Google

Manipulating Systems Using Remote Lasers

Many systems are vulnerable:

Researchers at the time said that they were able to launch inaudible commands by shining lasers — from as far as 360 feet — at the microphones on various popular voice assistants, including Amazon Alexa, Apple Siri, Facebook Portal, and Google Assistant.

[…]

They broadened their research to show how light can be used to manipulate a wider range of digital assistants — including Amazon Echo 3 — but also sensing systems found in medical devices, autonomous vehicles, industrial systems and even space systems.

The researchers also delved into how the ecosystem of devices connected to voice-activated assistants — such as smart-locks, home switches and even cars — also fail under common security vulnerabilities that can make these attacks even more dangerous. The paper shows how using a digital assistant as the gateway can allow attackers to take control of other devices in the home: Once an attacker takes control of a digital assistant, he or she can have the run of any device connected to it that also responds to voice commands. Indeed, these attacks can get even more interesting if these devices are connected to other aspects of the smart home, such as smart door locks, garage doors, computers and even people’s cars, they said.

Another article. The researchers will present their findings at Black Hat Europe — which, of course, will be happening virtually — on December 10.

Google Responds to Warrants for “About” Searches

One of the things we learned from the Snowden documents is that the NSA conducts “about” searches. That is, searches based on activities and not identifiers. A normal search would be on a name, or IP address, or phone number. An about search would something like “show me anyone that has used this particular name in a communications,” or “show me anyone who was at this particular location within this time frame.” These searches are legal when conducted for the purpose of foreign surveillance, but the worry about using them domestically is that they are unconstitutionally broad. After all, the only way to know who said a particular name is to know what everyone said, and the only way to know who was at a particular location is to know where everyone was. The very nature of these searches requires mass surveillance.

The FBI does not conduct mass surveillance. But many US corporations do, as a normal part of their business model. And the FBI uses that surveillance infrastructure to conduct its own about searches. Here’s an arson case where the FBI asked Google who searched for a particular street address:

Homeland Security special agent Sylvette Reynoso testified that her team began by asking Google to produce a list of public IP addresses used to google the home of the victim in the run-up to the arson. The Chocolate Factory [Google] complied with the warrant, and gave the investigators the list. As Reynoso put it:

On June 15, 2020, the Honorable Ramon E. Reyes, Jr., United States Magistrate Judge for the Eastern District of New York, authorized a search warrant to Google for users who had searched the address of the Residence close in time to the arson.

The records indicated two IPv6 addresses had been used to search for the address three times: one the day before the SUV was set on fire, and the other two about an hour before the attack. The IPv6 addresses were traced to Verizon Wireless, which told the investigators that the addresses were in use by an account belonging to Williams.

Google’s response is that this is rare:

While word of these sort of requests for the identities of people making specific searches will raise the eyebrows of privacy-conscious users, Google told The Register the warrants are a very rare occurrence, and its team fights overly broad or vague requests.

“We vigorously protect the privacy of our users while supporting the important work of law enforcement,” Google’s director of law enforcement and information security Richard Salgado told us. “We require a warrant and push to narrow the scope of these particular demands when overly broad, including by objecting in court when appropriate.

“These data demands represent less than one per cent of total warrants and a small fraction of the overall legal demands for user data that we currently receive.”

Here’s another example of what seems to be about data leading to a false arrest.

According to the lawsuit, police investigating the murder knew months before they arrested Molina that the location data obtained from Google often showed him in two places at once, and that he was not the only person who drove the Honda registered under his name.

Avondale police knew almost two months before they arrested Molina that another man ­ his stepfather ­ sometimes drove Molina’s white Honda. On October 25, 2018, police obtained records showing that Molina’s Honda had been impounded earlier that year after Molina’s stepfather was caught driving the car without a license.

Data obtained by Avondale police from Google did show that a device logged into Molina’s Google account was in the area at the time of Knight’s murder. Yet on a different date, the location data from Google also showed that Molina was at a retirement community in Scottsdale (where his mother worked) while debit card records showed that Molina had made a purchase at a Walmart across town at the exact same time.

Molina’s attorneys argue that this and other instances like it should have made it clear to Avondale police that Google’s account-location data is not always reliable in determining the actual location of a person.

“About” searches might be rare, but that doesn’t make them a good idea. We have knowingly and willingly built the architecture of a police state, just so companies can show us ads. (And it is increasingly apparent that the advertising-supported Internet is heading for a crash.)

Chinese-made drone app in Google Play spooks security researchers

A DJI Phantom 4 quadcopter drone.

Enlarge / A DJI Phantom 4 quadcopter drone.

The Android version of DJI Go 4—an app that lets users control drones—has until recently been covertly collecting sensitive user data and can download and execute code of the developers’ choice, researchers said in two reports that question the security and trustworthiness of a program with more than 1 million Google Play downloads.

The app is used to control and collect near real-time video and flight data from drones made by China-based DJI, the world’s biggest maker of commercial drones. The Play Store shows that it has more than 1 million downloads, but because of the way Google discloses numbers, the true number could be as high as 5 million. The app has a rating of three-and-a-half stars out of a possible total of five from more than 52,000 users.

Wide array of sensitive user data

Two weeks ago, security firm Synactive reverse-engineered the app. On Thursday, fellow security firm Grimm published the results of its own independent analysis. At a minimum, both found that the app skirted Google terms and that, until recently, the app covertly collected a wide array of sensitive user data and sent it to servers located in mainland China. A worst-case scenario is that developers are abusing hard-to-identify features to spy on users.

According to the reports, the suspicious behaviors include:

  • The ability to download and install any application of the developers’ choice through either a self-update feature or a dedicated installer in a software development kit provided by China-based social media platform Weibo. Both features could download code outside of Play, in violation of Google’s terms.
  • A recently removed component that collected a wealth of phone data including IMEI, IMSI, carrier name, SIM serial Number, SD card information, OS language, kernel version, screen size and brightness, wireless network name, address and MAC, and Bluetooth addresses. These details and more were sent to MobTech, maker of a software developer kit used until the most recent release of the app.
  • Automatic restarts whenever a user swiped the app to close it. The restarts cause the app to run in the background and continue to make network requests.
  • Advanced obfuscation techniques that make third-party analysis of the app time-consuming.

This month’s reports come three years after the US Army banned the use of DJI drones for reasons that remain classified. In January, the Interior Department grounded drones from DJI and other Chinese manufacturers out of concerns data could be sent back to the mainland.

DJI officials said the researchers found “hypothetical vulnerabilities” and that neither report provided any evidence that they were ever exploited.

“The app update function described in these reports serves the very important safety goal of mitigating the use of hacked apps that seek to override our geofencing or altitude limitation features,” they wrote in a statement. Geofencing is a virtual barrier that the Federal Aviation Administration or other authorities bar drones from crossing. Drones use GPS, Bluetooth, and other technologies to enforce the restrictions.

A Google spokesman said the company is looking into the reports. The researchers said the iOS version of the app contained no obfuscation or update mechanisms.

Obfuscated, acquisitive, and always on

In several respects, the researchers said, DJI Go 4 for Android mimicked the behavior of botnets and malware. Both the self-update and auto-install components, for instance, call a developer-designated server and await commands to download and install code or apps. The obfuscation techniques closely resembled those used by malware to prevent researchers from discovering its true purpose. Other similarities were an always-on status and the collection of sensitive data that wasn’t relevant or necessary for the stated purpose of flying drones.

Making the behavior more concerning is the breadth of permissions required to use the app, which include access to contacts, microphone, camera, location, storage, and the ability to change network connectivity. Such sprawling permissions meant that the servers of DJI or Weibo, both located in a country known for its government-sponsored espionage hacking, had almost full control over users’ devices, the researchers said.

Both research teams said they saw no evidence the app installer was ever actually used, but they did see the automatic update mechanism trigger and download a new version from the DJI server and install it. The download URLs for both features are dynamically generated, meaning they are provided by a remote server and can be changed at any time.

The researchers from both firms conducted experiments that showed how both mechanisms could be used to install arbitrary apps. While the programs were delivered automatically, the researchers still had to click their approval before the programs could be installed.

Both research reports stopped short of saying the app actually targeted individuals, and both noted that the collection of IMSIs and other data had ended with the release of current version 4.3.36. The teams, however, didn’t rule out the possibility of nefarious uses. Grimm researchers wrote:

In the best case scenario, these features are only used to install legitimate versions of applications that may be of interest to the user, such as suggesting additional DJI or Weibo applications. In this case, the much more common technique is to display the additional application in the Google Play Store app by linking to it from within your application. Then, if the user chooses to, they can install the application directly from the Google Play Store. Similarly, the self-updating components may only be used to provide users with the most up-to-date version of the application. However, this can be more easily accomplished through the Google Play Store.

In the worst case, these features can be used to target specific users with malicious updates or applications that could be used to exploit the user’s phone. Given the amount of user’s information retrieved from their device, DJI or Weibo would easily be able to identify specific targets of interest. The next step in exploiting these targets would be to suggest a new application (via the Weibo SDK) or update the DJI application with a customized version built specifically to exploit their device. Once their device has been exploited, it could be used to gather additional information from the phone, track the user via the phone’s various sensors, or be used as a springboard to attack other devices on the phone’s WiFi network. This targeting system would allow an attacker to be much stealthier with their exploitation, rather than much noisier techniques, such as exploiting all devices visiting a website.

DJI responds

DJI officials have published an exhaustive and vigorous response that said that all the features and components detailed in the reports either served legitimate purposes or were unilaterally removed and weren’t used maliciously.

“We design our systems so DJI customers have full control over how or whether to share their photos, videos and flight logs, and we support the creation of industry standards for drone data security that will provide protection and confidence for all drone users,” the statement said. It provided the following point-by-point discussion:

  • When our systems detect that a DJI app is not the official version – for example, if it has been modified to remove critical flight safety features like geofencing or altitude restrictions – we notify the user and require them to download the most recent official version of the app from our website. In future versions, users will also be able to download the official version from Google Play if it is available in their country. If users do not consent to doing so, their unauthorized (hacked) version of the app will be disabled for safety reasons.
  • Unauthorized modifications to DJI control apps have raised concerns in the past, and this technique is designed to help ensure that our comprehensive airspace safety measures are applied consistently.
  • Because our recreational customers often want to share their photos and videos with friends and family on social media, DJI integrates our consumer apps with the leading social media sites via their native SDKs. We must direct questions about the security of these SDKs to their respective social media services. However, please note that the SDK is only used when our users proactively turn it on.
  • DJI GO 4 is not able to restart itself without input from the user, and we are investigating why these researchers claim it did so. We have not been able to replicate this behavior in our tests so far.
  • The hypothetical vulnerabilities outlined in these reports are best characterized as potential bugs, which we have proactively tried to identify through our Bug Bounty Program, where security researchers responsibly disclose security issues they discover in exchange for payments of up to $30,000. Since all DJI flight control apps are designed to work in any country, we have been able to improve our software thanks to contributions from researchers all over the world, as seen on this list.
  • The MobTech and Bugly components identified in these reports were previously removed from DJI flight control apps after earlier researchers identified potential security flaws in them. Again, there is no evidence they were ever exploited, and they were not used in DJI’s flight control systems for government and professional customers.
  • The DJI GO4 app is primarily used to control our recreational drone products. DJI’s drone products designed for government agencies do not transmit data to DJI and are compatible only with a non-commercially available version of the DJI Pilot app. The software for these drones is only updated via an offline process, meaning this report is irrelevant to drones intended for sensitive government use. A recent security report from Booz Allen Hamilton audited these systems and found no evidence that the data or information collected by these drones is being transmitted to DJI, China, or any other unexpected party.
  • This is only the latest independent validation of the security of DJI products following reviews by the U.S. National Oceanic and Atmospheric Administration, U.S. cybersecurity firm Kivu Consulting, the U.S. Department of Interior and the U.S. Department of Homeland Security.
  • DJI has long called for the creation of industry standards for drone data security, a process which we hope will continue to provide appropriate protections for drone users with security concerns. If this type of feature, intended to assure safety, is a concern, it should be addressed in objective standards that can be specified by customers. DJI is committed to protecting drone user data, which is why we design our systems so drone users have control of whether they share any data with us. We also are committed to safety, trying to contribute technology solutions to keep the airspace safe.

Don’t forget the Android app mess

The research and DJI’s response underscore the disarray of Google’s current app procurement system. Ineffective vetting, the lack of permission granularity in older versions of Android, and the openness of the operating system make it easy to publish malicious apps in the Play Store. Those same things also make it easy to mistake legitimate functions for malicious ones.

People who have DJI Go 4 for Android installed may want to remove it at least until Google announces the results of its investigation (the reported automatic restart behavior means it’s not sufficient to simply curtail use of the app for the time being). Ultimately, users of the app find themselves in a similar position as that of TikTok, which has also aroused suspicions, both because of some behavior considered sketchy by some and because of its ownership by China-based ByteDance.

There’s little doubt that plenty of Android apps with no ties to China commit similar or worse infractions than those attributed to DJI Go 4 and TikTok. People who want to err on the side of security should steer clear of a large majority of them.

Google fixes Android flaws that allow code execution with high system rights

Google fixes Android flaws that allow code execution with high system rights

Google has shipped security patches for dozens of vulnerabilities in its Android mobile operating system, two of which could allow hackers to remotely execute malicious code with extremely high system rights.

In some cases, the malware could run with highly elevated privileges, a possibility that raises the severity of the bugs. That’s because the bugs, located in the Android System component, could enable a specially crafted transmission to execute arbitrary code within the context of a privileged process. In all, Google released patches for at least 34 security flaws, although some of the vulnerabilities were present only in devices available from manufacturer Qualcomm.

Anyone with a mobile device should check to see if fixes are available for their device. Methods differ by device model, but one common method involves either checking the notification screen or clicking Settings > Security > Security update. Unfortunately, patches aren’t available for many devices.

Two vulnerabilities ranked as critical in Google’s June security bulletin are indexed as CVE-2020-0117 and CVE-2020-8597. They’re among four System flaws located in the Android system (the other two are ranked with a severity of high). The critical vulnerabilities reside in Android versions 8 through the most recent release of 11.

“These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files,” an advisory from the Department of Homeland Security-funded Multi-State-Information Sharing and Analysis Center said. “Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Vulnerabilities with a severity rating of high affected the Android media framework, the Android framework, and the Android kernel. Other vulnerabilities were contained in components shipped in devices from Qualcomm. The two Qualcomm-specific critical flaws reside in closed source components. The severity of other Qualcomm flaws were rated as high.

UK Ad Campaign Seeks to Deter Cybercrime

The United Kingdom’s anti-cybercrime agency is running online ads aimed at young people who search the Web for services that enable computer crimes, specifically trojan horse programs and DDoS-for-hire services. The ad campaign follows a similar initiative launched in late 2017 that academics say measurably dampened demand for such services by explaining that their use to harm others is illegal and can land potential customers in jail.

For example, search in Google for the terms “booter” or “stresser” from a U.K. Internet address, and there’s a good chance you’ll see a paid ad show up on the first page of results warning that using such services to attack others online is illegal. The ads are being paid for by the U.K.’s National Crime Agency, which saw success with a related campaign for six months starting in December 2017.

A Google ad campaign paid for by the U.K.’s National Crime Agency.

NCA Senior Manager David Cox said the agency is targeting its ads to U.K. males age 13 to 22 who are searching for booter services or different types of remote access trojans (RATs), as part of an ongoing effort to help steer young men away from cybercrime and toward using their curiosity and skills for good. The ads link to advertorials and to the U.K.’s Cybersecurity Challenge, which tries gamify computer security concepts and highlight potential careers in cybersecurity roles.

“The fact is, those standing in front of a classroom teaching children have less information about cybercrime than those they’re trying to teach,” Cox said, noting that the campaign is designed to support so-called “knock-and-talk” visits, where investigators visit the homes of young people who’ve downloaded malware or purchased DDoS-for-hire services to warn them away from such activity. “This is all about showing people there are other paths they can take.”

While it may seem obvious to the casual reader that deploying some malware-as-a-service or using a booter to knock someone or something offline can land one in legal hot water, the typical profile of those who frequent these services is young, male, impressionable and participating in online communities of like-minded people in which everyone else is already doing it.

In 2017, the NCA published “Pathways into Cyber Crime,” a report that drew upon interviews conducted with a number of young men who were visited by U.K. law enforcement agents in connection with various cybercrime investigations.

Those findings, which the NCA said came about through knock-and-talk interviews with a number of suspected offenders, found that 61 percent of suspects began engaging in criminal hacking before the age of 16, and that the average age of suspects and arrests of those involved in hacking cases was 17 years old.

The majority of those engaged in, or on the periphery of, cyber crime, told the NCA they became involved via an interest in computer gaming.

A large proportion of offenders began to participate in gaming cheat websites and “modding” forums, and later progressed to criminal hacking forums.

The NCA learned the individuals visited had just a handful of primary motivations in mind, including curiosity, overcoming a challenge, or proving oneself to a larger group of peers. According to the report, a typical offender faces a perfect storm of ill-boding circumstances, including a perceived low risk of getting caught, and a perception that their offenses in general amounted to victimless crimes.

“Law enforcement activity does not act as a deterrent, as individuals consider cyber crime to be low risk,” the NCA report found. “Debrief subjects have stated that they did not consider law enforcement until someone they knew or had heard of was arrested. For deterrence to work, there must be a closing of the gap between offender (or potential offender) with law enforcement agencies functioning as a visible presence for these individuals.”

Cox said the NCA will continue to run the ads indefinitely, and that it is seeking funding from outside sources — including major companies in online gaming industry, whose platforms are perhaps the most targeted by DDoS-for-hire services. He called the program a “great success,” noting that in the past 30 days (13 of which the ads weren’t running for funding reasons), the ads generated some 5.32 million impressions, and more than 57,000 clicks.

FLATTENING THE CURVE

Richard Clayton is director of the University of Cambridge Cybercrime Centre, which has been monitoring DDoS attacks for several years using a variety of sensors across the Internet that pretend to be the types of systems which are typically commandeered and abused to help launch such assaults.

Last year, Clayton and fellow Cambridge researchers published a paper showing that law enforcement interventions — including the NCA’s anti-DDoS ad campaign between 2017 and 2018 — demonstrably slowed the growth in demand for DDoS-for-hire services.

“Our data shows that by running that ad campaign, the NCA managed to flatten out demand for booter services over that period,” Clayton said. “In other words, the demand for these services didn’t grow over the period as we would normally see, and we didn’t see more people doing it at the end of the period than at the beginning. When we showed this to the NCA, they were ever so pleased, because that campaign cost them less than ten thousand [pounds sterling] and it stopped this type of cybercrime from growing for six months.”

The Cambridge study found various interventions by law enforcement officials had measurable effects on the demand for and damage caused by booter and stresser services. Source: Booting the Booters, 2019.

Clayton said part of the problem is that many booter/stresser providers claim they’re offering lawful services, and many of their would-be customers are all too eager to believe this is true. Also, the price point is affordable: A typical booter service will allow customers to launch fairly high-powered DDoS attacks for just a few dollars per month.

“There are legitimate companies that provide these types of services in a legal manner, but there are all types of agreements that have to be in place before this can happen,” Clayton said. “And you don’t get that for ten bucks a month.”

DON’T BE EVIL

The NCA’s ad campaign is competing directly with Google ads taken out by many of the same people running these DDoS-for-hire services. It may surprise some readers to learn that cybercrime services often advertise on Google and other search sites much like any legitimate business would — paying for leads that might attract new customers.

Several weeks back, KrebsOnSecurity noticed that searching for “booter” or “stresser” in Google turned up paid ads for booter services prominently on the first page of results. But as I noted in a tweet about the finding, this is hardly a new phenomenon.

A booter ad I reported to Google that the company subsequently took offline.

Cambridge’s Clayton pointed me to a blog post he wrote in 2018 about the prevalence of such ads, which violate Google’s policies on acceptable advertisements via its platform. Google says it doesn’t allow ads for services that “cause damage, harm or injury,” and that they don’t allow adverts for services that “are designed to enable dishonest behavior.”

Clayton said Google eventually took down the offending ads. But as my few seconds of Googling revealed, the company appears to have decided to play wack-a-mole when people complain, instead of expressly prohibiting the placement of (and payment for) ads with these terms.

Google told KrebsOnSecurity that it relies on a combination of technology and people to enforce its policies.

“We have strict ad policies designed to protect users on our platforms,” Google said in a written statement. “We prohibit ads that enable dishonest behavior, including services that look to take advantage of or cause harm to users. When we find an ad that violates our policies we take action. In this case, we quickly removed the ads.”

Google pointed to a recent blog post detailing its enforcement efforts in this regard, which said in 2019 the company took down more than 2.7 billion ads that violated its policies — or more than 10 million ads per day — and that it removed a million advertiser accounts for the same reason.

The ad pictured above ceased to appear shortly after my outreach to them. Unfortunately, an ad for a different booter service (shown below) soon replaced the one they took down.

An ad for a DDoS-for-hire service that appeared shortly after Google took down the ones KrebsOnSecurity reported to them.

Engineer says Google fired her for browser pop-up about worker rights

A 2018 walkout to protest Google's handling of sexual misconduct allegations was an early sign of increasing worker assertiveness at the company.

Enlarge / A 2018 walkout to protest Google’s handling of sexual misconduct allegations was an early sign of increasing worker assertiveness at the company.

Another former employee has accused Google of violating federal labor law by firing her for activities related to labor organizing. In a Tuesday blog post, Kathryn Spiers says Google terminated her after she created a browser tool to notify employees of their organizing rights.

It’s the latest sign of tension between Google and portions of its workforce. Last month, Google fired four workers who were involved in workplace organizing. Google said that the employees had violated company policies by accessing documents without authorization. The workers say that these charges were trumped up to justify purging employees who had been effectively organizing Google’s workforce. The National Labor Relations Board is investigating those firings.

Back in September, Google reached a settlement with the NLRB over earlier alleged violations of federal labor law. Under the settlement, Google was required to post a list of employee rights in its Mountain View headquarters.

Spiers says she worked on a Google security team that was focused on how Google employees used Chrome within the company. Part of her job was to “write browser notifications so that my coworkers can be automatically notified of employee guidelines and company policies while they surf the Web.”

So when Google hired a consulting company known for its anti-union work, Spiers wrote a notification that would appear whenever Google employees visited the firm’s website. The notification stated that “Googlers have the right to participate in protected concerted activities.” That’s a legal term of art for worker organizing efforts. It also included a link to the worker rights notification mandated by the NLRB settlement.

Google responded swiftly and harshly, according to Spiers. She was suspended from her job pending an investigation. Spiers writes that Google officials “dragged me into three separate interrogations with very little warning each time. I was interrogated about separate other organizing activities, and asked (eight times) if I had an intention to disrupt the workplace.” She says she wasn’t allowed to consult with a lawyer.

Two weeks later, on December 13, Spiers was fired. She was told that she had violated Google’s policies but couldn’t get more details about which policies she had violated.

The Communications Workers of America, a union active in the telecommunications industry, has filed an NLRB complaint on Spiers’ behalf. The complaint argues that her firing was an “attempt to quell Spiers and other employees from asserting their right to engage in concerted protected activities.”

Update: Google executive Royal Hansen explained Spiers’ firing in an email Google shared with several media outlets.

“She misused a security and privacy tool to create a pop-up that was neither about security nor privacy,” Hansen wrote. “She did that without authorization from her team or the Security and Privacy Policy Notifier team, and without a business justification. And she used an emergency rapid push to do it.”

Hansen argued that the firing had nothing to do with the content of the message. “The decision would have been the same had the pop-up message been on any other subject,” he argued.

Feds reap data from 1,500 phones in largest reported reverse-location warrant

You're not the only one looking at your phone's location history.

Enlarge / You’re not the only one looking at your phone’s location history.

Federal investigators trying to solve arson cases in Wisconsin have scooped up location history data for about 1,500 phones that happened to be in the area, enhancing concerns about privacy in the mobile Internet era.

Four Milwaukee-area arsons since 2018, as yet unsolved, have resulted in more than $50,000 of property damage as well as the deaths of two dogs, Forbes explains. In an attempt to find the person or persons responsible, officers from the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) obtained search warrants to gather data about all the devices in the area at the time.

The two warrants Forbes obtained together covered about nine hours’ worth of activity within 29,400 square meters—an area a smidge larger than an average Milwaukee city block. Google found records for 1,494 devices matching the ATF’s parameters and sent the data along.

While this is far from the first search to demand a wide swath of data in a given geographic location, Forbes notes, this is the highest number of results such a geofenced search has so far produced. Not only is that a whole lot of potentially unrelated data for investigators to sort through, but it’s also possible that the search will prove entirely fruitless, as whoever committed the crimes may not have a phone, may not have brought it with them, or may have brought it with them in airplane mode or powered off.

The big net

The concept behind such a request is straightforward: you can’t track the phone of a suspect you don’t have, but you can start with the time and place the crimes were committed and look to see who was there. With that information in hand, they can drill down, as Forbes explains:

[T]he police give Google a timeframe and an area on Google Maps within which to find every Google user within. Google then looks through its SensorVault database of user locations, taken from devices running the tech giant’s services like Google Maps or anything that requires the “location history” feature be turned on. The police then look through the list, decide which devices are of interest to the investigation and ask for subscriber information that includes more detailed data such as name, email address, when they signed up to Google services and which ones they used.

While the ability to go through data that way might be handy for law enforcement, some privacy experts are not on board. Such a request “shows the unconstitutional nature of reverse location search warrants because they inherently invade the privacy of numerous people, who everyone agrees are unconnected to the crime being investigated, for the mere possibility that it may help identify a suspect,” Jerome Greco, a public defender in the Digital Forensics Unit of the Legal Aid Society, told Forbes.

Google told Forbes it tries to protect individual users’ privacy when it receives such a request, saying, “We only produce information that identifies specific users when we are legally required to do so.” The company does have a history of trying to push back on overly broad reverse-location requests, Forbes notes. For example, when federal investigators wanted information on devices in a 400-meter radius around a bank robbery earlier this year, the company convinced them to drop that to a 50-meter radius.

Users who disable Google’s location history features should, in theory, not have data in Google’s SensorVault for the company to pass along to investigators. That said, Google is facing multiple lawsuits, including a potential class-action in the US and a suit by consumer protection regulators in Australia, alleging the company misled users and retained location data even if the setting was turned off.

Some Stadia games cost more than their downloadable counterparts

Since back in June, Google has been telling us that the publisher-set prices for games on its Stadia streaming service would be “competitive… to what you would see on other platforms.” While that’s been true of the vast majority of games on the service, fans were surprised to find a Stadia price premium for yesterday’s launch of Darksiders Genesis.

The new action-adventure title is currently on sale for $40 on Stadia, compared to a $30 price on other PC platforms (including Steam, GOG, and the Humble Store). Steam players could get an even better deal with a pre-order price of $25.50 for the game. Console versions, which aren’t due until next February, are currently listed at the higher $40 price point on various digital and retail storefronts.

A spokesperson for THQ told Polygon that “THQ doesn’t comment on their price policy.”

While most titles sell for the same price on Stadia and other platforms, there are a few others that currently see a streaming price premium. Just Dance 2020 goes for $50 on the service, compared to $40 on modern consoles (the Wii version has already been reduced to $30 at many retailers). Grid is currently available for $27 as part of a Steam “supersale,” down from the $60 standard price on Stadia (the “Ultimate Edition” of the game is $5 cheaper on Steam even without discounts). And the Platinum Edition of Farming Simulator 19 sold for $40 on Stadia, compared to a $25 to $35 Steam price, before Google added the game to December’s Stadia Pro freebies (and offered refunds to early purchasers).

But there are deals to be had on Stadia, too. Rise of the Tomb Raider: 20 Year Celebration sells for just $30 on the streaming service compared to $60 currently on Steam. Games like Assassin’s Creed Odyssey, Mortal Kombat 11, and Final Fantasy XV were briefly offered at steep discounts for Stadia Pro subscribers when the service launched (those discounts are inactive as of this writing, though. A Google spokesperson said there’s no set length for how long further “frequent” Stadia Pro deals will last going forward). And a $10/month Stadia Pro subscription (which is still the only way to access the service) also provides access to up to four free titles on Stadia.

Listing image by Kyle Orland