hardly affect them.
Jealous partner or prying relative. It’ll be harder to use a computer on which you’re signed in to your Google account to track your location. Someone could still quietly snoop on your phone while it’s unlocked, as well as secretly install commercial spyware such as stalkerware, which we mentioned above. Therefore, it’s general steps to protect smartphones from mobile spyware, not the updates to Google Maps, that are crucial to addressing this.
Law enforcement. This isn’t likely to change much, as, in addition to asking Google, the police can request your location data from the mobile carrier or deduce it from surveillance camera footage, which is both easier and faster.

So, the update doesn’t help user privacy all that much, does it? We’re afraid not.

How do I effectively protect my location data?

You’re limited to fairly drastic options these days if you want to prevent location tracking. We list these here in ascending order of extremity.

Use comprehensive security on all your devices, including phones and tablets. This will reduce the likelihood of being exposed to malware, including stalkerware.
Disable Google Location History and Web & App Activity, avoid giving location permissions to any apps except navigation apps, turn off personalized ads, and use a DNS service that filters ads.
Turn off all geo-tracking features (GPS, Google location services, and others) on your smartphone.
When on an especially important trip, activate flight mode for an hour or two, or just turn off your smartphone.
Ditch smartphones in favor of the most basic dumbphones.
Ultimately, stop carrying around any kind of phone at all.
Live 100% off-grid; e.g., in a cave.

Kaspersky official blog – ​Read More