Sergey Nivens - Fotolia

Google's 'My Activity' data: Avoiding privacy and compliance risk

Google's Activity Controls create privacy and compliance risks for organizations, as well as a potential gold mine for social engineering hacks. Here's how to avoid those threats.

During an interview with CNBC in 2009, Google's former CEO Eric Schmidt said something that should still make modern business owners pause: "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines -- including Google -- do retain this information for some time and it's important, for example, that we are all subject in the United States to The Patriot Act and it is possible that all that information could be made available to the authorities."

He added, "If I look at enough of your messaging and your location, and use artificial intelligence, we can predict where you are going to go."

Schmidt's comments from almost a decade ago have proved prescient. Google's many products -- including Android, Gmail, Drive, Google Maps, YouTube and Google Search -- can now collect all your business information into one convenient dashboard-style location and the only thing preventing complete access to this data by unauthorized personnel is a single password.

The risks surrounding activity controls

Activity Controls are a family of features in a Google Account that tracks all search and browsing history activities, including searches done in YouTube. It also creates a personal location map of where people go with logged-in devices such as smartphones and tablets. Additionally, anyone using an Android phone has calendars, apps and contacts all stored in a Google Activities Controls dashboard called "My Activity." The My Activity dashboard will also convert and store audio recordings made using the device's microphone if the person was speaking to the digital assistant or was using the audio to text tool for messaging and email.

Many of these features may need to be turned off or disabled as they can pose extreme cybersecurity risks due to the detailed information they reveal.

Organizations should carefully consider the privacy and compliance risks that these Google Activity Control features create and employ strict cybersecurity compliance guidelines addressing these features that come as default settings as part of its initial operating standard. Many of these features may need to be turned off or disabled as they can pose extreme cybersecurity risks due to the detailed information they reveal, particularly from social engineering hackers.

The My Activity page organizes every single piece of data that Google has collected about online actions for the last 10 to 15 years -- including websites accessed, images downloaded, every search term typed into the Google Search box and places visited.

Privacy and compliance laws in the United States primarily target healthcare and financial institutions. In the past, entities such as marketers have been able to rely on attorneys to provide privacy disclosures to get around regulatory concerns. There may be some potential privacy and compliance regulations that target these types of features that are organized into an "Activity" dashboard like Google is doing. These potential compliance rules would certainly need to address flaws in this service; for example, once a person has signed into his Gmail account on someone else's device, any of his searches will also be saved to the second person's My Activity dashboard.

Avoid regulatory and privacy risk

There are some specific adjustments that organizations can make to avoid privacy and compliance risks in relation to using these Google features.

First, the Device Information setting needs to be turned off, as it stores private and often sensitive information about contacts and all the information put into the calendar including schedules and appointments -- creating a potential gold mine for social engineering hackers.

Also turn off the Voice & Audio Activity setting, as it records voice and audio. This should be shut off permanently due to the nature of voice and audio and its relationship to privacy risk. It would be advisable to keep checking this feature, as Google might automatically turn the feature back on the next time there is a Google update. Even if this feature is turned off, Google notes that even though voice inputs will no longer be saved to the individual's Google account, they still may be saved to Google using anonymous identifiers.

Location History settings should also be turned off, as it can be useful information for phishing attack schemes by hackers employing social engineering strategies. Geolocation can reveal intimate details about employees' visits to clinics, psychiatrists, potential employers and even expose employees to risk of physical harm. Some organizations require tracking of its company-owned devices, so it can be left on for this purpose, otherwise it can be considered a breach of privacy.

The data collected by Google Activity Controls could lead to numerous issues. If employees who use these features are not properly informed about the data collected by this service, it is entirely possible that employees could take legal action. Hackers could also potentially exploit employees' privacy by tapping into this data to track their locations, online interactions and search history. This could lead to a massive security breach within companies that would also target employees' information.

Along with the initial information describing what data Google Activity Controls collects, employees and users should be made aware of how Google's policies change when features are updated. The risks of Google Activity Controls should be presented in written form to employees, and an opt-out option should be made available in employee contracts. If this is done properly, companies protect themselves from legal action as well as protect their employees' privacy rights.

Dig Deeper on Compliance

Enterprise Desktop
Cloud Computing