A recent study conducted by researchers at Trinity College Dublin has revealed that Google is silently tracking Android devices, even when no apps are actively in use.
The study highlights how pre-installed Google apps and services, such as Google Play Services and the Google Play Store, store cookies, identifiers, and other data on Android devices without user consent or the ability to opt out.
This practice raises significant privacy concerns and may potentially violate EU data protection regulations like GDPR.
Persistent Tracking Cookies and Identifiers
The research uncovered that several types of cookies and identifiers are downloaded to Android devices shortly after setup or during idle periods.
Among these is the DSID advertising cookie, which is directly linked to a user’s Google account and used for marketing analytics.
This cookie is stored on the device without user consent and transmitted during interactions with apps that use Google Firebase Analytics.
Another key finding is the storage of the Google Android ID, a persistent device identifier that remains unchanged unless the device undergoes a factory reset.
This identifier is transmitted in numerous communications with Google servers, even before a user logs into their Google account.
Once linked to an account, it becomes a tool for tracking user activity across services.
Unauthorized Data Collection by Pre-installed Apps
The study also revealed that pre-installed apps like Gmail, Google Docs, and Google Search are automatically logged into the user’s account after they sign in via the Play Store.
These apps begin transmitting user data without being explicitly opened or used.
Additionally, the research highlighted how advertising tracking links are embedded in search results within the Play Store app.
These links track user clicks on sponsored content and report them back to Google servers.
The researchers noted that no explicit consent is sought from users for storing these cookies and identifiers, nor are users given an option to opt out.
For instance, ServerLogs cookies and experiment tokens used for A/B testing of app updates are stored on devices without any notification to users.
These tokens link telemetry data from app usage back to specific devices and accounts.
The findings suggest that Google’s practices may conflict with EU privacy laws, including the e-Privacy Directive and GDPR, which mandate explicit user consent for storing information on devices.
The study raises questions about whether such data collection qualifies as “strictly necessary” under regulatory exemptions.
The researchers reached out to Google with their findings but received no substantive response addressing the legal or ethical implications.
While Google did not dispute the study’s results, it also did not indicate any plans to change its data collection practices.
This study sheds light on the pervasive nature of Google’s data collection mechanisms embedded within Android’s ecosystem.
Despite users’ efforts to maintain privacy by limiting app usage or disabling certain settings during device setup, pre-installed services continue to store and transmit personal data without transparency or consent.
The findings underscore the urgent need for stricter enforcement of privacy regulations and greater accountability from tech giants like Google.
