critical
Professor Douglas Leith at Trinity College Dublin found your Android phone sends device identifiers and telemetry to Google every 4 minutes — even after you turn off all data sharing options. An idle Android sends 20 times more data to Google than an idle iPhone sends to Apple. Google collects your IMEI, hardware serial number, SIM serial, phone number, and advertising ID. You cannot stop it. There is no toggle. The data flows to Google every 240 seconds whether you consent or not. A billion Android users have no opt-out from continuous surveillance by the company that makes their phone's operating system.
critical
Google offers you a "Reset advertising ID" button — implying you can break free from tracking. But Google also collects your permanent hardware serial number, IMEI, and SIM serial number with every telemetry transmission. Resetting your advertising ID is like changing your hat while wearing a name tag. The new ID is immediately re-linked to your permanent identifiers. Google built the privacy control. Google also built the system that makes the privacy control meaningless. The reset button exists so Google can say you have a choice. The permanent identifiers exist so the choice doesn't matter.
critical
Google told 2 billion Android users that turning off "Location History" would stop tracking their movements. It didn't. Google kept recording your location through a separate setting called "Web & App Activity" that most users didn't know existed. The Associated Press investigation (2018) proved it. Google settled for $391.5 million with 40 state attorneys general — at the time, the largest privacy settlement in US history. Arizona's AG called it "deceptive and dishonest." Google's response: rebrand the feature and bury the real off switch deeper in settings.
ChromeOS
Operating System · 13 contradictions
Serious concerns
critical
In 2015, Google signed the Student Privacy Pledge — a promise not to collect children's data for non-educational purposes. The same year, EFF caught Chrome Sync silently uploading every student's browsing history, passwords, and bookmarks to Google's servers. Google promised to fix it. In 2020, New Mexico sued over the same thing. In 2025, another federal lawsuit alleged the same thing. Three lawsuits in ten years. The pledge is a decade-old broken promise Google renews every time it gets caught.
critical
Google tells schools it never uses student data for advertising. A 2025 federal lawsuit alleges Google builds a unique digital fingerprint of every student — what they browse, what apps they use, what they search — then uses those profiles to sell more Google products to schools. Seventy percent of American schools use Google Workspace. That's potentially 50 million children profiled to help Google sell more Google.
critical
Google claims COPPA compliance. COPPA requires parental consent before collecting data from children under 13. In Denmark, schools created Google accounts for children without telling parents. In New Mexico, Google collected voice recordings, location data, and browsing history from seven-year-olds — no parent ever said yes. Google settled for $3.8 million. Their annual revenue is $300 billion. That's like fining a millionaire twelve cents.
critical
Google says you can control what data they collect, but the most important data collection software on your Pixel phone — Google Play Services — has access to your location, texts, call history, contacts, camera, microphone, and body sensors, and you cannot turn it off or remove it. The "choice" they advertise does not apply to the biggest data collector on your phone.
critical
Even if you go through every privacy setting on your Pixel 8 and turn off everything you can find, your phone still sends data to Google every 4 minutes. It sends your phone number, device ID, location, and the WiFi networks near you — whether you are logged in or not. Academic researchers proved this happens even after you opt out.
critical
Google was fined $60 million in Australia because they tricked people about location tracking. When you turned off "Location History" thinking Google would stop tracking your location, a hidden second setting called "Web & App Activity" kept collecting your location data anyway. This hidden setting was turned on by default. A court found Google deliberately designed it this way.
critical
Google says your voice recordings won't be used for ads, but they convert your voice to text and then use that text to target ads at you. They technically keep the audio file separate from ads, but everything you said still gets used to sell you things.
critical
Google promises your Nest Mini only listens after you say "Hey Google," but it has been caught recording when nobody said the wake word. Google admitted a software bug caused speakers to record everything. A security researcher also showed someone nearby could hijack the microphone and listen to you remotely.
critical
Google says Nest devices get regular security updates and independent security reviews, but two of the most severe vulnerabilities possible (scored 10 out of 10) were found in these devices. One let anyone nearby spy on you through WiFi. These bugs existed in devices that were supposed to have been professionally checked for security.
critical
Chrome tags you with a permanent ID on install. If you sign in — which it pushes hard — every site you visit is linked to your real name and fed into Google's $265B advertising machine.
critical
Google spent 5 years promising to kill tracking cookies. The entire industry rejected their alternatives. In 2025 they gave up. The cookies are still there. Five years of your browsing data that could have been protected wasn't.
critical
Standard Safe Browsing checks a local list — relatively private. But Google pushes users toward Enhanced Safe Browsing, which sends every URL you visit to Google's servers in real time. It's presented as the recommended option during setup with a big blue button. Once you click it, Google receives a complete log of your browsing: every site, every page, every download. Google's own docs confirm Enhanced mode "sends URLs to Safe Browsing" and "temporarily links this data to your Google Account." The upgrade path from privacy to surveillance is designed as a one-click security improvement. Most users click the blue button.
critical
Google promises you can see and delete your camera footage, but when the FBI needed footage from a disabled camera with no cloud subscription, Google engineers found it hidden in their backend systems. There is video data Google keeps that you cannot see or delete.
critical
Google says they only share your camera footage with your permission, but they can actually give your videos to police without a warrant and without telling you, if they decide it's an emergency. Texas fined them $1.375 billion for exactly this kind of deception with Nest devices.
high
Google says your camera data won't be used for ads, but they admit voice transcripts CAN be used for ad targeting. The companion app has analytics trackers and permissions to read your contacts and phone accounts — data that feeds Google's advertising profile.
critical
Google says your doorbell processes video locally on the device for privacy. But all the event clips still get uploaded to Google's cloud servers. The local processing just decides what to send — your footage still ends up on Google's computers.
critical
Google says you can always access and delete your doorbell footage. But when the FBI needed video in the Nancy Guthrie case, Google recovered footage from behind-the-scenes systems that the user couldn't even see in the app. Your video doesn't truly disappear when you think you've deleted it.
critical
Google advertises strong TLS encryption to protect your doorbell video. But a critical security flaw (rated 9.8 out of 10) meant the doorbell wasn't actually checking if it was talking to a real Google server. Anyone on your Wi-Fi network could have intercepted your video — the encryption was basically useless because the doorbell would trust any impersonator.
critical
Google says your doorbell video stays separate from advertising, and promotes on-device AI as a privacy feature. But all your video still gets uploaded to Google's cloud, and your doorbell is linked to the same Google account as your search history, YouTube, and Gmail. Asking your doorbell questions through Google Assistant can directly influence the ads you see.
critical
Google tells you that you can access, review, and delete your doorbell video at any time. But when the FBI needed footage in a criminal case, Google recovered video from their backend systems that the user could no longer see in the app. Your "deleted" video may still exist on Google's servers.
critical
Google's privacy page says they only share your video if you give explicit permission. But Google has confirmed they will hand your doorbell footage to police without a warrant — and without your knowledge — if they decide it's an emergency. They won't even tell you how often this happens.
critical
Google promises your Nest sensor data won't be used for ads. But there's a loophole: when you talk to your thermostat ('Hey Google, set it to 72'), the text of what you said CAN be used to target ads at you. Google was fined $1.375 billion in Texas for exactly this kind of deceptive privacy practice — collecting voice data from Nest devices without properly telling users.
critical
Google says your Nest thermostat's microphone only listens after you say 'Hey Google.' But a maximum-severity security flaw (CVE-2023-48419) let attackers nearby eavesdrop on any Nest device without the owner knowing. A class action lawsuit says these devices record conversations even without the wake word — and Google admitted one update made speakers record everything all the time.
high
To control your thermostat's temperature, Google's app demands access to your camera, microphone, phone contacts, phone dialer, precise GPS location, and a list of every app on your phone. A thermostat app should need WiFi and temperature data — not the ability to read your contacts and make phone calls on your behalf.
critical
Google says their WiFi router doesn't track which websites you visit. But the router is set up to send every website lookup to Google's own DNS servers by default. So while the router itself might not keep a list, Google's servers still see every website every device in your home tries to reach. It's like saying "I don't read your mail" while routing all your mail through your own post office.
critical
Google promises your WiFi data won't be used for advertising. But the app you must use to manage the router includes Google's advertising analytics tracker and requests access to your camera, microphone, contacts, phone calls, and precise location — none of which have anything to do with managing a WiFi router. Google's own privacy policy says they combine data across all their services, which directly contradicts the promise to keep WiFi data separate from ads.
critical
Google's WiFi router had a maximum-severity security flaw that let attackers take complete control of the device and read all internet traffic for every device in your home. The flaw existed because Google wasn't encrypting sensitive data on the router — the very device they promise has "built-in security." Since this router IS your internet connection, a compromised router means everything you do online is exposed. Google fixed it with an automatic update, but you had no way to know you were vulnerable or verify the fix.
critical
Google says your smoke detector data stays separate from advertising, but your Nest Protect's occupancy sensor feeds into Google's Home/Away system, which tracks when you're home and which rooms you're in. Texas sued Google for $1.375 billion partly because it lied about how it collected data from Nest devices.
critical
Your smoke detector has motion sensors, ultrasonic presence detectors, light sensors, temperature sensors, and a microphone in every room of your house — including bedrooms and bathrooms. These sensors form a mesh network that maps which rooms are occupied and when. It's sold as a smoke detector but it's actually a whole-home surveillance system.
critical
Security researchers found that the wireless protocol your smoke detectors use to talk to each other had a critical flaw (severity 9 out of 10) that could let an attacker take full control of the device. Someone could potentially disable your smoke alarm remotely. For a device you trust with your family's safety, that's terrifying.
critical
Google was fined nearly $400 million because it kept tracking people's locations even after they turned location tracking off. The same location system powers your Chromecast. Even now, Google admits it can still figure out where you are through your internet connection even with location turned off.
critical
Google was fined $170 million for illegally tracking children on YouTube and using their data to sell ads. The Chromecast uses the same Google account system. Children watching content on Google TV can still have their viewing habits, voice commands, and app usage collected, with only Family Link as a control — the same type of tracking approach that got Google fined on YouTube.
critical
The Chromecast remote has a microphone that Google says only listens when you say "Hey Google." But security researchers found critical flaws that let anyone with brief physical access take full control of the device — including potentially turning on the microphone remotely — while the Chromecast still tells you everything is secure. If you bought a used or refurbished Chromecast, it could already be compromised.
critical
Google promised not to use your health data for ads when it bought Fitbit, but the promise has loopholes. Your location data, device info, and app usage data are NOT protected — Google can still use those for advertising. And Fitbit's own privacy policy says it shares data with advertising partners anyway.
critical
Fitbit promised 'nothing changes' after Google bought them. But now Google is forcing everyone to migrate their health data to Google accounts or lose it forever. Your intimate health data — heart rate, sleep patterns, stress levels, menstrual cycles — will be governed by Google's privacy rules, not Fitbit's original promises.
high
The Fitbit app asks for permission to make phone calls, read your text messages, access your contacts, record audio with your microphone, use your camera, and read your calendar. None of these are needed for a fitness tracker to count your steps or monitor your heart rate.
critical
Google built a cursor that watches everything on your screen. Point at a bank statement, and Gemini reads it. Hover over a private email, and Gemini ingests it. Open a medical document, and Gemini knows your diagnosis. You don't even have to ask — it just reads. The feature is called "Magic Pointer," built by DeepMind. Google says it "comes alive with Gemini." What comes alive is a continuous feed of your screen contents to Google's servers. Every private thought you type, every sensitive document you open, every photo you view — the cursor is watching, and Google is processing.
critical
Before Googlebook even ships, Google already showed its hand. Chrome quietly downloaded a 4GB AI model onto hundreds of millions of computers — no warning, no consent, no opt-out. Delete it? It re-downloads itself. Security researcher Alexander Hanff caught it by creating a fresh Chrome install and watching the logs. Snopes confirmed it. The kicker: Chrome shows an "AI Mode" button that makes you think your queries stay on your device. They don't. Every query goes to Google's cloud. If this is how Google treats a browser, imagine what they'll do when they control the entire operating system.
critical
Google handed free Chromebooks to schools, then used them to harvest children's data. The EFF caught Google collecting browsing histories, search results, and YouTube habits from 40 million K-12 students — through a sync feature turned on by default. New Mexico's Attorney General sued, alleging Google collected locations, voice recordings, passwords, and contact lists from children under 13. Google settled for $5.5 million — pocket change for a company worth $2 trillion. A class action alleged Google collected children's face templates and voiceprints without parental consent. Now the same company wants to replace those Chromebooks with Googlebooks running full Android plus an AI that reads every pixel on screen.
critical
Google told the world it stopped reading your emails in 2017. It didn't. It just changed the reason. "Smart Features" scan every email, attachment, and chat using AI — on by default outside the EU. To fully opt out, find and disable two separate settings. Miss one and scanning continues. In the EU and UK, these ship turned off — telling you everything about what Google thinks of the privacy risk. The machine reading your love letters doesn't care whether it's reading them for ads or "features."
critical
Google says Gemini doesn't train on your Workspace data. But Gemini reads your emails, documents, and chats for "features" — turned on without asking. From September 2025, Google started training AI on user chats and uploads unless you explicitly opt out. Court testimony from a Google VP revealed the company used publisher content for AI even when those publishers opted out — internal docs showed they kept 80 billion tokens of supposedly excluded material. The line between "accessing" and "training" is wherever Google draws it on any given day.
critical
Eighty million students use Google Workspace for Education. Google says student data is never used for ads or AI. New Mexico's AG found Google was collecting children's locations, voice recordings, YouTube habits, and saved passwords — extending surveillance from classrooms into homes via syncing. Denmark banned it after finding Google uses children's data for its own purposes. Norway declared it flat-out illegal. Twenty-four Danish municipalities had been handing children's data to Google for years without ever conducting a single risk assessment.
critical
Every Google search is stored and linked to your identity by default. Google uses this to sell $300 billion in ads. The delete option exists but you have to find it.
critical
Google's own employees called Incognito mode a lie. Internal emails from 2019 (revealed in a class action) showed engineers saying "we need to stop calling it Incognito" because Google tracked users the whole time. In 2024, Google settled for $5 billion. The judge called the tracking "intentional." Chrome's Incognito icon — a hat and glasses — is the most recognisable privacy symbol on Earth, and it meant nothing.
critical
€2.95 billion fine — with a 60% surcharge for being a repeat offender. Google has been fined so many times the EU charges extra for recidivism. Plus €325 million for Gmail cookies. Google treats fines as a cost of doing business. The EU treats Google as a repeat offender. Both are right.
critical
Google tells free Gemini users not to type anything confidential — it's in the terms. Human reviewers read your conversations and keep them for three years, even after you delete them. When Italian journalist Federico Leva asked Google what data it held on him, the response included Gemini conversations he'd deleted months earlier. "Delete" removes it from your screen, not from Google's.
critical
In May 2024, Google rolled out AI Overviews to every US search user. Within days, Gemini told people to add glue to pizza (it read an 11-year-old Reddit joke as fact), eat rocks for minerals (it cited The Onion as a source), use gasoline to cook spaghetti faster, and that running with scissors is safe. Screenshots went viral. Google called the errors "generally very rare" while quietly reducing AI Overviews' appearance by 45%. The world's dominant search engine — used by 90% of the planet — replaced reliable links with an AI that can't tell a joke from a fact or satire from science.
critical
Google turned on Gemini inside your Gmail without asking. If you had Smart Compose enabled — most people do — Google took that as consent to read your emails with AI. No new prompt. No separate toggle. Your old "yes" to autocomplete became a "yes" to AI analysis of every email. In Europe they had to ask. In America they didn't bother.
YouTube
Streaming · 8 contradictions
Serious concerns
critical
In 2019 YouTube paid $170 million for tracking children. In 2025, a federal judge said Google knowingly "engaged in highly offensive conduct" collecting kids' data — and approved another $30 million settlement. Disney got fined $10 million for mislabeling kids' videos on YouTube, which let Google's trackers follow children anyway. Six years and $210 million in penalties later, the same fundamental violation keeps happening. The children whose data was collected in 2019 are now teenagers — and their younger siblings are being tracked too.
high
Alexander Hanff, a privacy researcher, filed a formal complaint that YouTube's ad-blocker detection qualifies as spyware under EU law. The Irish Data Protection Commission agreed and opened a formal probe in 2025. YouTube's scripts reach into your browser to detect what extensions you've installed — the exact behavior the ePrivacy Directive was written to prevent. If you refuse to let YouTube scan your browser, YouTube blocks you from watching videos entirely. The choice is: let us surveil your browser, or leave.
high
Caleb Cain told the New York Times that YouTube's autoplay recommendations gradually pulled him from self-help videos into white supremacist content over several years. A PNAS study tested 100,000 fake accounts and confirmed: the deeper you follow recommendations, the more extreme they get. YouTube's own leaked internal research showed the company knew but prioritized watch time. In 2026, researchers in Turkiye found the algorithm could radicalize young conservatives "in a very short time." YouTube calls it a "discovery engine." Researchers call it a rabbit hole.
critical
You opened Google Maps settings and turned off Location History. Google kept tracking you anyway. The Associated Press discovered that Google Search, Chrome, and even the Weather app continued recording your location after you turned off the setting Google told you controlled location tracking. Google's own engineers told the AP it was "practically impossible" to stop Google from tracking your location. Forty US states sued. Google paid $391.5 million. Arizona added $85 million more. The "off" switch was theater. Google always knew where you were.
critical
Google built a database called Sensorvault. It contained the precise location history of hundreds of millions of people going back a decade. Police discovered they could get a warrant and ask Google: who was near this crime scene at this time? Google received 11,554 of these "geofence warrants" in 2020 alone. Jorge Molina spent six days in jail for a murder he didn't commit -- his Google location data was the only evidence. A Florida man was accused of burglary because he biked past the scene. A Virginia man was jailed for a week and cleared. Google collected your location to "improve your experience." Police used it to arrest innocent people.
critical
$1.4 billion. Google told users turning off Location History would stop tracking. It didn't. A second toggle — "Web & App Activity" — kept tracking your location through Search, Maps, and other apps. Two switches that look independent but both track location. Turn off one, the other keeps watching. Google designed the confusion. Texas charged $1.4 billion for it.
Gmail
Email · 7 contradictions
Fail
critical
Google said they stopped reading your email in 2017. They didn't — they just changed what they read it for. Now their AI reads it too, enabled by default. The machine scanning your inbox got an upgrade, not a removal.
critical
Gmail encrypts your email in transit — then decrypts it on Google's servers where they can read everything. There is no end-to-end encryption for regular users. 'Confidential Mode' is a lie — Google can still read those emails too.
critical
In 2018, journalists discovered that Google let hundreds of outside companies read your Gmail. Human employees at those companies were reading private emails. Google's response: it was in the fine print.
critical
Google can read your passwords. By default, your saved passwords are encrypted with keys Google holds. A rogue employee, a government order, or a breach could expose every password you've saved. The 'on-device encryption' toggle exists but almost nobody finds it.
critical
The company that makes $265 billion selling ads stores every password you own. Their privacy policy lets them use your data to 'improve services and develop new ones.' Your banking password lives next to their ad targeting engine.
critical
Your password manager shares a process with Google Play Services — the same app that tracks your location, reads your SMS, accesses your camera, and serves ads. It has the AD_ID permission. No other password manager is bundled with an advertising SDK.
Fitbit
Wearables · 7 contradictions
Serious concerns
critical
Google told the European Commission it would keep Fitbit health data walled off from its advertising machine for 10 years. That was the deal -- the only reason regulators approved a $2.1 billion acquisition that gave Google 30 million people's heart rates, sleep patterns, and menstrual cycles. Two years later, Google required every Fitbit user to migrate to a Google account. Your heart rate data now lives in the same account as your search history, your YouTube habits, your Gmail, your location history. The silo Google promised? It's a policy document, not a technical wall. And Google already paid $170 million for breaking its promise to protect children on YouTube. A promise from Google to regulators is a press release with an expiration date.
critical
Richard Dabate told Connecticut police an intruder killed his wife Connie. Her Fitbit said otherwise -- it showed her walking around for an hour after he claimed she was dead. He was convicted of murder in 2022. Karen Navarra's Fitbit recorded the exact moment she was killed -- a heart rate spike, then nothing. Insurance companies subpoena Fitbit data to prove you're not as injured as you claim. Divorce lawyers request it to prove infidelity -- your heart rate and GPS location during those unexplained evenings. Fitbit markets a private wellness journey. The courts see a 24/7 surveillance device that records your heart rate, your location, and the exact time you stopped moving. Every step you log is evidence waiting for a subpoena.
high
Fitbit had a web dashboard. You could check your steps in a browser without installing anything. Google killed it in 2025. Now you must use the mobile app. The web dashboard needed a browser cookie. The mobile app needs your advertising ID, your precise GPS location, your installed app list, your Bluetooth devices, your Wi-Fi networks, and persistent background sensor access. Google called this a "more streamlined experience." It's a more streamlined data collection pipeline. Users who deliberately avoided the app to limit tracking were forced into it. Six new categories of data collection, disguised as a UX improvement.
high
Google says your DNS queries are kept separate from everything else Google knows about you. Google has never let an independent auditor verify this. Cloudflare hired KPMG. Google hired nobody. This is the same company that paid $391.5 million for secretly tracking users' locations after they turned location tracking off. The same company that paid $5 billion for tracking Chrome Incognito browsing it promised was private. Google asks you to trust that it walls off DNS data from ad data. The company's track record on "trust us, we don't track that" is worth exactly $5.4 billion in settlements.
high
Google says you choose to use 8.8.8.8 for faster, more secure DNS. Billions of people never chose anything. Google DNS is the default on Android phones, Chromebooks, and Chrome's Secure DNS. With 72% of the world's phones and 65% of browsers, Google made the choice before you did. Most people don't know what DNS is, let alone which one their phone uses. Google's "opt-in" DNS service is opt-out on Google's own platforms -- and almost nobody opts out of defaults.
high
Google says your DNS data is deleted in 24 to 48 hours. Read the fine print. That's only for the logs that include your IP address, and only under "normal" circumstances. Google can keep your IP address longer for "security and abuse" with no time limit defined. The permanent logs -- which record what domains were queried, when, and from which city -- are kept forever. "24 to 48 hours" is technically true for one data category. The rest of your DNS history has no expiration date.
critical
Google built YouTube Kids and called it "a safer online experience for kids." The FTC found Google was tracking children with persistent identifiers and serving them targeted ads -- the exact thing COPPA exists to prevent. The $170 million fine was the largest COPPA penalty ever. FTC Commissioner Chopra said it was "a fraction of what YouTube earned from the illegal conduct." Nobody at Google went to jail. Nobody was personally fined. A $170 million parking ticket for a company worth a trillion dollars.
critical
YouTube Kids promised a "contained environment filled with family-friendly videos." Parents found their toddlers watching Peppa Pig being tortured, Spider-Man injecting Elsa with needles, and cartoon characters being kidnapped -- all recommended by YouTube's algorithm. The BBC found this content within 10 clicks from the YouTube Kids homepage. Content farms churned out thousands of these videos daily because the algorithm rewarded them with views. The algorithm didn't care that the viewers were three years old. It cared about watch time.
high
Google said it didn't track children. University of California researchers found the YouTube Kids app contacted seven different advertising and tracking domains. DoubleClick -- Google's own ad network -- was embedded in an app for five-year-olds. Every video a child watched was logged, profiled, and used to serve targeted ads. Google built surveillance infrastructure into a product with cartoon characters on the icon.
Waze
Travel · 6 contradictions
Notable issues
critical
You chose Waze instead of Google Maps. Maybe you wanted something different. Maybe you didn't trust Google with your location. Waze is Google. Has been since 2013, when Google paid $1.1 billion for it. Your Waze location data feeds Google's advertising system. Your commute, your route, your destination -- it all goes to the same company that built the Sensorvault database and handed location data to police 11,554 times in 2020. In 2023, Google merged Waze's engineering team into Google Maps. The app in your pocket still says Waze. The data goes to Google.
high
Waze shows you as a cartoon avatar on the map. Cute. Researchers at UC Santa Barbara watched those avatars and tracked individual users. They figured out where people lived -- the avatar stops at the same place every night. They mapped daily commutes, work locations, shopping habits. All from watching cartoon icons on a public map. You can set yourself to "invisible." That hides you from other users. Waze and Google still track you. The cartoon disappears. The surveillance doesn't.
high
Waze lets you report police locations. The NYPD demanded the feature be removed, calling it a threat to officer safety. But the feature works both ways: researchers showed that police reporting data could identify which users are monitoring police activity. The app that helps you avoid speed traps also reveals that you're avoiding speed traps. Meanwhile, Waze shares traffic data with city governments through its Connected Citizens Program. Waze is a surveillance tool that works in every direction -- users watching police, police watching users, cities watching everyone.
critical
When you read a news article on Google News, the reading doesn't stay in Google News. It joins your Google Search history, your YouTube viewing, your Gmail contents, your Maps location, your Android app usage, and your Chrome browsing -- all feeding one advertising profile. Google knows you read an article about diabetes. Google knows you searched for diabetes symptoms. Google knows you watched a diabetes management video on YouTube. Google knows you drove to an endocrinologist (Maps). Google knows your pharmacy sent you an email (Gmail). No other news platform has this power. Google News isn't a newspaper. It's a data intake valve for the most comprehensive surveillance infrastructure ever built. Reading the news on Google doesn't inform you. It informs Google.
critical
Google launched a $1 billion programme to "support journalism." Google also launched AI Overviews that summarise news articles without anyone clicking through to the publisher. The AI reads the journalism, synthesises it, and presents it under Google's brand. The publisher who paid the reporter, the editor, and the fact-checker gets nothing -- no click, no ad revenue, no reader relationship. When Australia and Canada passed laws requiring Google to pay for news, Google threatened to remove news from search entirely. That's the power dynamic. Google can survive without publishers. Publishers cannot survive without Google. A billion dollars to "support journalism" from the company building the AI that makes journalism clicks unnecessary. The support and the destruction come from the same company.
critical
Google gave you a setting called "Location History." You turned it off. Google kept tracking you anyway. The California Attorney General proved it. $93 million settlement. Google used GPS, Wi-Fi, Bluetooth, and cell towers to follow you after you explicitly told it to stop. That location data fed into Google News personalisation and ad targeting. Google promised to fix it in December 2023 -- store data on-device, auto-delete after 3 months. EPIC noted Google had already broken previous privacy promises. The $93 million fine sounds large. Google made $238 billion in advertising revenue in 2023. The fine is 0.04% of ad revenue. Less than four hours of earnings. The setting says off. The tracking is on. The fine is a rounding error.
critical
Google can read every file on your Drive. They scan them for policy violations, their Gemini AI processes them, and they complied with government data requests 80% of the time in 2023 — 209,000 requests globally. A Minnesota teacher was arrested after Google automatically scanned his Drive photos and reported them to NCMEC. Google isn't a filing cabinet. It's a filing cabinet with an employee who reads everything you put in it.
high
Files encrypted against outsiders but not against Google. They license themselves to modify your content and can suspend your entire Google account over a scanner false positive.
high
Varonis research found the average company on Google Drive has 700,000 sensitive files accidentally exposed to anyone with the link. No native option exists for end users to encrypt files so Google can't read them. If you're a journalist, lawyer, or doctor using Google Drive, your files are readable by Google, indexable by its AI, and one sharing mistake away from being public.
high
Calls aren't encrypted end-to-end. Recordings go to Drive where Google can read them. Meeting data feeds your ad profile and responds to 80% of government requests.
high
Free because you pay with data. Who you meet, when, how often -- it all feeds the ad profile. Gemini AI processes your meetings too.
medium
Google Meet recordings are saved to Google Drive — where Google scans, indexes, and can hand them to law enforcement. In 2023, Google received 209,000 government requests for user data across its services and complied with 83% of them. Your meeting with your lawyer, your doctor, your therapist — it sits in Google Drive, readable by Google, subpoenable by police.
critical
The EU let Google buy Fitbit for $2.1 billion based on a pinky promise: "We won't use health data for ads for 10 years." Now your Pixel Watch heart rate, sleep, blood oxygen, and stress levels sit in the same Google account as your search history and YouTube watches — same privacy policy. The EU's enforcement? Google reports on itself. This is the same company the EU has fined over $8 billion for antitrust violations. They paid every fine and changed almost nothing.
high
The Pixel Watch app claims "no data shared with third parties." Google isn't a third party. Google IS the first party. Your heart rate, sleep cycles, and stress levels flow to a $307 billion ad company. Google has over 200 subsidiaries — none count as "third parties." The claim is true the way "I didn't give your diary to strangers" is true when you read it yourself and told all your subsidiaries about it.
high
Twelve million people bought Fitbit to track health without Google. Then Google bought Fitbit and announced: migrate to a Google account by May 2026 or your device stops working. Miss July and Google deletes years of health records permanently. This isn't a choice. It's a hostage situation. You built a health history over years — and now a company making 80% of revenue from advertising says "give us your heart rate data or we destroy it all."
critical
Google told schools it would not use student data for ads. New Mexico's Attorney General found otherwise — Google was collecting children's personal data through school Chromebooks without parental consent. YouTube watch history, search queries, location data — all fed into the same profile Google uses for advertising. The classroom became a data collection pipeline.
high
Human Rights Watch examined 146 educational apps in 49 countries. 89% could surveil children outside school hours. Google Classroom was everywhere. Children doing homework at 10pm were being tracked by ad-tech companies. The school assigned the app. The parents trusted the school. Google collected the data.
medium
A child gets a Google account at age 6 for school. By age 12, Google has six years of search history, YouTube watches, and documents. When the child changes schools, nobody deletes the account. Schools lack the technical staff to manage it. Google keeps the data. A first-grader's digital footprint follows them to adulthood because an underfunded school never clicked "delete."
critical
Google Family Link protects your child. It also creates your child's Google account. That account collects your child's search history, location, YouTube viewing, app usage, and browsing data. Google paid $170 million to settle allegations it illegally collected children's data and used it for targeted advertising on YouTube -- the largest COPPA fine in history. Family Link is the tool Google built after getting caught. It gives parents control over screen time. It gives Google a data pipeline that starts at age 5 and runs for life. By the time your child turns 18, Google has 13 years of their search history, their location history, their YouTube viewing habits, and every app they've ever used. Family Link protects your child from the internet. Nobody protects your child from Family Link.
high
Google doesn't show personalised ads to children. Google waits. Every search your 8-year-old makes, every YouTube video they watch, every place they go with location tracking enabled -- collected and stored. When they turn 13, the account transitions from "supervised" to standard. The ad-free promise expires. The data doesn't. Years of childhood search history, viewing habits, and location data become the foundation of an advertising profile Google has been building since before your child could read. Google's promise is precise: no personalised ads for supervised accounts. The promise says nothing about what happens to a decade of childhood data when the supervision ends.
high
Family Link isn't an app you install. It's Android itself. You can't uninstall it. You can't bypass it. Google is simultaneously the phone's operating system, the data collector, the parental control tool, and the advertising company. There is no independent party anywhere in this system. A 16-year-old who wants to delete embarrassing searches from when they were 10 can't -- not without their parent's permission. The child has no independent data rights within Google's system. No privacy from their parents. No privacy from Google. And when they turn 18, the data Google collected since childhood is already in the system. Google didn't just build a parental control tool. Google built the surveillance into the operating system and called it a feature.
critical
You uploaded baby photos. Google scanned every face and built a biometric profile for your child before they could consent to anything. Google Photos contains the largest facial recognition training dataset on Earth — billions of labelled faces, contributed by parents who thought they were backing up memories. Your family album is Google's AI training data.
critical
$100 million settlement. Google scanned the faces of millions of Illinois residents through Google Photos without getting written consent — a violation of BIPA. They had the technology to ask permission. They chose not to. One hundred million dollars later, the faces are still in the database.
high
Google said photo storage was free forever. A billion people deleted their local copies and trusted Google. Then Google said actually, you're running out of space — pay $3/month or your photos stop syncing. The original copies are gone. The backup is now the only copy. And the free promise has a price tag.
high
You tap Google Pay at a pharmacy. Google now knows what you bought, where, and when. It already knew you searched for symptoms last night, watched a health video on YouTube, and emailed your doctor through Gmail. The payment is the final piece. Google connects your health anxiety to your purchase to your search history. No bank can do that. Google can.
high
Google Pay holds your credit cards, loyalty cards, boarding passes, transit passes, and government ID. In India, it processes 40% of all digital payments. Google knows what you buy, where you travel, which stores you frequent, and where you work. All of this feeds a $237 billion advertising business. The wallet is the ad platform.
high
Google put a radar sensor in a bedside device that tracks your breathing, movement, coughing, and snoring all night. They said radar is more private than a camera. It is more intimate. A camera sees your face. The radar measures your respiratory rate and knows when you toss and turn. Google now has your sleep data alongside your search history. It knows what keeps you up at night — literally and figuratively.
high
Google put a microphone in the original Nest Hub and forgot to mention it. Not in the specs. Not in the marketing. Not on the box. They called it a documentation error. A microphone in a bedroom device, accidentally undisclosed. Google paid $5.4 million to settle the lawsuit. The microphone is still there in every unit sold.