Researchers discovered that even if you turn off location tracking on your Android phone, it continues to track you

by -
Photo: Leon Neal (Getty Images) – This is one area where Apple has a distinct lead. If you have an Android phone and are concerned about your digital privacy (which you should be), you’ve probably already taken care of the fundamentals. You’ve removed the most snoopy of the snoopy applications, turned off tracking wherever feasible, and followed all of the other measures recommended by popular privacy guidelines. The bad news is that none of those measures will get you completely free of trackers.

Or at least, that’s the gist of a recent report from Trinity College in Dublin, which looked into the data-sharing practices of a number of prominent Android OS variations, including those from Samsung, Xiaomi, and Huawei. According to the researchers, these devices would continuously ping back device data to the OS’s developers and a slew of selected third parties “with minimal setup” straight out of the box and while left inactive. Worse, even if consumers wish to opt out of this data-pinging, there’s frequently no mechanism to do so.

As the researchers point out, so-called “system applications” bear a large share of the burden. These are programs that come pre-installed on a device by the hardware manufacturer in order to provide a certain type of functionality, such as a camera or a messaging app. These applications are often stored in the “read only memory” (ROM) of an Android smartphone, which means you can’t uninstall or alter them without rooting your device. Even if you never launched the app, the researchers discovered that they were continually transmitting device data back to their parent business and a few other parties until you did.

As an illustration, consider the following: Assume you have a Samsung device that comes pre-loaded with Microsoft crap, including (sigh) LinkedIn. Even if you’re unlikely to use LinkedIn for any reason, the hard-coded program is continually sending information about your device to Microsoft’s servers.

It’s “telemetry data” in this case, which includes information like your device’s unique identification and the amount of Microsoft programs you have on your phone. This information is also shared with any third-party analytics providers that these applications may have integrated, which is almost always Google, because Google Analytics is the king of all analytics tools.

The researcher’s breakdown of which devices were collecting what data, and where it was being sent.
Screenshot: Shoshana Wodinsky (Trinity College)

When it comes to hard-coded programs that you might use once in a while, each interaction sends much more data. Samsung Pass, for example, was captured by the researchers exchanging information with Google Analytics such as timestamps indicating when and how long you used the app. The same goes for Samsung’s Game Launcher and whenever you use Bixby, Samsung’s virtual assistant. Of course, Samsung isn’t alone in this.

The Google messaging software, which comes pre-installed on Xiaomi phones, was discovered exchanging timestamps from every user interaction with Google Analytics, as well as records of every time the user wrote a text. The same was discovered on Huawei smartphones. Instead, logs documenting every time the SwiftKey keyboard was used in another app or elsewhere on the device were shared with Microsoft on devices that come pre-installed with Microsoft’s SwiftKey.

We’ve just scratched the surface of what each app does on each device investigated by these researchers, which is why you should read the article or, better yet, use our helpful guide to spy on Android’s data-sharing habits for yourself. But, for the most part, you’ll see data that appears to be quite mundane: event logs, information on your device’s hardware (such as model and screen size), and some type of identifier, such as a phone’s hardware serial number and mobile ad identifier, or “AdID.”

None of these data points by themselves can identify your phone as yours, but when combined, they create a unique “fingerprint” that can be used to monitor your device, even if you try to opt out. While Android’s advertising ID is theoretically resetting, the fact that it’s frequently coupled with more permanent identifiers means that these apps—and any third parties they’re dealing with—will know who you are regardless, according to the researchers. This was also the case with several of the other resettable IDs supplied by Samsung, Xiaomi, Realme, and Huawei, according to the researchers.

To Google’s credit, it does have a few developer guidelines in place to prevent extremely intrusive applications. It informs developers that they cannot link a device’s unique ad ID to something more persistent (such as the device’s IMEI) for any ad-related reason. While analytics providers are permitted to link data, they must do so with the user’s “explicit authorization.”

“If a previous advertising identifier or data derived from a previous advertising identifier is reset, a new advertising identifier must not be connected to a previous advertising identifier or data derived from a previous advertising identifier without the explicit consent of the user,” Google explains on a separate page outlining these dev policies.

“You must respect a user’s decision to ‘Opt out of Interest-based Advertising’ or ‘Opt out of Ads Personalization.’” You may not use the advertising identifier to create user profiles for advertising purposes or to target users with customized advertising if a user has selected this setting.” It’s worth noting that Google has no restrictions on whether or not developers may gather this data, just on what they can do with it once it’s been collected.

Because these are pre-installed applications that are frequently left on your phone, the researchers discovered that they were frequently permitted to circumvent users’ privacy explicit opt-out settings by just running in the background, regardless of whether or not the user opened them. And because there’s no easy way to erase them, the data gathering will continue (and continue) until the phone’s user either gets creative with rooting or throws their gadget into the ocean.

When challenged by BleepingComputer about the unavoidable data gathering, Google stated that this is just “how contemporary cellphones work”:

This data is required for key device services like as push notifications and software upgrades across a wide ecosystem of devices and software releases, as detailed in our Google Play Services Help Center article. To enable essential device functionality, Google Play services, for example, needs data from certified Android devices. Limited fundamental data, such as a device’s IMEI, is required to properly distribute important updates across Android devices and apps.

Although this appears to be rational and acceptable, the study itself demonstrates that it is not the full picture. The researchers investigated a device running /e/OS, a privacy-focused open-source operating system billed as a “deGoogled” version of Android, as part of their research. This system replaces Android’s built-in apps, such as the Google Play store, with free and open source alternatives that may be used without a Google account.

When these devices were kept inactive, they sent “no information to Google or any third parties,” as well as “basically no information” to /e/’s developers. To put it another way, this aforementioned surveillance hellscape is only unavoidable if you believe Google’s presence on your phone is also unavoidable. Let’s be honest: it is for the vast majority of Android users. So, other from being monitored, what can a Samsung customer do?

For starters, you can persuade politicians to take notice. The current privacy regulations, such as GDPR in the EU and the CCPA in the US, are almost entirely designed to address how digital firms handle personally identifiable data, such as your name and address. So-called “anonymous” data, such as your device’s hardware characteristics or ad ID, frequently slips through the holes in these regulations, despite the fact that it may still be used to identify you. And if we can’t get our country’s privacy laws overhauled, perhaps one of the many large antitrust actions Google is facing right now will force the firm to put a stop to some of these intrusive tactics.