Unique Tracking Identifiers
I’ve previously written about Whisper and how this technique, combined with multiple GPS data points, can easily identify who you are and where you live, even if the GPS queries are fuzzed. With Google as a parent company, not only is your location information particularly identifying, but cross-referenced with Google data and their massive analytics, could easily determine a complete profile about you including your web search history (interests, fetishes, etc). Even if you don’t have a Google account, any Google searches you’ve done through local IP addresses or applications that track your geolocation can easily be used to link your Waze data to your search history, to your social networking profiles, to virtually any other intelligence Google or its subsidiaries are collecting about you. Simply by using Waze just once, you’ve potentially granted Google license to identify you by GPS or geolocation, and associate an entire web search history with your identity, to de-anonymize you to Google.
What Else is Collected
Other data that Waze grants themselves the right to collect on you includes:
Your home, work, and favorite destinations (as you assign within the application).
All of your chat messages with other Waze users
All queries you make to Waze
All of your calendar information
All of the phone numbers stored on your device’s phone book; in other words, selling out all of your friends to Google.
Your own phone number
Any personally identifiable information you add in your profile (such as your name, gender, photos). Some fields are specifically made mandatory in order to use Waze.
Information from your other social network accounts (explained later). Really?
Information from all mobile devices you’ve ever linked to your account
Meta-data about you: how long you use Waze, information about your device, web pages that you visit within Waze, everything that you read in Waze, advertisements that you view or click on, your communications with other users and third parties, your IP address and domain, and the geolocation of the device you log in from.
Any personal information that comes out of emails you use to contact them; for example, if you sign your emails with a signature line containing your phone number and place of business, Waze gets to use that information.
Uses of Your Personal Information
While you’d expect Waze to use this information to provide you with a number of services, this is only one of several uses that Waze has given themselves permission to do with your data. Aside from a single line item to provide you services, they also reserve the right to use your personal data for a number of self-serving purposes.
The most notable misuse of your data is the right for Waze to provide your GPS data to providers, partners, third parties, and others. Not only is this likely Google, but could also mean pretty much anybody else they want to share your GPS data with.
Other interesting rights that Waze claims on using your data are:
To use how you’ve chosen to drive home and to your office locations to provide better routes (potentially for others) to your home and office.
To spam you with marketing and advertising materials when using Waze; specifically location-specific advertisements using your GPS history.
To email you marketing and advertising materials
To conduct surveys and questionnaires (possibly for others, using your data)
To contact you whenever Waze deems it necessary. How? Will they show up for dinner?
Law Enforcement and Legal Use
Stop thinking about Google in terms of advertising for a minute, and think about them in terms of an intelligence company with possible defense contracts. Google has three active CAGE codes with the government on file, which are searchable via public records. CAGE codes are used to assign and track military, government, and agency contracts at a federal level (I know because I had to get one just over a year ago to assist with a military case). Of course, Google would need one of these to sell search appliances and other similar commercial solutions. Three seems a little excessive. In contrast, Twitter doesn’t appear to have any, and social media giant Facebook only has one. Out of Google’s three CAGE codes, one is for a “Google Special Services” department located in the DC area (Reston, VA), the same city the MAE-East exchange is located in.
Typically when we think “law enforcement” or government use, we get the immediate image of a company providing information about a drug deal or a murder and only under a subpoena. It’s easy to answer that with a simple, “well, don’t commit crimes”. Waze, like most companies, assumes the rights to use your data to assist law enforcement. They used interesting wording here though: they don’t appear to require subpoenas or any legal documentation. They simply state that they can share your personal information with law enforcement whenever Waze “has a good faith belief” that legal standards are met. This leaves the door open for virtually any kind of information sharing with law enforcement, either on a case-by-case, or widespread basis, solely on pretty much any legal justification of having good faith. In a world where personal privacy has been all but revoked under the guise of “terrorism”, and where Google’s own executives have taken a “you should have nothing to hide” stance, it’s quite troubling to see a company that will have direct access to your GPS history use such broad terminology.
I am not a lawyer, but I am fairly confident that Waze could legally provide (sell) all of its customers’ GPS data directly to a government feed under the guise of preventing terrorism. Another model that fits here would be blanket requests for data related to others committing crimes. For example, if a crime occurred at a particular location along your route, law enforcement may request the GPS data of anyone who took that particular route on a given day, immediately implicating you as a suspect simply because you used Waze to get where you were going. Of course, if that were also cross referenced with a Google search history, or other analytics, it could be quite useful to law enforcement agencies. Who needs NSA hacking you when you’re giving this kind of information away?
This is made possible as uses for your GPS data extend to “prevent fraud, misappropriation, infringement, identity theft, and other illegal activities.” They used the word prevent there, if you haven’t noticed. In other words, to pass your personal information onto whomever they deem necessary to prevent bad things from happening, or if Waze thinks you’re involved in something suspicious. Again, this supports my claim that Waze could easily be providing your data in broad strokes to government where you’re not implicated in any specific crimes.
If that doesn’t sound crazy enough, Waze goes even a step further and reserves the right to share your GPS data to take action in case of dispute or legal proceedings of any kind between you and Waze, or between you and other users or third parties. In other words, if someone sues you, divorces you, or if you sue any affiliates of Waze, Google, or pretty much anything else that involves legal proceedings, it’s possible that your entire location history could be released upon request. Again, no mention is made of what legal requirements, if any, exist: merely good faith.
Information You (Don’t) Share
Of course, there is some information that users will publicly share. Services like this can be great for alerting other drivers to an accident or some other problem on the road. Waze, however, goes to great lengths to claim ownership of and the right to make public, any information you don’t intentionally share that is attached to any information you do share. They use the example here of reporting an accident. Because you reported the accident, you surrender your rights to keep the entire route that you drove that day private. So every time you report a speed trap, an ambulance, or anything else, you are essentially giving Waze the right to publish the route back to your home, work, or wherever you came from.
This is one of those jaw dropping paragraphs that really doesn’t need much else to say. If you sign into Waze using Facebook, you’re giving Waze permission to use your personal information from that social network to potentially build an even deeper profile about you. Unbelievable.
Waze claims later on that they only collect social network account information that you’ve made publicly available; the problem, of course, is how you define the words collect and public.The word public may mean something very different to Waze’s legal team than it does you. In addition to this, anything that’s ever been public on Facebook (even if it was an accident) could be collected and stored long term by Waze. To further confuse the difference between public and private, Waze adds this:
“Please note that certain information which you have defined as private on your third party social network accounts may become public to other Waze Users through the Services if you have defined such information to be public on the Services.”
As if Facebook’s privacy settings weren’t confusing enough, now Waze is saying that information you mark as private on Facebook can in fact be accessed, and even made public on Waze, unless you also remembered to dig through Waze’s privacy settings to make sure that same information is marked private in your Waze account. With language like that, I don’t expect very much stays private here for the average user.
Further down the agreement, Waze makes heart warning statements again suggesting they care about your privacy:
“Waze will not share your personal information with others, without your consent, except for the following purposes and to the extent necessary in Waze’s good-faith discretion:”
After about a dozen exceptions, you soon come to this paragraph, allowing Waze to basically do what they just said they wouldn’t: share your personal information with pretty much anybody they want:
Deleted, Never Forgotten
Waze has provided a mechanism for registered users to delete their account, however does not appear to provide a means for unregistered users who have been tracked by a unique id. Nevertheless, even deleting your account does not mean your data will actually be forgotten. Waze insists you need to give them time to fully exploit your personal information for all of the uses described in the policy. After that, they still might not delete your data, but only take your name off of it… which is really doing nothing at all, when it comes to GPS intel.
Only Waze Can Spam You
“The Service includes an internal messaging system which provides you the ability to send and receive messages to and from other users, and to receive marketing messages from us. You hereby agree that we may use the internal messaging system for the purpose of informing you regarding products or services, which may interest you and to send to you advertisements and other marketing material. You further consent that Waze may send such information to the e-mail address you have provided. The foregoing consent constitutes consent to transmission of advertisements by Waze, as described, according to any applicable law.
Please note however that other Waze users are not allowed to use your contact details or our internal messaging account for commercial advertising purposes.”
Oh, the irony.
We’re Not Responsible If We’re Hacked
If Waze is hacked and your private information (including your GPS history, your name, and everything else they store on you) is stolen, Waze made sure to let you know that you can’t hold them responsible, even if they prove to be completely negligent. In fact, Waze believes that you shouldn’t reasonably expect that their database will be secure in any way!
“Waze cannot guarantee and you cannot reasonably expect that Waze’s databases will be immune from any wrongdoings, malfunctions, unlawful interceptions or access, or other kinds of abuse and misuse.”
After all, what kind of nerve do you have, insisting that Waze secure their data.