In this edition of AdGuard’s digest: Apple unveils new privacy and security features, a popular fitness app poses privacy risks, US intelligence comes clean about how exactly they spy on Americans, Google’s AI-powered chatbot Bard is not welcome in the EU, and the European Commission threatens to chop up Google’s ad tech business.

Popular running app can lead strangers to your home, study claims

A study has found publicly accessible data from Strava, a popular fitness tracking app, can be used to reveal home addresses of people who use its heatmap feature. The GPS-enabled feature aggregates users’ activity to show the most popular routes and trails, and is turned on by default.

Researchers from North Carolina State University Raleigh extracted a month’s worth of data about user routes from Strava to determine their endpoints, which often correspond to users’ homes. Then they compared heatmap images with images from a free map of the world, to pinpoint the exact locations of the houses.

Finally, they used Strava’s search feature to match the locations with users who listed a certain area as their home area. They were able to correctly identify 37.5% of the home addresses for the users they tested. This is not a very high percentage, and the chances of being ‘discovered’ are low if you live in a highly populated area or do not share much personal information on your Strava account. You can also set your account to private or opt out of the heatmap feature altogether.

This is not the first time Strava’s heatmap feature has raised privacy concerns. In 2018, it was reported that the feature helped to reveal locations of secret US military sites, as soldiers used the app to track their workouts. The new study reiterates the need for people to be aware of the potential risks of sharing their location (or other personal information) with apps, and to use available privacy settings if an app doesn’t enforce maximum privacy by default.

Bard gets red light in the EU: Google’s AI chatbot hits a privacy roadblock

Google’s AI-powered chatbot, Bard, may be available in 180 countries and territories across the globe. But none of them are in the EU. And it looks like EU residents will have to wait some more, after the Irish privacy watchdog put a brake on the planned launch of Bard in the EU this week, Politico reported.

The Irish Data Protection Commission objected to the launch, saying that Google had failed to provide enough details as to how Europeans’ rights to privacy would be protected when they use Bard. It’s unclear what exactly regulators want from Google, but it may be similar to what OpenAI had to do to ChatGPT, which is accessible in Europe without a VPN. Under regulatory pressure, OpenAI gave users the option to ask to delete their personal data and any references to them from the AI-generated output, and opt out of having their data used to train the AI.

Google may have to jump through hoops to get its chatbot approved in the EU, and the challenges it faces highlight the privacy problem that is common for generative AI —the lack of control that users have over how their personal data is handled. The EU regulators are setting an example of how to address this issue, which has already resulted in more privacy controls for users in OpenAI’s chatbot. Unfortunately, the rest of the world does not seem to be taking many cues, but we wish it would.

Open secret: US government admits buying Americans’ personal data

A newly declassified report has confirmed what many already knew or at least suspected: the US government buys sensitive private data on Americans, such as location data, from data brokers, sidestepping the laws that require it to get a warrant.

The report was published by the Office of the Director of National Intelligence and is dated January 2022, which suggests the practice is ongoing. The report admits that although the data for sale is supposed to be “anonymized,” it is “often possible” to re-identify individual users by combining it with other sources of data. The data typically comes from smartphones and other internet-connected devices, including cars, the report says. It warns of several privacy risks from this widespread surveillance, such as the possibility of data misuse that can lead to “blackmail, stalking, harassment, and public shaming.” It also notes that the ability to purchase such data from third parties gives more power to the government, that would otherwise never been able to “compel billions of people to carry location tracking devices on their persons at all times” and log all their activities. You can read the full 48-page report here.

The report sheds light on the practice that has been widely reported by the media, but never before acknowledged by the US government. Hopefully, it will spur legislative changes that are long overdue, such as passing a federal privacy law. But it also serves as a good reminder to be careful about which data we share with apps — denying unnecessary permissions, taking advantage of optional privacy settings, as well as using tools that block ads and trackers such as AdGuard can help to limit your digital footprint and minimize privacy risks.

Apple delights users with a slew of new privacy and security features

Apple has unveiled a range of new security and privacy features that will be available in iOS 17 and Mac later this year, and we’re pretty pumped about them.

Safari Private Browser feature is one of many that is getting an upgrade. Apple said that Privacy Browsing will now lock automatically when idle, allowing users to keep their tabs open without worrying about others snooping on their online activity while they’re away from the device. You can unlock it with a fingerprint or a password.

Another feature is the “embedded Photos picker” that encourages users to only share specific photos from their library with apps while keeping the rest hidden. In an effort to fend off trackers, Apple said it would remove those extra letters and numbers that advertisers add to URLs to track users across the web, making link sharing in Messages and Mail more private. In addition to that, Apple also introduced new and upgraded old safety features designed to protect both adults and children from unwanted content, such as nude images or videos. For more information on Apple’s privacy and security tools, see their post.

Apple’s new features are a welcome addition to the company’s existing suite of privacy and security tools. It’s great to see Cupertino investing in the privacy and security of its users — putting its money where its mouth is, so to speak — and we hope it continues to do so.

EU Commision wants to take an ax to Google’s adtech empire

Google’s advertising empire might have to be broken after all, the European Commission said. On June 14, the European Commission announced it had launched formal antitrust proceedings against Google, to investigate whether it had abused its dominant position on both the ad buying and ad selling market.

Commission’s representative, Margrethe Vestager, said that Google’s influence has been “pervasive” and that so far the regulators see “no alternative” to Google divesting from some of its services to eliminate the conflict of interest. Google’s adtech business has been under the European competition watchdog’s scrutiny since 2021, but it seems the Commission is now sharpening its knives to cut it down to size. Google has naturally disagreed with the EC’s claims and vowed to respond “accordingly.”

The news shows that the European Commission is getting serious about taking Google to task over its massive influence on the online advertising industry. Google’s adtech business is the main source of revenue for the company, accounting for more than 80% of its total income. By controlling both the buy and sell sides of the market, Google has crafted a closed ecosystem that squeezes out competitors. That situation is unhealthy, and it would be more beneficial for the market, advertisers and users if there is more competition. So we hope the EC will complete its investigation in earnest, and if it finds that Google did violate antitrust laws, wouldn’t let it off scot-free.