back to article Android OS vendor variants transmit data with no opt-out

Google Android devices transmit telemetry data while idle, even when users have opted out, according to study conducted earlier this year by Trinity College Dublin computer scientist Douglas Leith. Handset vendors like Samsung that install proprietary versions of Android on their devices have the opportunity to offer better …

  1. bombastic bob Silver badge
    Mushroom

    there's no way to opt-out of this data collection.

    maybe sue them for THEFT OF BANDWIDTH???

    (and then a method of opt-out, or better, opt-IN, may present itself in a subsequent update)

    And then there's GDPR... any takers?

    1. EricB123

      Re: there's no way to opt-out of this data collection.

      USA doesn't even have GDPR, for what little that's worth. How much money you have in the bank, every fetish, everything is monitozed.

      I so wish government, by the corporation, for the corporation, would perish from the earth.

      1. ZeroPete

        Re: there's no way to opt-out of this data collection.

        Europe doesn't have GDPR either. They've included the concept of 'legitimate interest'. These are 'default on', every time, sometimes you *can* disable them, but some websites then require you to individually disable 100's of 'partners'.

        There's websites that ignore the whole GDPR thing, 'accept or leave'.

        It was a good idea, but it was a gamable system and thus it gut gamed. Right quick.

        Pete

        1. Anonymous Coward
          Anonymous Coward

          Re: there's no way to opt-out of this data collection.

          I think the intention was noble (as in: not intentionally to let the system be circumvented), because they figured that a watertight system would have broken 'everything', so better something, than nothing. But, in the end, as always, the net result is that businesses do their best (and succeed) in circumventing the GDPR. So, in essense, it became a temporary obstruction they found way around, and passed the cost of their 'trouble' to their customers.

      2. This post has been deleted by a moderator

        1. This post has been deleted by a moderator

    2. Snake Silver badge

      Re: there's no way to opt-out of this data collection.

      "maybe sue them for THEFT OF BANDWIDTH???"

      I tried that with Amazon, placing a complaint directly with my state's Attorney General's office regarding their bandwidth "sharing" for their Ring Sidewalk technology.

      Got a form letter, about 2 months later, from the AG saying that their office receives many complaint filings in general, and will look into it.

      Got a form letter from Amazon, about 3 months after that, saying that...they would take it into consideration.

      Silence has since ensued.

      -------------------------------------------------

      So we shouldn't hold our breath about ANYONE caring, especially when Big Money has a dealing in it???

  2. Anonymous Coward
    Anonymous Coward

    LineageOS misrepresented?

    From what I can see the researchers installed GApps on LineageOS, so no surprise that it reported home to Google. They explain that e/OS/ avoids this by using MicroG, but didn't mention that you can install MicroG on LineageOS. (That's how I use LineageOS, with the Aurora Store from F-Droid.) In fact they go so far as to state "On LineageOS it is necessary to install GApps to use the Google Play store" which is not correct.

    See Section V.A.3 of the full report.

    It is true that installing MicroG on LineageOS requires a little work, because it isn't the default configuration as it is on e/OS/. But it is also true that by default LineageOS has no GApps / Google Play Store presence at all, unlike e/OS/. If you are a de-Googling purist you can run LineageOS solely with stock apps, or supplemented with open source apps from F-Droid.

    As to the vendor versions of Android: to hell with them.

    1. nagyeger

      Re: LineageOS misrepresented?

      Yes. Hardly surprising that google apps send data back to google when you install them on something.

    2. Anonymous Coward
      Anonymous Coward

      Re: LineageOS misrepresented?

      Interesting that so many techy readers have upvoted you. You are wrong. This shows that people will upvote something even when they don't fully understand the topic.

      Your GPS location is sent to google during a-GPS lookup even when you try to deconfig this in LineageOS. The event takes places so low in the OS stack that you can't disable it. That's right, every time you use location services on LineageOS, the exact GPS location is sent to google.

      Other telemetry data is also sent to google that is nothing to do with the google Play store. It is obvious that people on TheRegister don't understand just how pervasive google is within LineageOS.

      If you use eOS at https://e.foundation then you can remove all these links and still have a decent OS. I use it now and it works well. I'm very impressed with the development that keeps my Samsung S9 going with regular security updates. It's important to support what you think is best and I did a LOT of research before settling on eOS. LineageOS is a good effort but you only have to look at some forums to realise that people don't understand how integrated google services are into LineageOS. If they produced a true de-googled LineageOS I would be interested.

      1. Anonymous Coward
        Anonymous Coward

        Re: LineageOS misrepresented?

        > Your GPS location is sent to google during a-GPS lookup even when you try to deconfig this in LineageOS. The event takes places so low in the OS stack that you can't disable it. That's right, every time you use location services on LineageOS, the exact GPS location is sent to google.

        Got a source for that? Or any of your other assertions?

        The poster who you claim "doesn't understand the topic" gave references and direct quotes from the very report on this topic. I see nothing in the report, or from a quick search, that corroborates your claims.

    3. IamAProton

      Re: LineageOS misrepresented?

      Had the same feeling about LineageOS. What's next, installing chinese apps and complaining it's sending data to the party?

      My main phone is a regular phone (aka a "smartphone" before smartphones) and I'm thinking about switching to an old 2G Nokia, so fast to start, tiny size and reliable.

      I do have an android device currently on ResurrectionRemix (= Lineage OS with a lot more settings. I like it). NO Gapps. Aurora Store + apkmirror/apkpure and a browser that blocks tracker is more than enough.

      I will never use another android device with 'commercial' OS, they are simply unusable rubbish.

      In addition, with LineageOS & co. old devices run much faster: get a flashable fancy phone from few years ago, get a new battery and you have a great like-new device for about 30$

      1. Martin an gof Silver badge

        Re: LineageOS misrepresented?

        We use a 2G Nokia as the 'batphone' at work. The battery lasts ages but apart from that it's a bit of a pain. It's not as good at pulling in weak signals as I remember of phones ten or fifteen years ago, the volume when making a call is dire and the keyboard is very small and fiddly and it's easy to hit 'enter' when you meant to press 'left' (or whatever).

        One of the children has a CAT phone running KaiOS and it has a much better keyboard, the battery lasts just as long and it can act as a 4G hotspot, but it is riddled with Google apps which can't be uninstalled. Oh, and I can't get it to talk to my IMAP server.

        Never tried e/OS but I'm a longtime user of Lineage (no GApps at all) not sure how it can report location data to Google if I have data turned off - which I do most of the time.

        M.

    4. Cuddles Silver badge

      Re: LineageOS misrepresented?

      "It is true that installing MicroG on LineageOS requires a little work"

      But on the other hand, installing LineageOS at all requires a fair bit of work. I have difficulty imagining someone who has both the knowledge and motivation required to install Lineage, but who then balks at the idea of installing MicroG. Anyone using Lineage uses Google apps through their own choice, not because it's too complicated to avoid them.

      The real problem is the difficulty for the average user in using anything other than what their phone happens to come with.

    5. Anonymous Coward
      Anonymous Coward

      Re: LineageOS misrepresented?

      Indeed! One of the LineageOS people has apparently contacted the authors and some media outlets with a statement/correction:

      https://old.reddit.com/r/LineageOS/comments/q6rb9f/why_does_lineage_send_data_to_google/hggbk99/

      > The study linked chose to install a third party package ("opengapps") on a LineageOS device (per page 6). Google Apps are not preinstalled on LineageOS. We have no control over what data is sent by third party applications a user chooses to install, including packages from Google. Those services are neither required nor recommended, and free open source alternatives (such as microG and F-Droid) exist.

    6. pc-fluesterer.info
      Thumb Up

      Re: LineageOS misrepresented?

      I completely second that. Cf. my post "multiple errors".

  3. krs360

    Shocked

    I'm shocked.

    Shocked, I tell you.

    1. Anonymous Coward
      Anonymous Coward

      Re: Shocked

      Then either stop scuffing your feet on the carpet or wear something with leather soles.

      :)

      1. Anonymous Coward
        Anonymous Coward

        Re: Shocked

        well, it made my hair stood on ends too, must be infectious...

  4. Pascal Monett Silver badge

    Ok, I have a question

    On my Galaxy A3, WiFi is disabled, BlueTooth is disabled, Mobile Data is disabled and Location is disabled. I activate those things only when I need them, and deactivate them again when I'm done.

    So, when exactly is all that telemetry happening on my phone ?

    I'm guessing it's when I have them activated. So, almost never then.

    1. Steve K Silver badge

      Re: Ok, I have a question

      You are assuming that it doesn't just buffer it all until connectivity is available again (subject to storage space)....

      1. ACZ

        Re: Ok, I have a question

        Or it might just temporarily enable wifi to phone home...

        1. Brewster's Angle Grinder Silver badge

          Re: Ok, I have a question

          It can't, yet, temporarily turn on my router...

        2. Martin an gof Silver badge
          Unhappy

          Re: Ok, I have a question

          I've just jad to 'sanitise' an Android 6 device for my wife ('new' work phone). By default (work did a factory reset) it has location tracking by WiFi and Bluetooth scanning turned on, even when you have WiFi and Bluetooth turned off!

          I can't imagine those abilities have been removed in later Android versions but I'm blowed if I know where the menu option to disable them has gone :-(

          M.

          1. Anonymous Coward
            Anonymous Coward

            Re: Ok, I have a question

            well, first you need to enable an option to enable a disable menu in order to disable the enable menu to enable menu disable options, elementary, isn't it.

    2. W.S.Gosset Silver badge

      Re: Ok, I have a question

      > Mobile Data is disabled

      I noticed recently that my android will quietly override the Mobile Data=disabled setting any time it feels like. Discovered accidentally when I absentmindedly checked a website despite having switched off wifi and forgotten to switch mobiledata back on -- site loaded up casually.

      1. Pascal Monett Silver badge

        Funny you mention that, it happens to my wife's phone regularly.

        Curiously, it has never happened to me.

        I have no explanation for that, apart from the fact that my operator is Luxembourgish and hers is French. We probably don't have the same version.

    3. Steve Graham

      Re: Ok, I have a question

      I have wifi "turned off" on my stock Android Nokia. Yet, somehow, my home router is showing it associated with the AP at 1Mbit/s. (No active DHCP leases, and yet it has an IP address?)

      1. Def Silver badge

        Re: Ok, I have a question

        I'm pretty certain most routers will cache device information so that when a device later reconnects it will be given the same IP address.

    4. Version 1.0 Silver badge

      Re: Ok, I have a question

      Do a little investigation Pascal, for example when I'm on my way home I text the wife, "Hive in a few minutes" ... What's a "hive"? It's a Bee Home ... and now, after a several months of fun I'm getting a few adverts that features bees - often requesting donations to support various things, and ads that suggest excellent honey is available.

    5. ThatOne Silver badge
      Unhappy

      Re: Ok, I have a question

      > [...] is disabled, [...] is disabled, [...] is disabled, [...] is disabled

      And you really believe it is disabled? As others said, Android disables disabling whenever it fells like it.

      I had already noticed this several years ago, back in v.4.4 times IIRC, when I observed that without WiFi, mobile data or Bluetooth enabled some (not all) apps managed to communicate nevertheless. Clearly user settings are but a non-binding suggestion.

      1. Pascal Monett Silver badge

        I understand what you're saying, and I am absolutely not contradicting anything.

        The only thing I can say for certain is that my mobile data usage as of the time of this writing (October 13th, 2021, 20:10:23 CEST) is 47MB out of 40GB.

        And I have been using some of my data allowance, for business purposes.

        What I will do is, in November, before activating any mobile data allowance, I will check on the usage numbers.

        That should clarify the situation.

        1. ThatOne Silver badge

          > 47MB

          You can exfiltrate a lot of (text!) information in those 47 MB! Not saying that it's the case, I obviously don't know your specific situation, my point is that stuff happens on the couple phones I keep an eye on. I'm not entirely sure what and how, but there are things happening which are hard to explain and, given the actor(s), seem potentially suspicious.

          (I don't entirely trust the phone's data usage numbers either, after all it is like asking the criminals to compile the crime statistics... I'm no developer, but I guess it would be terminally simple to filter out some usage from those statistics. The only data statistics I'd trust are those of my service provider, who wants to bill as much as possible.)

  5. AMBxx Silver badge
    Childcatcher

    Blockers?

    I have Blokado running on my phone. Seems to block plenty, but does anyone know if this stuff has a workaround to still send data?

    1. Anonymous Coward
      Anonymous Coward

      Re: Blockers?

      Yes. The things sent to google bypass Blockada and other firewalls. They happen low down the OS stack and are beyond the user level. It's a serious issue, as you can see from this thread. People think that they've got a firewall installed and all is well, while the same google telemetry data is being sent regardless, even on LineageOS.

      1. Billy Whiz

        Re: Blockers?

        Utter nonsense.

        I have LineageOS with neither Gapps nor MicroG apps. I have checked the traffic externally to the phone and I can say with absolute certainty that isn't true.

        The same same goes for for your earlier comment about a-GPS - it does not do what you claim.

        Your shilling for /e/ is neither required nor appreciated!

        1. Pascal Monett Silver badge
          Stop

          You're not using Android, you're using Lineage. What justification do you have to accuse Android users of shilling ?

  6. Anonymous Coward
    Anonymous Coward

    The LineageOS bit is a little misleading

    The bit leaking the data for 'LineageOS' appears to be the Google apps that aren't actually included in LineageOS - the user has to install them if they want them. In this case the researchers installed them via the opengapps nano bundle as listed in the 'hardware and software used' section of the report. If they'd gone with microG instead they would probably have got the same result as they did for /e/.

  7. Doctor Syntax Silver badge

    "phones are supposed to phone home with telemetry data, like modern cars do"

    One problem is supposed to excuse another?

    1. Splurg The Barbarian

      Exactly. Can someone tell me exactly why my car requires to phone home? It does after all have a perfectly good way of telling me when something is wrong, its called warning lights on the dashboard!!!

      Since when did we all have to be nannied and monitored by whoever makes devices we own? My device my data and no manufacturer has the right to any data from it.

      The first manufacturer to go back to the principle.of "make something sell it, wave it goodbye" to only make money from the sale of the item will have me supporting it far and wide.

      1. Doctor Syntax Silver badge

        Warranty would also be a good idea - providing the manufacturer stands over it. But that really shouldn't need data leeching.

      2. Martin an gof Silver badge

        Bought a second hand Dacia back in February. It was three years old and had 25,000 miles on the clock, an 18,000 mile / 12 month service interval and an MoT date of November. I do a lot more miles than that and knew that it would be up to 36,000 by late September / early October.

        As far as I'm aware the car has no telemetry so... How come back in August did the garage I bought it from, which sold the car from new, ring me up and tell me it was nearly time for its service? As far as they should have been concerned it was nowhere near 36,000 miles and still three months away from the 12 month service / MoT deadline.

        Hmmm...

        M.

        1. X5-332960073452
          Big Brother

          Three months before MOT / Service seems like the perfect time to contact owner, to get their business, that's the part I'd be worried about

        2. jtaylor Bronze badge

          "the garage I bought it from, which sold the car from new, ring me up and tell me it was nearly time for its service?"

          This is not a direct answer to your excellent question, but the dealer I bought from contacts me every few months because my car is "due for service." They calculate this by 1) estimating mileage, 2) how long since they last touched my car, and 3) their sales targets. (When I ask which service, they just tell me whatever is next in sequence, even if it's the next annual service 6 months after my last annual.)

    2. Michael Habel Silver badge

      Since when did a Car need to phone home?

      1. Anonymous Coward
        Anonymous Coward

        To let your partner know to put the kettle on

    3. ThatOne Silver badge
      Big Brother

      It's about redefining normality.

      The gist is "Everybody phones home, so get over it already and bend over".

  8. phuzz Silver badge
    Joke

    How do we find subversives? We just look for the ones who don't allow their phone to transmit telemetry, because they must have something to hide!

    1. The Dogs Meevonks

      I know you've used the joke icon... but that's actually far closer to the truth that you might think.

      I get looked at like I'm some kind of freak because I refuse to use 99% of all social media sites/apps out there. I have zero presence, I do my best to block google and farcebook... I sandbox certain sites in firefox. I use a phone that's as free from preinstalled 3rd party apps as possible, don't use google search for anything.

      Not conforming and letting every company who wants it... have free access to every single aspect of your life... Is considered subversive and freakish by the majority these days.

      That's why nothing will ever happen to stop it, because it's become the norm... the time to act on it was 10-15yrs ago. The GDPR isn't fit for purpose, it's so many loopholes that allow unfettered data collection through 'legitimate interest' without actually specifying exactly what is and isn't legitimate.

      The only way to win is not to play...

      So I'm now off to see if my Motorola One Vision can be rooted and /e/ installed...

      1. Splurg The Barbarian

        Its simple, there is no legitimate interest. That should be the basis for any device, be it a car, phone, games console, watch, television etc.

        The current "legitimate interest" GDPR loophole is absolute bollocks and is purely a way for organisations to effectively bypass the spirit & intentions of GDPR.

        1. ThatOne Silver badge
          Devil

          > Its simple, there is no legitimate interest.

          Actually, there is: Making money!

          Doesn't get any more legitimate than that...

          Seriously, GDPR might not be the silver bullet (some) people hoped for, but it's definitely better than nothing. Don't throw the baby out with the bathwater. If GDPR became the norm (including in the USA) humanity would already be way better off.

      2. Anonymous Coward
        Anonymous Coward

        metoo!

        sorry, couldn't resist, re. social media replacing life

  9. StrangerHereMyself Bronze badge

    Legislation

    I believe these privacy intrusions can only be solved with legislation, not technical solutions.

    The problem is, however, that governments themselves make use of the spying data to control and influence their citizens. Chances are therefore slim that they'll legislate against this kind of data collection.

  10. pc-fluesterer.info
    FAIL

    multiple errors

    The researchers used LOS *with* additional OpenGApps in the "nano" variant.

    Alas they were ill-informed.

    1. You can have LOS utterly clean without any Google crap.

    2. If you need GSF (Google Services Framework) because you want to use apps that require it, you can install the "pico" variant of OpenGApps or install MicroG, which both contain the essential GSF. The "pico" variant is only half of the size of the "nano" variant. Imagine what makes up for the difference ...

    3. You can have LOS with MicroG integrated as "LineageOS for MicroG" https://lineage.microg.org/ or as "System /e/" as in the paper.

    4. Even more privacy protection is available as "iodé". That is LOS, MicroG and additional amelioration of privacy protection. Only drawback is that it is available currently only for a restricted set of devices. https://iode.tech/en/iodeos-installation/

    I for one use it on my Sony Xperia XA2, perfectly satisfied. It even has a built-in Ad- and Tracking-Blocker. I have 99,9% of the functions I want available AND perfect privacy protection.

    1. pc-fluesterer.info
      Linux

      addendum

      instead of guessing you can see here the contents of the different variants of OpenGApps: https://github.com/opengapps/opengapps/wiki/Package-Comparison

  11. Lorribot Silver badge

    Why worry?

    If you use Google Chrome, Google search, gmail and any other G product why worry about a few more bits of info going to Google from your phone? Google know more about you and your life than you will ever remember. Microsoft removed 33 Google services when the Edgified Chromium, these were baked in to the core application. (MS not much better than Google, so not a recommendation just highlighting how this Open Source product is tied to Google services like Android)

    Get over it or vote with your feet and opt out.

    Alterntives may not be as good but you should ask do they function for your every day lives, ie are they good enough?

    Governments won't do anything about it as they don't care enough and it won't win votes for them and Google probably share the data with their security services so it is cheap tracking of undesirables for them.

    1. pc-fluesterer.info
      Coat

      Re: Why worry?

      "Google know more about you and your life than you will ever remember" - WRONG

      The chocolate factory has nothing to gain here. The majority of the spying services, including doubleclick, is blocked in my PI-hole. I don't accept any cookies from spies. With various add-ons I fight browser fingerprinting and other means of tracking. About me Google may know a little bit, but that is about 2% of the knowledge about average John Doe.

      "vote with your feet and opt out": Yes, that is exactly what I do and what I recommend. Replace Android by a clean custom-ROM.

      "Alterntives ... are they good enough": The answer is, YES. For me and a lot of other people. Well, true, you need to invest a small portion of brain 1.0

      "Governments": If you are target person of the state spies you can't escape them anyway. But you need not feed the Utah data centre of the NSA. It is ok to make their lives a little bit harder. ;-)

  12. martinusher Silver badge

    There's this small detail....

    In order to be a mobile device your phone needs to not just have a unique global identifier but to make your carrier aware at all times where you are. WiFi also needs to know who and where you are but in this case it doesn't need to know anything globally unique about you (your MAC address can be synthetic, it just needs to be unique-ish). Even so, everyone within earshot needs to know about you whether you're on 'their' network or not.

    Given that your handset is uniquely identifying you its not unreasonable to think that everything you do on the Internet is noted as well. What's surprising is the expectation that you have any privacy.

    ...and I'd guess that the reason why Apple handsets don't have the same kind of tracking mechanism that Android has is because its more of a closed ecosystem. Apple knows everything it needs to know about you from the moment you purchased that shiny new device.

  13. Anonymous Coward
    Anonymous Coward

    Google Android devices transmit telemetry data while idle

    Attack of the Clone Rogue Engineers Chapter 135363...

  14. KevinFanch

    /e/ is the best option if you want privacy

    It is apparent that all major brand mobile phones suck out a lot of private data. Even Lineage collects a lot of data, even without Google Apps installed.

    With /e/ you get privacy by default. I use it daily, and there is no reason even non-tech-savvy would not use it. I wish more people would use it.

  15. Nusrat

    Can't I block the destination IPs?

    #1: If the researchers told us what addresses are receiving the data -- if not by my Android firewall, then at least in my wifi router?

    #2: Similarly, does Android have anything equivalent to the Windows 'hosts' file, which I could use to remap the destination address to something harmless?

    1. JWLong Bronze badge

      Re: Can't I block the destination IPs?

      Sure you can, but you need to jailbreak it first because as the owner you don't have a right to access the host file.

    2. lemoce

      Re: Can't I block the destination IPs?

      Pi Hole can be your friend. Pi Hole is DNS based blocker. Maybe, you can configure telemetry hosts and block the connections.

  16. sylvainb

    This study is so misleading, why didn't the researchers use a clean LOS installation without installing GAPPS? /e/ is an outdated copy paste of LOS with microG...Probably one of the worst custom ROM you can find on xda. disappointing.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021