Google is embroiled in an issue that allegedly undermines privacy on its services. The event gained attention after the platform changed the URL domain of the Google Maps and Google Flights applications, as it is known in Brazil.
Learn how the shared permissions process can lead to users being tracked when opening company apps. This happens without their consent.
Permissions granted to more than one application.
After implementing the domain change in November, Google allegedly interfered with user privacy. The tech giant is said to have consolidated permissions that were being sent to other applications on the same domain.
The change meant that telemetry and data permissions were sent directly to the company's URL, rather than split between its platforms. In other words, any permission granted to Google Maps, such as location access, would also be granted to Google Flights, even without Google having access to it.
In this sense, it means that when the permissions pop-up appears on your screen, asking to access the camera, microphone, or location, it only needs to be accepted once within Google's domain; the company wouldn't need to request it again, even for another service.
In other words, with the permissions of the examples above, the search engine would have access to and be able to track the user's location, even without the knowledge or permissions of the other apps involved.
With location permission granted after accessing Google Maps, the browser can access this data at any time due to the implemented domain structure, which allows the user to be tracked as long as they have a Google website open.
A report from a software developer reinforced the importance of the subject.
Garrit Franke, a software developer, published on November 23rd, on his blog, a publication concerning Google's move. After the warning, the privacy risks began to circulate more widely. Portals began to cite it as a source and address the issue in other ways.
In the account, Garrit was in a hurry and wanted to use Google Maps as quickly as possible. He accessed the address maps.google.com and within it allowed the subdomain to use the browser's location services.
When he returned home, he noticed that when he opened maps.google.com, he was being redirected to google.com/maps. Upon proceeding, a phrase caught his attention:
"This implies that the permissions I grant to Google Maps now apply to all Google services hosted on this domain. So far, I've only identified Google Flights making the same switch." The developer suspects they are starting to transfer services to the company's main domain.
Finally, he congratulated her and said, "Now you have permission to track me geographically across all your services."
Brazilian legislation regarding personal data, the General Data Protection Law (LGPDIt stipulates that users need to grant permissions regarding the collection and use of data, something that did not happen at the time the URL was changed.
