If you use an Android phone and are (rightly!) concerned about digital privacy, you probably already care about the basics. I’ve deleted Most intrusive snoopy apps, Withdrawn Keep track of whenever possible, and take all other common precautions Privacy Guidelines tell you that. The bad news – and you might want to sit down for this – is that none of these steps are enough to be completely tracker-free.
Or at least, that’s the motivation for a new paper From researchers at Trinity College Dublin who took a look at the data-sharing habits of some popular variants of the Android operating system, including those developed by Samsung, Xiaomi and Huawei. According to the researchers, “with a little configuration” once taken out of the box and when left idle, these devices would continue to send device data to operating system developers and a large number of select third parties. Even worse, there is often no way to opt out of this data transmission process, even if users want to.
Much of the blame lies here, the researchers point out, on the so-called “System apps. These are apps that are preinstalled by the device manufacturer on a specific device to offer a certain type of functionality: the Camera app or Messages are examples. Android generally packages these apps in what is known as the device’s “read-only memory” (ROM), which means that You can’t delete or modify these apps without, well, ROOT YOUR DEVICE. And until you did, the researchers found that they were constantly sending device data to the parent company and more than a few third parties — even if you never opened the app.
Here’s an example: Let’s say you own a Samsung device that happens to be packed with some Microsoft bloatware Pre-installed, including LinkedIn. Although there is a good chance for you Never open LinkedIn For whatever reason, this hard-coded app is constantly replying to Microsoft’s servers with details about your device. In this case, it’s called “telemetry data,” which includes details like your device’s unique identifier, and how many Microsoft apps you’ve installed on your phone. This data Moreover It is shared with any third party analytics providers that these apps may be connected to, which usually means Google, since Google Analytics is reigning king Among all the analysis tools available.
As for the hard-coded apps that you do may be It actually opens every now and then, and more data is sent with each interaction. The researchers discovered Samsung Pass, for example, by sharing details such as timestamps detailing when you’ve been using the app, and for how long you’ve used Google Analytics. The same for Samsung Game playerAnd every time you use the Samsung virtual assistant, Bixby.
Samsung is not alone here of course. Google Messaging App Pre-installed on Samsung Phones competitor Xiaomi was caught sharing timestamps from every user interaction with Google Analytics, along with logs of every time a user sent a text message. Huawei devices have been detected doing the same. And on devices with Microsoft SwiftKey preinstalled, logs detailing each time the keyboard was used in another app or elsewhere on the device were shared with Microsoft, instead.
We’ve barely scratched the surface here when it comes to what each app does on every device these researchers have looked at, which is why you should check out paper Or better yet, check out Useful guide About spying on Android data sharing practices on your own. But for the most part, you’ll see the data being shared looks pretty boring: event logs, details about your device’s hardware (like model and screen size), along with some kind of identifier, like your phone’s hardware serial number and mobile advertising ID, or “AdID.”
None of these data points can uniquely identify your phone as yours, but if collected together, they constitute “fingerprintwhich can be used to track your device, even if you try to opt out. The researchers point out that while the Android advertising identifier is Technically ResetThe fact that apps are usually bundled with more persistent identifiers means that these apps – and any third parties you work with – will know who you are anyway. The researchers found this to be the case with some other resettable identifiers offered by Samsung, Xiaomi, Realme and Huawei.
To her credit, Google Do She has a little Developer rules It is intended to hinder particularly invasive applications. It tells developers that they can’t connect a device’s unique advertising identifier to something more stable (like that device’s IMEI, for example) for any kind of advertising-related purpose. And while analytics providers be They are allowed to do that binding, they can only do so with the “explicit consent” of the user.
Google states that “in the event of a reset, you should not associate a new advertising identifier with a previous ad identifier or data derived from a previous ad identifier without explicit user consent” separate page detail these development policies. You must comply with the user setting “opt out of interest-based advertising” or “opt out of advertising personalization.” If a user has enabled this setting, you may not use the advertising identifier to create user profiles for advertising purposes or to target users with personalized ads. “
It should be noted that Google does not set any rules on whether developers can do this Collecting This information, is only what they are allowed to do with it after, after collected. And since these are pre-installed apps that often get stuck on your phone, researchers have found that they are often allowed to give up explicit opt-out settings for a user’s privacy by…that user hasn’t opened them. And with no easy way to delete it, this data collection will continue (and will continue to happen) even to the owner of this phone as well. get creative With rooting their device or throwing it in the ocean.
Google, when asked about the irrevocable data collection by people In BleepingComputer, he replied that this is simply “how modern smartphones work”:
As described in our Google Play Services Help Center article, This data is essential for essential hardware services such as push notifications and software updates across a diverse ecosystem of hardware and software architectures. For example, Google Play Services uses data on certified Android devices to support basic device features. Collecting limited basic information, such as a device’s IMEI, is essential to reliably deliver critical updates across Android devices and apps.
Which seems logical and reasonable, but the study itself proves that it’s not the whole story. As part of the study, the team looked at a device with /e/OS, a privacy-focused open source operating system that has been described as “deGoogleAndroid version. This system swaps out baked Android apps – including Google Play Store – with Free and open source rewards Users can access it without the need for a Google account. Wouldn’t you know that, when these devices were left idle, they sent “no information to Google or other third parties”, and “basically no information” to the developers themselves.
In other words, this aforementioned tracking is clearly inevitable unless you feel that having Google on your phones is also inevitable. Let’s be honest here – it kind of works for most Android users. So what should a Samsung user do, besides, you know, get tracked?
Well, you can get lawmakers to care, for starters. Our privacy laws are on books today – like General Data Protection Regulation In the European Union, the CCPA In the US – built almost exclusively to address the way tech companies do business get to know her Forms of data, such as your name and address. So-called “anonymous” data, such as your device’s hardware specifications or an advertising identifier, usually falls through loopholes in these laws, although it can usually used To get to know you regardless. And if we can’t successfully demand reform of our country’s privacy laws, maybe one Many massive antitrust lawsuits Staring at Google now will eventually cause the company to put an end to some of these invasive practices.