When Will added his share house as a pay-to-use toilet on Google Maps, he didn’t expect that it would accidentally reveal how the service could be used to track someone’s movements without their knowledge.
Will, whose last name has been withheld to avoid professional repercussions, has been registering his houses as businesses on Google’s popular map service for years “as a joke”. Anyone can create a “Business Profile” with Google, which uses this crowdsourced information to populate Maps with the details of businesses’ locations, contact details and opening hours.
A few years back, Will added a share house as a McDonald’s restaurant. It didn’t didn’t last long before it was removed by Google, he told Crikey in a phone call this week, but it appeared to fool at least one person. “A car drove past slowly with its driver looking pretty confused,” he said. Another time, he registered a share house as a cafe and was surprised when years later he came across a real estate agent’s listing for another rental that spruiked the place as being “only 400 metres from” the fake cafe.
At this point, these false businesses were a familiar gag among Will’s friends. When he added a Canberra rental as “Big Dumpers” with a fake phone number, his mates flooded it with positive reviews.
“I thought it would be really funny if a stranger came over asking to do a poo,” explained Will. They never did, and about a year ago Will moved out.
Recently, Will had a look to see if Big Dumpers was still marked on Google Maps. It was. He was getting monthly emails about the performance of his business with information on how many people had viewed it or clicked to see its phone number.
But looking at the app’s listing for the “business”, Will spotted something that he didn’t find as funny. Like many other businesses, Google Maps showed a “Popular times” graph depicting how popular the location is using information provided by Google users who’ve agreed to let the app access their geolocation data. 9AM on Thursday was a busy time for Big Dumpers, according to Google Maps, but completely empty later in the day.
What clicked in Will’s mind is that he had inadvertently created a public tracker of when people were in his share house — almost certainly without their knowledge. Will quickly voluntarily “closed” his business on Google but the listing remained up afterwards.
After being informed of the exploit by Crikey, founder of Australian information security company DVULN Jamieson O’Reilly said that his review of Google’s technical material corroborated Will’s understanding of the situation.
“My gut tells me you could list any place as a business then if the residents had opted in to location services you could totally use it to measure someone’s patterns,” he said.
Being able to track people without their consent is a significant privacy and safety issue. Vulnerable groups like domestic and intimate partner abuse victims already have to contend with technology-enabled coercive control through devices like Apple AirTags or access to their digital accounts. This Google Maps misuse potentially allows someone to monitor another person’s whereabouts even without access to their devices and without arousing suspicion.
O’Reilly also raised how criminals have used information gleaned via social media to assist in crimes, like check-in locations or travel plans to know when a house might be empty. He said Google should enhance its verification processes but users also needed to be aware of what information they might be sharing with the world.
“This incident serves as a reminder of the evolving challenges in digital security and the importance of proactive measures in safeguarding user privacy,” he said.
Google has built in some protections for the feature. A help page states that a popular times graph only appears if there is “sufficient visit data” — although it’s unclear how much that is — and notes that the data is anonymised so it doesn’t show who is visiting the location.
When Crikey contacted Google’s Australian press email, a staff member first wasn’t able to even see that Big Dumpers had a popular times graph. After sending through a screenshot showing it, Google removed it from its maps and sent a statement.
“User contributions in Google Maps help people more confidently make decisions about where to go and what to do in a constantly changing world, whether it is updated store hours or newly opened businesses,” they said.
“We continually work to identify and remove content that violates our policies, and encourage people to flag any such content so we can review and take action.”
Crikey is committed to hosting lively discussions. Help us keep the conversation useful, interesting and welcoming. We aim to publish comments quickly in the interest of promoting robust conversation, but we’re a small team and we deploy filters to protect against legal risk. Occasionally your comment may be held up while we review, but we’re working as fast as we can to keep the conversation rolling.
The Crikey comment section is members-only content. Please subscribe to leave a comment.
The Crikey comment section is members-only content. Please login to leave a comment.