October 13, 2021 02:17 pm GMT

Researchers Find Android Phones Still Track You, Even When You Opt Out

Photo: Leon Neal (Getty Images)

If you use an Android phone and are (rightfully!) worried about digital privacy, you've probably taken care of the basics already. You've deleted the snoopiest of the snoopy apps, opted out of tracking whenever possible, and taken all of the other precautions the popular how-to privacy guides have told you to. The bad news (and you might want to sit down for this) is that none of those steps are enough to be fully free of trackers.

Or at least, that's the thrust of a new paper from researchers at Trinity College in Dublin who took a look at the data-sharing habits of some popular variants of Android's OS, including those developed by Samsung, Xiaomi, and Huawei. According to the researchers, with little configuration right out of the box and when left sitting idle, these devices would incessantly ping back device data to the OS's developers and a slew of selected third parties. And what's worse is that there's often no way to opt out of this data-pinging, even if users want to.

A lot of the blame here, as the researchers point out, falls on so-called system apps. These are apps that come pre-installed by the hardware manufacturer on a certain device in order to offer a certain kind of functionality: a camera or messages app are examples. Android generally packages these apps into what's known as the device's read-only memory (ROM), which means you can't delete or modify these apps without, well, rooting your device. And until you do, the researchers found they were constantly sending device data back to their parent company and more than a few third parties, even if you never opened the app at all.

Here's an example: Let's say you own a Samsung device that happens to be packaged with some Microsoft bloatware pre-installed, including (ugh) LinkedIn. Even though there's a good chance you'll never open LinkedIn for any reason, that hard-coded app is constantly pinging back to Microsoft's servers with details about your device. In this case, it's so-called telemetry data, which includes details like your device's unique identifier, and the number of Microsoft apps you have installed on your phone. This data also gets shared with any third-party analytics providers these apps might have plugged in, which typically means Google, since Google Analytics is the reigning king of all the analytics tools out there.

Data Collecting chart

As for the hard-coded apps that you might actually open every once in a while, even more data gets sent with every interaction. The researchers caught Samsung Pass, for example, sharing details like timestamps detailing when you were using the app, and for how long, with Google Analytics. Ditto for Samsung's Game Launcher, and every time you pull up Samsung's virtual assistant, Bixby.

Samsung isn't alone here, of course. The Google messaging app that comes pre-installed on phones from Samsung competitor Xiaomi was caught sharing timestamps from every user interaction with Google Analytics, along with logs of every time that user sent a text. Huawei devices were caught doing the same. And on devices where Microsoft's SwiftKey came pre-installed, logs detailing every time the keyboard was used in another app or elsewhere on the device were shared with Microsoft, instead.

We've barely scratched the surface here when it comes to what each app is doing on every device these researchers looked into, which is why you should check out the paper or, better yet, check out our handy guide on spying on Android's data-sharing practices yourself. But for the most part, you're going to see data being shared that looks pretty, well, boring: event logs, details about your device's hardware (like model and screen size), along with some sort of identifier, like a phone's hardware serial number and mobile ad identifier, or AdID.

On their own, none of these data points can identify your phone as uniquely yours, but taken together, they form a unique fingerprint that can be used to track your device, even if you try to opt out. The researchers point out that while Android's advertising ID is technically resettable, the fact that apps are usually getting it bundled with more permanent identifiers means that these apps (and whatever third parties they're working with) will know who you are anyway. The researchers found this was the case with some of the other resettable IDs offered by Samsung, Xiaomi, Realme, and Huawei.
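The following is an added example, not code from the paper or from the original article: a minimal audit over decoded telemetry records that flags endpoints where a reset advertising ID stays linkable because a persistent identifier travels with it. The field names, endpoints, and values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: decoded telemetry as a traffic auditor might capture it
# from an idle handset. All field names, hosts, and values are hypothetical.
CAPTURED = [
    {"endpoint": "telemetry.vendor.example", "ad_id": "aaaa-1111", "hw_serial": "SER123"},
    {"endpoint": "analytics.thirdparty.example", "ad_id": "aaaa-1111", "screen": "1080x2400"},
    # -- the user resets the advertising ID at this point --
    {"endpoint": "telemetry.vendor.example", "ad_id": "bbbb-2222", "hw_serial": "SER123"},
    {"endpoint": "analytics.thirdparty.example", "ad_id": "bbbb-2222", "screen": "1080x2400"},
]

RESETTABLE = {"ad_id"}              # identifiers the user can reset
PERSISTENT = {"hw_serial", "imei"}  # identifiers that survive a reset


def bundling_endpoints(records):
    """Endpoints that receive a resettable ID and a persistent ID in one record."""
    return sorted({r["endpoint"] for r in records
                   if RESETTABLE & r.keys() and PERSISTENT & r.keys()})


def relinkable_resets(records):
    """Per endpoint, resettable IDs that share a persistent 'anchor' value.

    More than one resettable value under the same anchor means the reset
    did not break the link between the old and the new identifier.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for rec in records:
        for pf in PERSISTENT & rec.keys():
            for rf in RESETTABLE & rec.keys():
                seen[rec["endpoint"]][(pf, rec[pf])].add(rec[rf])
    findings = {}
    for endpoint, anchors in seen.items():
        linked = {a: sorted(ids) for a, ids in anchors.items() if len(ids) > 1}
        if linked:
            findings[endpoint] = linked
    return findings


if __name__ == "__main__":
    print("Bundling endpoints:", bundling_endpoints(CAPTURED))
    for host, linked in relinkable_resets(CAPTURED).items():
        for (field, value), ids in linked.items():
            print(f"{host}: {field}={value} links ad IDs {ids}")
```

In the constructed capture, only the endpoint that also receives the hardware serial can tie the old and new advertising IDs together; the endpoint that sees the ad ID with a non-unique attribute like screen size is not flagged.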

To its credit, Google does have a few developer rules meant to hinder particularly invasive apps. It tells devs that they can't connect a device's unique ad ID with something more persistent (like that device's IMEI, for example) for any sort of ad-related purpose. And while analytics providers are allowed to do that linking, they can only do it with a user's "explicit consent."

"If reset, a new advertising identifier must not be connected to a previous advertising identifier or data derived from a previous advertising identifier without the explicit consent of the user," Google explains on a separate page detailing these dev policies. "You must abide by a user's 'Opt out of Interest-based Advertising' or 'Opt out of Ads Personalization' setting. If a user has enabled this setting, you may not use the advertising identifier for creating user profiles for advertising purposes or for targeting users with personalized advertising."

It's worth pointing out that Google puts no rules on whether developers can collect this information, just what they're allowed to do with it after it's collected. And because these are pre-installed apps that are often stuck on your phone, the researchers found that they were often allowed to side-step users' explicit privacy opt-out settings by just... chugging along in the background, regardless of whether or not that user opened them. And with no easy way to delete them, that data collection's going to keep on happening (and keep on happening) until that phone's owner either gets creative with rooting or throws their device into the ocean.

Google, when asked about this un-opt-out-able data collection by the folks over at BleepingComputer, responded that this is simply how modern smartphones work:

"As explained in our Google Play Services Help Center article, this data is essential for core device services such as push notifications and software updates across a diverse ecosystem of devices and software builds. For example, Google Play services uses data on certified Android devices to support core device features. Collection of limited basic information, such as a device's IMEI, is necessary to deliver critical updates reliably across Android devices and apps."

Which sounds logical and reasonable, but the study itself proves that it's not the whole story. As part of the study, the team looked into a device outfitted with /e/OS, a privacy-focused open-source operating system that's been pitched as a "deGoogled" version of Android. This system swaps Android's baked-in apps (including the Google Play store) with free and open source equivalents that users can access with no Google account required. And wouldn't you know it, when these devices were left idle, they sent no information to Google or other third parties, and essentially no information to /e/'s devs themselves.

In other words, this aforementioned tracking hellscape is clearly only inevitable if you feel like Google's presence on your phones is inevitable, too. Let's be honest here: it kind of is for most Android users. So what's a Samsung user to do, besides, y'know, get tracked?

Well, you can get lawmakers to care, for starters. The privacy laws we have on the books today (like GDPR in the EU, and the CCPA in the U.S.) are almost exclusively built to address the way tech companies handle identifiable forms of data, like your name and address. So-called anonymous data, like your device's hardware specs or ad ID, typically falls through the cracks in these laws, even though they can typically be used to identify you regardless. And if we can't successfully demand an overhaul of our country's privacy laws, then maybe one of the many massive antitrust suits Google's staring down right now will eventually get the company to put a cap in some of these invasive practices.



TechCrunch is a leading technology blog, dedicated to obsessively profiling startups, reviewing new Internet products, and breaking tech news.
