← Photo Video
F

Google Photos

Fail
Google · 🇺🇸 United States
PolicyApp PermissionsNetwork TrafficFirmwareRegulatory
Technical details
App: Google Photos
Manufacturer: Google

⚠️ The bottom line

You uploaded baby photos. Google scanned every face and built a biometric profile for your child before they could consent to anything. Google Photos contains the largest facial recognition training dataset on Earth — billions of labelled faces, contributed by parents who thought they were backing up memories. Your family album is Google's AI training data. $100 million settlement. Google scanned the faces of millions of Illinois residents through Google Photos without getting written consent — a violation of BIPA. They had the technology to ask permission. They chose not to. One hundred million dollars later, the faces are still in the database.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act read more →
US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM read more →
NSA collects stored emails, photos, messages without individual warrants
Geofence warrants read more →
Police can demand location data for everyone near a crime scene
Spying
3/4 HIGH
Is someone spying on me?
Kids at risk
Data Sharing
2/4 MODERATE
Who gets my data?
Kids at risk
Security
0/4 N/A
Is it actually secure?
Honesty
3/4 HIGH
Can I trust what they say?
Kids at risk
CONFIGURE High-risk areas that can be partially mitigated with settings changes.
3Contradictions
2Critical
1High
0Medium
3Sources
Findings by concern
Spying 3/4 HIGH 2 findings
⚠️ criticalmarketing vs third party research
You uploaded baby photos. Google scanned every face and built a biometric profile for your child before they could consent to anything. Google Photos contains the largest facial recognition training dataset on Earth — billions of labelled faces, contributed by parents who thought they were backing up memories. Your family album is Google's AI training data.

What they claim: Google Photos promotes itself as a safe, private place to store your memories

What we found: Google Photos uses facial recognition to automatically identify and group faces across your entire library — including children. This creates one of the largest facial recognition training datasets in history. Google has used Photos data to train its AI models, including Gemini's image understanding capabilities. Users who upload family photos are contributing to a biometric database they never explicitly agreed to build.

⚠️ criticalprivacy policy vs regulatory
$100 million settlement. Google scanned the faces of millions of Illinois residents through Google Photos without getting written consent — a violation of BIPA. They had the technology to ask permission. They chose not to. One hundred million dollars later, the faces are still in the database.

What they claim: Google Photos privacy policy describes photo analysis for search and organisation features

What we found: Google settled a $100 million lawsuit in Illinois for collecting facial recognition data through Google Photos without consent, violating the state's Biometric Information Privacy Act (BIPA). Google had scanned and categorised faces of millions of Illinois residents without obtaining the written consent required by state law.

Honesty 3/4 HIGH 1 finding
⚡ highmarketing vs regulatory
Google said photo storage was free forever. A billion people deleted their local copies and trusted Google. Then Google said actually, you're running out of space — pay $3/month or your photos stop syncing. The original copies are gone. The backup is now the only copy. And the free promise has a price tag.

What they claim: Google originally offered unlimited free photo storage to attract users

What we found: In 2020, Google ended unlimited free storage, retroactively applying storage limits to a service billions of people had used to store their entire photo libraries. Users who had deleted local copies — because Google said storage was unlimited — now faced paying for Google One or losing access. The bait-and-switch affected an estimated 1 billion users.

What happened to real people
Documented incidents involving Google products and user data.
Jorge Molina jailed 6 days for murder via geofence warrant based on Google Sensorvault location data. Lost job, car, reputation. Charges never filed. [source]
PRISM participant since 2009. NSA collects stored communications. FBI conducts warrantless 'backdoor searches' of American data using names and email addresses. [source]
Google received 180 geofence warrants per week by 2019. Each warrant searches tens of millions of accounts. Supreme Court hearing constitutionality (Chatrie v. United States). [source]
What your data is worth to governments
Google complied with 235,000 government data requests in H1 2024. That's +530% over 10 years. Google has been a confirmed PRISM participant since 2009. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702, Patriot Act).
Documented: Jorge Molina jailed 6 days for murder via geofence warrant based on Google Sensorvault location data. Lost job, car, reputation. Charges never filed.
Documented: PRISM participant since 2009. NSA collects stored communications. FBI conducts warrantless 'backdoor searches' of American data using names and email addresses.
What is PRISM? · What is the CLOUD Act? · Transparency report
Sources