Google Has Started Tracking Your Phone Silently And How You Can Stop It

You are being tracked—and it can’t be stopped

Updated on March 4 with Google’s response to the new tracking warning.

Google Chrome is about to make a huge tracking change. We await a global prompt to say no to cookies  within the world’s most popular browser — albeit we will need to use private browsing for some of the new protections. But while all that’s going on, here’s a nasty new surprise for Android users who it seems will be tracked anyway.

A new Trinity College Dublin study warns Google starts tracking your phone as soon as it’s powered on, through “cookies, identifiers and other data that Google silently stores on Android handsets,” through the default apps that are pre-installed. The researchers warn “no consent is sought for storing any of this data and there is no opt out.” They also claim “this study is the first to cast light on the cookies etc stored by pre-installed Google apps.”

This tracking starts even if you don’t open the apps, and the report claims no opt outs — which clashes with the direction being taken with Chrome’s tracking cookies. The default apps in question include Google’s Play Store and Play Services, which is particularly timely given the furor around the Safety Core photo scanning app that has been “secretly installed” on all almost all Android phone in the last few months. This issue is the same — transparency.

The bad news here is that unlike Safety Core, according to the researchers there’s no way to entirely stop this. You need to disable or reset your advertising ID regularly, and you should check your app permissions on a fairly regular basis as well. That will limit the tracking that’s taking place. But it cannot be stopped entirely. To do that you will need to switch OS, which is the only way to kill this kind of data leakage.to kill this kind of data leakage.

The Trinity study caught cookies counting ad views and clicks alongside the Android ID which is as a “persistent device and user identifier” — albeit plenty of warnings say reset or disable this, plus usual tracking cookies. The team says “no consent is sought or given for storing any of these cookies and other data, the purposes are not stated and there is no opt out from this data storage. Most of this data is stored even when the device is idle following a factory reset and no Google apps have ever been opened by the user i. e. they are not set in response to services explicitly requested by the user.”

It’s important not to overplay these findings. I have warned for years that our phones are designed to track almost everything we do, and we need to change settings to add a modicum of privacy. The issue here is awareness. There’s also a question around how we restrict tracking from the OS itself and its core services, not just third-party apps.

The university’s Professor Doug Leith told Irish Tech News that “we all know that our consent is needed before a website stores advertising and tracking cookies when we visit it,” but that “cookies stored by apps have received far less attention than web cookies, partly because they are harder to detect, and a closer look at them is long overdue.”

This report comes just days after Google’s controversial decision to allow device fingerprinting again, after vanquishing the practice in 2019. At that time, Google said that “developers have found ways to use tiny bits of information that vary between users, such as what device they have or what fonts they have installed to generate a unique identifier which can then be used to match a user across websites. Unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.wrong.”

It’s hard to see this, with its lack of control, as being much different — surely then it must be equally wrong. Google’s return to fingerprinting was justified based on new “privacy preserving” technologies that give us more optionality as to what our phones can and cannot do. It’s critical that we know what to restrict, of course.

The Trinity study delves into the murky waters of data legislation and regulations, albeit the report is a “ technical study, not a legal one, and [they] are not legally qualified.” Nevertheless, it says, the data storage that we observe by Google raises obvious questions regarding the EU e-Privacy Directive and perhaps also the GDPR data protection regulations.” This stems from the fact that all data measurements were carried out in Ireland, which falls under those protections.

“The e-Privacy Directive,” the report notes, “is sometimes referred to as the ‘cookie law’. It ‘recognizes that the devices of users of electronic communications networks and any information stored on their devices are part of their ’private sphere’ and that they require protection,” which “restricts storage of data on a handset, stating that ‘a person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user, unless (a) the subscriber or user has given his or her consent to that use, and (b) the subscriber or user has been provided with clear and comprehensive information in accordance with the Data Protection Acts which (i) is both prominently displayed and easily accessible, and (ii) includes, without limitation, the purposes of the processing of the information.’ Exceptions are allowed when the storage is ‘for the sole purpose of carrying out the transmission of a communication over an electronic communications network’ or ‘strictly necessary in order to provide an information society service explicitly requested by the subscriber or user’.”

In response to this, Google told me “this report identifies a number of Google technologies and tools that underpin how we bring helpful products and services to our users.technologies and tools that underpin how we bring helpful products and services to our users. The researcher acknowledges in the report that they are not legally qualified, and we do not agree with their legal analysis. User privacy is a top priority for Android and we are committed to complying with all applicable privacy laws and regulations.”

This isn’t the first time Trinity and Leith have reported on Google’s data practices. In 2022, they warned that “data sent to Google by the Google Messages and Google Dialer apps [tells]

Google when message/phone calls are made/ received… The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google.”

And in 2021, the team studied “the telemetry traffic sent by modern iOS and Android devices back to Apple and Google servers and found that Google collects around 20 times more telemetry data from Android devices than Apple from iOS.” Somewhat alarmingly, as reported by The Record at the time, “both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this [option]."

In the study, Leith notes that “the Google Play Services and Google Play store apps studied here are in active use by hundreds of millions of people. We informed Google of our findings, and delayed publication to allow them to respond. They gave a brief response, stating that they would not comment on the legal aspects (they were not asked to comment on these). They did not point out any errors or mis-statements (which they were asked to comment on). They did not respond to our question about whether they planned to make any changes to the cookies etc stored by their software.”

This is a tricky time for Google on the tracking front, and the latest report will highlight some of what’s going on below the surface on the devices and platforms we all use.As I’ve commented multiple times recently, it’s critical that Google and the other mainstream platform providers increase the levels of transparency as the balance is currently pivoting back in the wrong direction. We had been making good privacy strides, but that seems to have started to wobble, and not just for Google.

According to Leith, this latest research is a “wake-up call” for data regulators to “start properly protecting” users of Android phones. “Google Play Services and the Google Play store are pre-installed on almost every Android phone. This study shows that they silently store advertising and other tracking cookies and data on people’s phones. No consent for this is sought by Google, and there is no way to block these cookies.”