A recent technical study conducted by researchers at Trinity College Dublin has revealed that Google collects and stores extensive user data on Android devices, even when pre-installed Google apps are never opened.
The findings indicate that cookies, device identifiers, and tracking links are downloaded and stored without user consent, raising significant privacy concerns.
Persistent Tracking Without User Interaction
The study uncovered that Google Play Services, the Google Play Store, and other pre-installed apps silently store various types of data on Android devices.
This includes advertising analytics cookies, tracking links for advertisements, and persistent device identifiers such as the Google Android ID.
These identifiers are transmitted to Google servers even when the device is idle after a factory reset and without any explicit user interaction.
For instance, the DSID cookie, a key component of Google’s advertising analytics system, is downloaded immediately after a user logs into their Google account.
This cookie is linked to the user’s account and is used to track interactions across apps and services.
Similarly, the Google Android ID, a persistent device identifier, is assigned upon device setup and transmitted in multiple connections to Google servers.
Lack of Transparency and Consent
The study highlights that no consent is sought from users for storing this data, nor are users provided with an opt-out mechanism.
Most of the collected data is not strictly necessary for the functioning of services explicitly requested by users.
For example:
- Advertising tracking links stored by the Google Play Store app are used to monitor user clicks on sponsored search results.
- ServerLogs cookies, downloaded during app usage, tag user interactions with unique identifiers linked to their accounts.
- Experiment tokens used for A/B testing of app updates are stored and transmitted alongside telemetry data without user knowledge.
Even sensitive data related to advertising or app usage is collected without clear documentation or purpose statements from Google.
Potential Violations of Privacy Regulations
The findings suggest potential violations of European Union (EU) privacy laws, including the ePrivacy Directive and General Data Protection Regulation (GDPR).
Under these laws, explicit user consent is required before storing or processing personal data.
The study notes that much of the collected data can be used to uniquely identify devices and users, making it subject to GDPR regulations.
Users have minimal control over the data stored by Google apps.
While it is possible to clear app data via device settings, there is no option to selectively delete cookies or prevent their storage entirely.
Disabling Google Play Services or the Play Store app two primary sources of data collection is impractical for most users due to their dependency on third-party apps.
The researchers informed Google about their findings prior to publication.
However, Google declined to comment on the legal implications or address whether changes would be made to its data collection practices.
The company did not dispute any of the technical observations reported in the study.
This study sheds light on previously undocumented practices of pre-installed Google apps on Android devices.
It underscores the urgent need for greater transparency in how user data is handled and raises questions about similar practices on other platforms, such as Apple’s iOS.
The researchers call for further investigations into these issues and advocate stricter enforcement of privacy regulations globally.
This revelation serves as a reminder for users to remain vigilant about their digital privacy while prompting regulators to scrutinize tech giants’ compliance with privacy laws.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
