Study Shows How Android Phones Still Track Users, Even When 'Opted Out'

from the words-mean-nothing dept

We’ve frequently noted that what’s often presented as “improved privacy” is usually privacy theater. For example researchers just got done showing how Apple’s heavily hyped “do not track” button doesn’t actually do what it claims to do, and numerous apps can still collect an parade of different data points on users who believe they’ve opted out of such collection. And Apple’s considered among the better companies when it comes to privacy promises.

Android is notably worse. One of my favorite privacy and adtech reporters is Shoshana Wodinsky, because she’ll genuinely focus on the actual reality, not the promises. This week she wrote about how researchers at Trinity College in Dublin took a closer look at Android privacy, only to find that the term “opting out” often means absolutely nothing:

“According to the researchers, ?with little configuration? right out of the box and when left sitting idle, these devices would incessantly ping back device data to the OS?s developers and a slew of selected third parties. And what?s worse is that there?s often no way to opt out of this data-pinging, even if users want to.”

So called “system” apps in many Android variants by the likes of Samsung, Xiaomi, and Huawei often come pre-installed, and can’t be removed without rooting your device (which the majority of users can’t or won’t do). These apps are pretty constantly hoovering up handset data and sending it back not only to the parent company, but to third party data brokers. So even when you think you’re “opting out” of data collection and sales, you’re not really:

“On their own, none of these data points can identify your phone as uniquely yours, but taken together, they form a unique ?fingerprint? that can be used to track your device, even if you try to opt out. The researchers point out that while Android?s advertising ID is technically resettable, the fact that apps are usually getting it bundled with more permanent identifiers means that these apps?and whatever third parties they?re working with?will know who you are anyway. The researchers found this was the case with some of the other resettable IDs offered by Samsung, Xiaomi, Realme, and Huawei.”

Some of Google’s developer rules prohibit the worst sorts of behavior, but they often only restrict how the data can be sold, not what can be collected. And it’s also hard to think they’re being effectively policed at any scale. Meanwhile, Google tried to brush aside the researchers’ concerns over at Bleeping Computer by claiming this is just how phones work now:

“While we appreciate the work of the researchers, we disagree that this behavior is unexpected ? this is how modern smartphones work. As explained in our Google Play Services Help Center article, this data is essential for core device services such as push notifications and software updates across a diverse ecosystem of devices and software builds.”

Except it’s not how cell phones have to work. Case in point: phones using /e/OS, a privacy-focused open-source operating system that promises users a “de-Googled” device, don’t mindlessly and endlessly chirp back to the monitor mothership. You can make devices that actually don’t phone home constantly, and genuinely opt users out of all tracking when asked. Companies just don’t want to do it. Most usually because apathy and tap dancing is more profitable.

Again, much of this occurs because the U.S. still lacks a real privacy law for the internet era. While people often talk about how passing a good privacy law is just too damn hard to get right, a good first step is requiring absolute transparency into what’s being collected and sold, and providing working opt out tools. And also we could probably actually fund and staff U.S. privacy regulators while we’re at it, so there’s somebody competent actually watching the henhouse. Meanwhile, the full study can be found here (pdf) for those interested.

Filed Under: , , ,
Companies: google

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Study Shows How Android Phones Still Track Users, Even When 'Opted Out'”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Google tried to brush aside the researchers’ concerns … by claiming this is just how phones work now

Interesting… imagine if AT&T had got away with that in the ’80s? "Sure, you’re gonna pay through the nose if you call long distance, and there’s no competition, but that’s just how phones work" (…because that’s how we decided they would work).

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...