Android devices ‘sharing sensitive data, with no opt-out’

mobile_phone2Android mobile phones are secretly collecting and sharing highly sensitive consumer data – including health, religious, dating and even web browsing information – with no opt-out available to users.

That is the damning conclusion of a new study by academics at Trinity College Dublin and the University of Edinburgh which they insist must be seen as “a wake-up call to the public, politicians and regulators”.

Professor Doug Leith at Trinity College Dublin along with Dr Paul Patras and Haoyu Liu at the University of Edinburgh examined the data sent by six variants of the Android OS developed by Samsung, Xiaomi, Huawei, Realme, LineageOS and /e/OS.

They found that even when minimally configured and the handset is idle, with the notable exception of e/OS, these vendor-customised Android variants transmit substantial amounts of information to the OS developer and to third parties including Google, Microsoft, LinkedIn, and Facebook that have pre-installed system apps. There is no opt-out from this data collection.

While the researchers highlight that occasional communication with OS servers is to be expected, the study claims the observed data transmission goes well beyond this and raises a number of privacy concerns.

Prof Doug Leith, chair of Computer Systems at the School of Computer Science & Statistics in Trinity College Dublin, said: “I think we have completely missed the massive and ongoing data collection by our phones, for which there is no opt out.

“We’ve been too focused on web cookies and on badly-behaved apps. I hope our work will act as a wake-up call to the public, politicians and regulators.

“Meaningful action is urgently needed to give people real control over the data that leaves their phones.”

Among the key findings from the study were, with the exception of e/OS, all of the handset manufacturers examined collect a list of all the apps installed on a handset.

This is potentially sensitive information since it can reveal user interests. As Apple’s famous TV advertising strapline stated “there an app for that”, with mobile apps for virtually everything from combating mental health to every kind of dating site and booking a holiday to getting fit. There is no opt out from this data collection.

The Xiaomi handset sends details of all the app screens viewed by a user to Xiaomi, including when and how long each app is used. This reveals, for example, the timing and duration of phone calls.

The effect is the same as the use of cookies to track people’s activity as they move between web pages. This data appears to be sent outside Europe to Singapore.

On the Huawei handset the Swiftkey keyboard sends details of app usage over time to Microsoft. This reveals, for example, when a user is writing a text, using the search bar, searching for contacts.

While, Samsung, Xiaomi, Realme and Google collect long-lived device identifiers, including the hardware serial number, alongside user-resettable advertising identifiers.

This means that when a user resets an advertising identifier the new identifier value can be trivially relinked back to the same device, potentially undermining the use of user-resettable advertising identifiers, the researchers claim.

Third-party system apps, from the likes of Google, Microsoft, LinkedIn and Facebook, are pre-installed on most of the handsets and silently collect data, again with no opt out.

There may exist a data ecosystem where data collected from a handset by different companies is shared/linked. Notably, the privacy focused e/OS variant of Android was observed to transmit essentially no data.

Dr Paul Patras, Associate Professor in the School of Informatics at the University of Edinburgh, said: “Although we’ve seen data protection laws for personal information adopted in several countries in recent years, including by EU member states, Canada and South Korea, user-data collection practices remain widespread.

“More worryingly, such practices take place ‘under the hood’ on smartphones without users’ knowledge and without an accessible means to disable such functionality.

“Privacy-conscious Android variants are gaining traction though and our findings should incentivise market-leading vendors to follow suit.”

One of the most high profile – and longest running – data collection legal cases is currently before the Supreme Court, which is set to rule on whether a class action against Google for its alleged secret tracking of millions of iPhone users can go ahead.

Related stories
Let Google off and all will be denied justice, judges told
‘Landmark’ Google data case opens in Supreme Court
Here we go again: Google back in dock for data tracking
High Court blocks class action over Google tracking
Google faces £3bn High Court battle over data tracking
Google summoned to High Court to defend data tracking