“And remember… don’t be evil, and if you see something that you think isn’t right — speak up!” — Google Code of Conduct before April, 2018
When I heard that Google removed the famous "Don't be evil" from their code of conduct, I was disappointed. But, even worse, researchers recently proved that the phrase is not just a slogan but crucial for protecting our privacy, considering that Google is everywhere for everyone now.
In May, Google announced that it would follow industry standards concerning privacy obligations. By Q2 of 2022, developers will be required to disclose:
These requirements complement other elements, such as new security practices, enforcement of data deletion upon uninstallation of the app, etc. That's excellent news, and android users, at least those who install apps via the Google Play store, are less likely exposed to malicious apps.
If you use an Android phone and are concerned about privacy, you should probably read my "Keep Trackers and Advertisers at Bay with these Browser Privacy Tips" and take care of the unnecessary digital footprints. Even better, you may want to keep your digital self clean and tidy, so you follow my steps in "The KonMari Method for Your Digital Footprint."
The bad news is that none of the measures above are enough to make you "tracker-free." Yeah, I know, it is very frustrating. But, sadly, according to a recent research paper from Trinity College in Dublin, "Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets":
…even when minimally configured and the handset is idle these vendorcustomized Android variants transmit substantial amounts of information to the OS developer and also to third-parties (Google, Microsoft, LinkedIn, Facebook etc) that have pre-installed system app.
Hardware manufacturers preinstalled apps on devices to offer more "customizations" and "features," such as replacing the stock camera app with the branded one or messages app. Unfortunately, Android usually packages these apps into what's called "read-only memory" (ROM), which means you can't delete or modify these apps directly.
Everything inside the ROM is "untouchable" by normal users since they can only work with the devices outside the system files. However, to change the system structure, you need higher permission, i.e., root. Thus, if "system apps" track users, you can only stop them by rooting the device.
And until you do, the researchers found they were continually transmitting device data back to their parent company and more than a few third parties — even if you never opened the app at all. According to the report, the built-in apps on the Samsung, Xiaomi, Huawei, and Realme phones sent many data to the OS developers. But not everyone would agree they also send data to third parties, including Google, with the Google Mobile Services and Google Play Store apps being the most comprehensive data sources.
Moreover, Facebook, Microsoft (in the SwiftKey keyboard or OneDrive cloud storage), and LinkedIn are other data destinations, depending on which preinstalled "system apps" were present on the device.
Advanced users may think Android provides a platform for them to customize their operating system. But that doesn't necessarily mean the problem doesn't exist.
A Google spokesperson has provided BleepingComputer the following comment on the findings of the study:
While we appreciate the work of the researchers, we disagree that this behavior is unexpected — this is how modern smartphones work. As explained in our Google Play Services Help Center article, this data is essential for core device services such as push notifications and software updates across a diverse ecosystem of devices and software builds. For example, Google Play services uses data on certified Android devices to support core device features. Collection of limited basic information, such as a device’s IMEI, is necessary to deliver critical updates reliably across Android devices and apps.
Unfortunately, as an android user, you can't do much if you are annoyed by this. As mentioned before, there's no way to opt-out of the system-app data acquisition. Even though you can reset any identifiable data, they can easily be "re-identified" by cross-referencing them with IDs you can't reset, such as the phone's IMEI number.
Findings in the report are concerning. Luckily we still have things we can do like Installing a custom OS like /e/. But getting it to work needs more effort than the ordinary. Alternatively, you could always switch to an iPhone, but while Apple highlights the importance of user privacy, it's still impossible to escape all tracking with iOS.
Meanwhile, as I mentioned in my last article, iPhone apps were just as snoopy as Android apps, with 60% of iOS apps sharing data with Google. So, to conclude, as Google told us that it is normal to have our data collected without a way out, we need to, ultimately, choose between privacy and convenience again.