Digital Platforms and their Likely Use for Espionage Part II

Published in Hilal English

Written By: Dr. Fateh-ud-din B. Mehmood

Google’s new motto could be: “You Search Us, We Search You!” Funny? No, it isn’t!

In the previous article, we discussed in detail that espionage and the employment of spies/agents is a 5,000-year-old practice that has been refined over thousands of years. In the modern digital age, espionage does not necessarily require human agents to be deployed on foreign ground; instead, technology is used to do the job remotely. We also discussed that the digital gadgets we use in daily life, such as laptops, desktops and smartphones, are tools that foreign governments can use to spy on us, and that the tech companies have had us sign intelligently crafted End-User License Agreements (EULAs), which give them the legal right to do whatever they want with our data and our devices’ components, such as microphones, cameras and GPS sensors.


We also covered Microsoft as an example to explain how much data can be stolen (or legally taken), because Microsoft’s Windows is undoubtedly the most commonly used operating system on desktops and laptops, with more than 1.5 billion users.

In this part, we will focus on Google, which is the search engine of choice for most users and whose ‘Android’ operating system crossed the 2 billion mark months ago.


Google User-base
A ‘billion’ is no longer a milestone for Google to reach: according to Google I/O 2017 (an annual developer conference held by Google), it already achieved over one billion monthly active users on seven unique products more than a year ago. In case you are wondering, these products are Android, YouTube, Search, Maps, Chrome, Google Play and Gmail.

Here is an infographic of some more gigantic figures that Google has achieved based on the data revealed at Google I/O:

Google is Watching
As we designed and showed a graphic in the first part of this article published last month, Google captures almost everything to profile and monitor its users: what they do, look up, watch, listen to, like or dislike, and where they go. If you have signed up for a Google/Gmail account and are using it, you can go to to find out a glimpse of what Google has stored about you and how it has profiled “you”.
We must keep in mind that this data is not everything Google has and knows about you, but merely a preview of it.

When I visited my timeline on the Google Maps dashboard, I found each and every place I had ever visited, with a very precise timestamp, since I started using an Android phone. For instance, I visited Hilal Magazine’s office on November 7, 2017 and here is what I found related to this visit on Google Maps:
Google knew the time of my visit, location of the meeting, the route I took and it also knew I was travelling in a vehicle.


To boot, Google could also easily figure out who the participants of the meeting were through the GPS coordinates or cellular tower data that Android devices regularly send back to Google, and if they find the participants “interesting” they “might” record the audio and take pictures or videos of that meeting… and that is “legal”. Why? Because we gave them permission to do so without our confirmation when we installed/updated Google Search on our phones. Simple!

Here are the excerpts of what “Record Audio” and “Take Pictures and Videos” mean according to the definitions when they ask for those permissions:
Record Audio: “Allows the app to record audio with the microphone. This permission allows the app to record audio at any time without your confirmation.”
Take Pictures and Videos: “Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation.”

Turning Off GPS
We think that turning off the GPS on our phones would stop Google taking the device’s location data but we are wrong. Google keeps collecting Android users’ locations even when the location services are explicitly disabled, no apps are being used or even when the SIM cards are not installed into the phones.

There are a whole lot of other ‘strategies’ that Google has employed to gather data or in other words to spy on you that include capturing the nearest GSM cell IDs and Wi-Fi Access Points unique IDs, which Google then triangulates to pinpoint the device’s location.

For those who don’t know, a GSM Cell ID or CID is a unique number used to identify each base transceiver station (BTS), or sector of a BTS, in the world. There are a few databases containing hundreds of millions of unique CIDs and more than 1.5 billion Wi-Fi AP IDs worldwide and some of them are available publicly such as that tells the exact location of a GSM Cell Tower or a Wi-Fi AP on the map with the unique ID.

Note: Each red dot in the picture is a GSM cell tower.

How does Google know the accurate locations of Wi-Fi Access Points?
Your thoughts were read; you are right that Wi-Fi Access Points don’t have a GPS sensor… then how on earth can their locations be known and stored in databases? Do you remember Google’s Street View Cars?

These cars roam around the world to capture the street view, but as a by-product they also sniff and store the IDs of the Wi-Fi APs configured at the homes or offices on those streets. Wi-Fi APs broadcast their IDs by default (that’s why, when you visit your aunt and want to connect to her Wi-Fi, you see her Wi-Fi AP as well as some others in the neighborhood).

Even if your aunt did not have a smartphone and her Wi-Fi AP’s location was not yet known to Google, as soon as you connected your Android device to that AP, Google got her AP’s location through your phone’s GPS service. You got her registered too… Bingo! Now, Google knows her old Pentium desktop’s location as well when she goes online.



By the way, this is NOT a conspiracy theory cooked in the backyard of a paranoid person’s house over a cup of tea; when this malpractice was revealed by researchers and questioned, Google spokespersons confirmed the practice publicly a few times, but said they would stop it soon.
Yeah. Like we really believed them!

Searching Without Google ID
Some obsessed-with-privacy persons, like I am, try to google (yes! ‘to google’ has become a verb that was added to both the Oxford and Merriam-Webster dictionaries in 2006) without signing in to their Gmail/Google IDs, to prevent Google from saving their search history and adding it to their profile. Google knew this, so they decided to generate a Unique ID (UID) for the computer or device used for searching and assign the search history to that UID. Not only that, but Google also keeps a record of which Google/Gmail IDs have ever logged on from that device or computer.

The Media Access Control (MAC) address, a unique identifier assigned to every network device, similar to an IMEI number, is not transferred through browsers. However, if an app or software is installed on the device, that app or software can easily take, encrypt and transfer the MAC address. We have the Google Chrome browser installed on our machines, and who knows if the browser app does this as well.

Cloud Data Centers in India
A couple of months ago, I was teaching a digital forensic training workshop where I was demonstrating how to track an email ID. We made a test Gmail ID and employed some tracking techniques. We were not surprised that the IP address of the Gmail server appeared to be in India.

That is because we realized that Google recently launched three data centers in Mumbai to add to its worldwide cloud platform. Before this launch, the closest available Google data centers to Pakistan were located in Singapore. The closest Google data centers can be seen in the picture.
It is understood that these service providers, whether it is Google or Microsoft, have to accommodate the local laws concerning surveillance.

Unfortunately, we know that some of our government organizations use Gmail as their unspoken official email service to communicate internally and externally. We MUST, at least in offices, shun this practice immediately.

What Does Google Do With our Data?
Google's advertising revenue in 2017 alone amounted to almost USD 95.4 billion and it is rocketing every year. Without selling you (oh come on, I mean ‘your data’), Google could not achieve this colossal figure.

Why would the companies provide their users data to the U.S. government?
The simplest answer is ‘legal requirements’, such as the FISA Amendments Act of 2008 in the U.S.¹
The Foreign Intelligence Surveillance Act (FISA) of 1978 Amendments Act of 2008 authorizes the government to require U.S. companies to provide information and the content of communications associated with the accounts of non-U.S. citizens or non-lawful permanent residents who are located outside the United States.

This act has been used not only as the legal basis for the global surveillance disclosed by Edward Snowden in 2013, including PRISM and other surveillance programs, but also for obtaining users’/clients’ information and data from U.S.-based companies.

Last Words!
In the last article, we revealed some facts about Microsoft and in this article we have talked about Google. We will be discussing other giant tech platforms such as Facebook, Apple, etc. and how they are taking and treating our data.

This series of articles is not meant to point out the malpractices of a specific tech company; rather, it is about how our privacy and information are being used and abused in the information age, or digital age, by almost every digital platform. The purpose is to secure ourselves and become a technologically independent country.

 (To be Continued.....)


The writer is an Information Security and Digital Forensic professional, a researcher and an entrepreneur.
