Waze: Google’s New Spying Tool

In 2013, Google acquired Waze, a tool designed to find you the best route while driving. Upon hearing of the application, I thought I’d check it out. Unfortunately, I didn’t get past the privacy policy, which was updated only six months ago. While Waze’s policy begins with “Waze Mobile Limited respects your privacy”, reading the policy demonstrates that they do no such thing.

Interesting note: Waze will not let you view the privacy policy inside the app until you’ve already agreed to let it track your location.

Unique Tracking Identifiers

The first thing I immediately noticed about Waze is that they function in the same way Whisper does: under the false guise of anonymity. The average user would wrongly assume that by not registering an account, their identity remains unknown. Even if you don’t create an account in Waze, the privacy policy states that their software creates a unique identifier on your device to track you; to my knowledge, this is a violation of Apple’s own App Store guidelines, but it seems that Google (and Whisper) have gotten a free pass on this. From the policy:

“If you choose to use the Services without setting up a username you may do so by skipping the username setup stage of the application installation process. Waze will still link all of your information with your account and a unique identifier generated by Waze in accordance with this Privacy Policy.”

I’ve previously written about Whisper and how this technique, combined with multiple GPS data points, can easily identify who you are and where you live, even if the GPS queries are fuzzed. With Google as a parent company, not only is your location information particularly identifying, but cross-referenced with Google data and their massive analytics, could easily determine a complete profile about you including your web search history (interests, fetishes, etc). Even if you don’t have a Google account, any Google searches you’ve done through local IP addresses or applications that track your geolocation can easily be used to link your Waze data to your search history, to your social networking profiles, to virtually any other intelligence Google or its subsidiaries are collecting about you. Simply by using Waze just once, you’ve potentially granted Google license to identify you by GPS or geolocation, and associate an entire web search history with your identity, to de-anonymize you to Google.

Of course, Waze doesn’t come out and admit this; if you read their privacy policy, however, you see that they’ve granted themselves a number of interesting (some nonconventional) rights to your data that make this possible. Perhaps this is why company may have been worth over a billion dollars to Google.

What Else is Collected

Other data that Waze grants themselves the right to collect on you includes:

• Your GPS location and driving routes. Of course, some of this is needed to deliver the services described, however it does not need to be stored indefinitely. Waze’s privacy policy states that this information will be used to “create a detailed location history of all the journeys you have made”. The question, of course, is “for whom, exactly?”.
• Your home, work, and favorite destinations (as you assign within the application).
• All of your chat messages with other Waze users
• All queries you make to Waze
• All of your calendar information
• All of the phone numbers stored on your device’s phone book; in other words, selling out all of your friends to Google.
• Your own phone number
• Any personally identifiable information you add in your profile (such as your name, gender, photos). Some fields are specifically made mandatory in order to use Waze.
• Information from your other social network accounts (explained later). Really?
• Information from all mobile devices you’ve ever linked to your account
• Meta-data about you: how long you use Waze, information about your device, web pages that you visit within Waze, everything that you read in Waze, advertisements that you view or click on, your communications with other users and third parties, your IP address and domain, and the geolocation of the device you log in from.
• Any personal information that comes out of emails you use to contact them; for example, if you sign your emails with a signature line containing your phone number and place of business, Waze gets to use that information.

Uses of Your Personal Information

While you’d expect Waze to use this information to provide you with a number of services, this is only one of several uses that Waze has given themselves permission to do with your data. Aside from a single line item to provide you services, they also reserve the right to use your personal data for a number of self-serving purposes.

The most notable misuse of your data is the right for Waze to provide your GPS data to providers, partners, third parties, and others. Not only is this likely Google, but could also mean pretty much anybody else they want to share your GPS data with.

In the same breath, Waze claims that your GPS data is shared in an “aggregated and/or anonymous form”. As you are likely aware, there is no such thing as anonymous GPS data. Even if aggregated with other users, statistical inference (oddly also mentioned in the privacy policy) can easily help to break down aggregated data. As for anonymous? It’s interesting to note here that they used the word “or”; so they claim that they will either aggregate your data, or they’ll anonymize it. In other words, they can share your specific GPS data without your name on it. Does that sound anonymous to you? Even if Waze were to fuzz the accuracy of the GPS data, it’s extremely easy to get an identity on someone when multiple data points are involved (note: their privacy policy makes no such requirement of fuzzing). Once your identity is determined, (which could be very easy), whoever they’re sharing your data with (Google, the government, whomever) now has your entire location history, and probably knows more about you than most spyware could tell.

Other interesting rights that Waze claims on using your data are:

• To use how you’ve chosen to drive home and to your office locations to provide better routes (potentially for others) to your home and office.
• To spam you with marketing and advertising materials when using Waze; specifically location-specific advertisements using your GPS history.
• To email you marketing and advertising materials
• To conduct surveys and questionnaires (possibly for others, using your data)
• To enforce “Terms of Use”. How exactly? This is amazingly broad.
• To contact you whenever Waze deems it necessary. How? Will they show up for dinner?

Law Enforcement and Legal Use

Stop thinking about Google in terms of advertising for a minute, and think about them in terms of an intelligence company with possible defense contracts. Google has three active CAGE codes with the government on file, which are searchable via public records. CAGE codes are used to assign and track military, government, and agency contracts at a federal level (I know because I had to get one just over a year ago to assist with a military case). Of course, Google would need one of these to sell search appliances and other similar commercial solutions. Three seems a little excessive. In contrast, Twitter doesn’t appear to have any, and social media giant Facebook only has one. Out of Google’s three CAGE codes, one is for a “Google Special Services” department located in the DC area (Reston, VA), the same city the MAE-East exchange is located in.

Typically when we think “law enforcement” or government use, we get the immediate image of a company providing information about a drug deal or a murder and only under a subpoena. It’s easy to answer that with a simple, “well, don’t commit crimes”. Waze, like most companies, assumes the rights to use your data to assist law enforcement. They used interesting wording here though: they don’t appear to require subpoenas or any legal documentation. They simply state that they can share your personal information with law enforcement whenever Waze “has a good faith belief” that legal standards are met. This leaves the door open for virtually any kind of information sharing with law enforcement, either on a case-by-case, or widespread basis, solely on pretty much any legal justification of having good faith. In a world where personal privacy has been all but revoked under the guise of “terrorism”, and where Google’s own executives have taken a “you should have nothing to hide” stance, it’s quite troubling to see a company that will have direct access to your GPS history use such broad terminology.

I am not a lawyer, but I am fairly confident that Waze could legally provide (sell) all of its customers’ GPS data directly to a government feed under the guise of preventing terrorism. Another model that fits here would be blanket requests for data related to others committing crimes. For example, if a crime occurred at a particular location along your route, law enforcement may request the GPS data of anyone who took that particular route on a given day, immediately implicating you as a suspect simply because you used Waze to get where you were going. Of course, if that were also cross referenced with a Google search history, or other analytics, it could be quite useful to law enforcement agencies. Who needs NSA hacking you when you’re giving this kind of information away?

This is made possible as uses for your GPS data extend to “prevent fraud, misappropriation, infringement, identity theft, and other illegal activities.” They used the word prevent there, if you haven’t noticed. In other words, to pass your personal information onto whomever they deem necessary to prevent bad things from happening, or if Waze thinks you’re involved in something suspicious. Again, this supports my claim that Waze could easily be providing your data in broad strokes to government where you’re not implicated in any specific crimes.

Legal process doesn’t appear to actually matter to Waze, in fact. Later on in their privacy policy, they state that they can share your information “If Waze is required, or reasonably believes that it is required by law to share or disclose your information.” So Waze doesn’t even have to consult their legal team, require a subpoena, or verify any requests for information. As long as someone at Waze reasonably believes that they’re legally required to turn over information, they can do it without any legal process whatsoever.

If that doesn’t sound crazy enough, Waze goes even a step further and reserves the right to share your GPS data to take action in case of dispute or legal proceedings of any kind between you and Waze, or between you and other users or third parties. In other words, if someone sues you, divorces you, or if you sue any affiliates of Waze, Google, or pretty much anything else that involves legal proceedings, it’s possible that your entire location history could be released upon request. Again, no mention is made of what legal requirements, if any, exist: merely good faith.

Information You (Don’t) Share

Of course, there is some information that users will publicly share. Services like this can be great for alerting other drivers to an accident or some other problem on the road. Waze, however, goes to great lengths to claim ownership of and the right to make public, any information you don’t intentionally share that is attached to any information you do share. They use the example here of reporting an accident. Because you reported the accident, you surrender your rights to keep the entire route that you drove that day private. So every time you report a speed trap, an ambulance, or anything else, you are essentially giving Waze the right to publish the route back to your home, work, or wherever you came from.

Social Networks

“By setting your Account to integrate with social networks including by signing onto Waze by using your social network account (such as your Facebook  account), you agree to share information (including personal information) between Waze and such social networks, for the purposes provided under this Privacy Policy.”

This is one of those jaw dropping paragraphs that really doesn’t need much else to say. If you sign into Waze using Facebook, you’re giving Waze permission to use your personal information from that social network to potentially build an even deeper profile about you. Unbelievable.

Waze claims later on that they only collect social network account information that you’ve made publicly available; the problem, of course, is how you define the words collect and public. The word public may mean something very different to Waze’s legal team than it does you. In addition to this, anything that’s ever been public on Facebook (even if it was an accident) could be collected and stored long term by Waze. To further confuse the difference between public and private, Waze adds this:

“Please note that certain information which you have defined as private on your third party social network accounts may become public to other Waze Users through the Services if you have defined such information to be public on the Services.”

As if Facebook’s privacy settings weren’t confusing enough, now Waze is saying that information you mark as private on Facebook can in fact be accessed, and even made public on Waze, unless you also remembered to dig through Waze’s privacy settings to make sure that same information is marked private in your Waze account. With language like that, I don’t expect very much stays private here for the average user.

The Hypocrisy

Further down the agreement, Waze makes heart warning statements again suggesting they care about your privacy:

“Waze will not share your personal information with others, without your consent, except for the following purposes and to the extent necessary in Waze’s good-faith discretion:”

After about a dozen exceptions, you soon come to this paragraph, allowing Waze to basically do what they just said they wouldn’t: share your personal information with pretty much anybody they want:

“Waze may also share personal information with companies or organizations connected or affiliated with Waze, such as subsidiaries, sister-companies and parent companies. Personal information may also be shared with Waze’s other partners and service providers, with the express provision that their use of such information must comply with this Privacy Policy.”

Deleted, Never Forgotten

Waze has provided a mechanism for registered users to delete their account, however does not appear to provide a means for unregistered users who have been tracked by a unique id. Nevertheless, even deleting your account does not mean your data will actually be forgotten. Waze insists you need to give them time to fully exploit your personal information for all of the uses described in the policy. After that, they still might not delete your data, but only take your name off of it… which is really doing nothing at all, when it comes to GPS intel.

“This information is held by Waze associated with your Account and username/ unique identifier for such limited period of time as is necessary in order for Waze to be able to use the information for the purposes described in this Privacy Policy. At the end of this period of time, Waze will then anonymize or delete your location and route information.”

Only Waze Can Spam You

“The Service includes an internal messaging system which provides you the ability to send and receive messages to and from other users, and to receive marketing messages from us.  You hereby agree that we may use the internal messaging system for the purpose of informing you regarding products or services, which may interest you and to send to you advertisements and other marketing material.  You further consent that Waze may send such information to the e-mail address you have provided. The foregoing consent constitutes consent to transmission of advertisements by Waze, as described, according to any applicable law.

Please note however that other Waze users are not allowed to use your contact details or our internal messaging account for commercial advertising purposes.”

Oh, the irony.

We’re Not Responsible If We’re Hacked

If Waze is hacked and your private information (including your GPS history, your name, and everything else they store on you) is stolen, Waze made sure to let you know that you can’t hold them responsible, even if they prove to be completely negligent. In fact, Waze believes that you shouldn’t reasonably expect that their database will be secure in any way!

“Waze cannot guarantee and you cannot reasonably expect that Waze’s  databases will be immune from any wrongdoings, malfunctions, unlawful interceptions or access, or other kinds of abuse and misuse.”

After all, what kind of nerve do you have, insisting that Waze secure their data.

Conclusion

This is just too messy for me. Waze’s privacy policy guarantees anything but privacy. It’s a misnomer to call it a privacy policy, when in fact, it’s a very lengthy document granting the company (and Google) the rights to claim ownership of, and potentially abuse, your personal data. There are virtually no consumer rights stated in this privacy policy whatsoever, in fact. The entire policy only benefits Waze legally, financially, and in virtually every other way.

GPS data is highly sensitive, and should be treated with respect. It’s downright scary the kinds of rights Waze has claimed over your private location information. The average user probably thinks they’re simply using a service to help them get to work. What could actually be going on in the background is terrifying, and unless you’ve taken the time to read the privacy policy, you’d be none the wiser.

Their original privacy policy was much simpler, and less Google-esque by far. As the company got much closer to an acquisition, you’ll notice much of their verbiage evolved from around 2012, with major changes in 2013.