Google Chrome is about to make a huge tracking change. We await a global prompt to say no to cookies within the world’s most popular browser — albeit we will need to use private browsing for some of the new protections. But while all that’s going on, here’s a nasty new surprise for Android users who it seems will be tracked anyway.
A new study warns that your phone is being tracked through “cookies, identifiers and other data that Google silently stores on Android handsets.” It does this through its default apps that come pre-installed. Researchers warn that “no consent is sought for storing any of this data and there is no opt out.” They also claim “this study is the first to cast light on the cookies etc stored by pre-installed Google apps.”
This tracking starts as soon as you begin using your phone, even if you don’t open the apps themselves, and the claim there are no opt outs will clash with the direction being taken with Chrome’s tracking cookies. The default apps in question include Google’s Play Store and Play Services, which is particularly timely given the furor around the SafetyCore photo scanning app that has been “secretly installed” on all almost all Android phone in the last few months. The issue here is the same — transparency.
The new study from Trinity College Dublin calls out cookies that count ad views and clicks, your Android ID which acts as a “persistent device and user identifier,” albeit there are already plenty of warnings around resetting or disabling this, plus the usual tracking cookies. The team says “no consent is sought or given for storing any of these cookies and other data, the purposes are not stated and there is no opt out from this data storage. Most of this data is stored even when the device is idle following a factory reset and no Google apps have ever been opened by the user i.e. they are not set in response to services explicitly requested by the user.”
I have reached out to Google for their comments on the study, and it’s important not to overplay these findings. I have warned for years that our phones are designed to track almost everything we do, and we need to change settings to add a modicum of privacy. The issue here is one of awareness. There’s also a question around how we restrict tracking from the OS itself and its core services, not just third-party apps.
The university’s Professor Doug Leith told Irish Tech News that “we all know that our consent is needed before a website stores advertising and tracking cookies when we visit it,” but that “cookies stored by apps have received far less attention than web cookies, partly because they are harder to detect, and a closer look at them is long overdue.”
This report comes just days after Google’s controversial decision to allow device fingerprinting again, after vanquishing the practice in 2019. At that time, Google said that “developers have found ways to use tiny bits of information that vary between users, such as what device they have or what fonts they have installed to generate a unique identifier which can then be used to match a user across websites. Unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.”
It’s hard to see this, with its lack of control, as being much different — surely then it must be equally wrong. Google’s return to fingerprinting was justified based on new “privacy preserving” technologies that give us more optionality as to what our phones can and cannot do. It’s critical that we know what to restrict, of course.
This isn’t the first time Trinity and Leith have reported on Google’s data practices. In 2022, they warned that “data sent to Google by the Google Messages and Google Dialer apps [tells] Google when message/phone calls are made/ received… The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google.”
And in 2021, the team studied “the telemetry traffic sent by modern iOS and Android devices back to Apple and Google servers and found that Google collects around 20 times more telemetry data from Android devices than Apple from iOS.” Somewhat alarmingly, as reported by The Record at the time, “both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this [option].”
According to Leith, this latest research is a “wake-up call” for data regulators to “start properly protecting” users of Android phones. “Google Play Services and the Google Play store are pre-installed on almost every Android phone. This study shows that they silently store advertising and other tracking cookies and data on people’s phones. No consent for this is sought by Google, and there is no way to block these cookies.”
