Android Data Collection

This article addresses the manner in which Android phones share personal user information with Google, usually in a complete user unaware and unapproved way, and the legal consequences Google has endured for deceptive practices in users' location tracking.

Background

Android, the global top mobile operating system,^[1] is used to power billions of devices globally. Tests have shown that Android phones transmit user data to Google on multiple occasions even when users try to restrict sharing of data via settings. This has encouraged increasing alarm over user privacy, transparency, and personal data control.

Data sharing with Google

A research examined the frequency of data sharing between Google and Android phones.^[2] The research showed that even if an Android phone is set to minimal setting and left on its own, it shares data with Google on average every 4.5 minutes. The shared data includes sensitive information like:

• IMEI (International Mobile Equipment Identity)

• Hardware serial number
• SIM serial number and IMSI (International Mobile Subscriber Identity)
• Handset phone number

In addition, Android sends telemetry data to Google even when customers directly decline to have their data collected. For instance, each time a SIM card is inserted into the device, Android sends its information to Google automatically.

Data exchanged with Google by Google Messages and Google Dialer applications on an Android smartphone was also researched.^[3] These applications report to Google whenever messages are being sent/received or calls are being received/made. Precisely:

• Google Messages sends a message text hash so Google can match the sender and receiver in a message exchange.
• Google Dialer also transmits call time and call duration to Google for linking both devices for a call.
• Both of the apps forward phone numbers to Google.
• Both user interaction timing and duration with both apps are also forwarded to Google in addition to the above.

No exemption option exists in the data transmission. Data comes through two pathways:

1. The Google Play Services Clearcut logger.
2. Google/Firebase Analytics.

Location History Lawsuit

Google misled some Android users into thinking that the setting titled “Location History” was the only Google account setting that affected whether the company collected, kept and used personally identifiable data about their location. In fact, another account setting titled “Web & App Activity” also enabled Google to collect, store and use personally identifiable location data when it was turned on, and that setting was turned on by default.

For this, Google was sued in the United States^[4] and in Australia.^[5]

Privacy respecting alternatives

Not many, if any, alternatives are available to users for completely avoiding this data sharing. Even attempts to disable data collection via settings, Android integration with Google services does make it impossible to fully discontinue the passing on of person and device details.^[2]

This is a serious cause of concern as far as user privacy and control over one's own data are concerned. Though some measures, such as the use of custom ROMs or privacy-focused applications, do cut down on sharing data, these are likely to require technical know-how and are not necessarily in the hands of the average user.

French non-profit Murena sells devices pre-flashed with their de-googled Android version /e/ OS, making privacy friendly Android phones accessible to non-technical users. However, the project has a history of not always addressing security vulnerabilities in a timely manner^[6] and thus the user is required to make a certain tradeoff between privacy and security, though the situation is still much better than the millions of phones in active use that no longer get manufacturer support.

References