Android, iOS beam telemetry to Google, Apple even when you tell them not to – study

Android and iOS phones transmit telemetry back to Google and Apple, even when users have chosen not to send analytics data. In a recently released research paper, titled "Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google" [PDF], Douglas Leith, chairman of computer systems in the school of …

  1. Fruit and Nutcase Silver badge
    Facepalm

    That Pesky Rogue Developer

    certainly gets around

  2. sreynolds

    What a revelation?

    Yeah, nothing tcpdump and wireshark haven't told me in ages. There should be serious punishment meted out for such flagrant violations of privacy and trust.

    I would even go along the lines of the French tax model where they pay for the judiciary to appoint offices to supervise their operations and ensure that they comply with the relevant laws. This bullshit it was a rogue developer or some misunderstanding or we were just "testing" is complete and utter bullshit. I am sick and tired of meaningless fines and/or orders for mandatory training. Change the law to allow the supervision from within and you will see compliance immediately.

    1. oiseau
      WTF?

      Re: What a revelation?

      ... rogue developer ...?

      ... misunderstanding ...?

      ... just "testing" ...?

      Well, look at that.

      This type of thing is the reason I love my Blackberry Curve 9320 more and more each day.

      O.

  3. Hubert Cumberdale

    Surprised?

    I am not. This is one of the reasons I have a basic phone.

    1. Lord Elpuss Silver badge

      Re: Surprised?

      And you think your 'basic phone' doesn't share information like IMEI, SIM data and UUID?

      If you have a phone that uses the GSM protocol, it shares this data. It's literally how the network works.

      1. Dave 126 Silver badge

        Re: Surprised?

        I don't believe that the GSM protocol requires that any data be sent to the original device manufacturers, only the networks.

        That said, many people might have more trust in Apple's business model (seeking to retain lucrative customers for decades by selling them hardware) than they do the confusopoly of the network operators.

        Also, a lot of people are glad of the Find My iPhone service that wouldn't work if a bag-snatcher could easily disable telemetry.

      2. Hubert Cumberdale

        Re: Surprised?

        Yes, it shares my IMEI and SIM information with my network provider: not Google or Apple. They already know exactly who I am and where I live, and they gave me the SIM, so there's no surprises for anyone there. Yes, they know which cell I'm in at any given moment, but I don't have a problem with that – if I want to use a mobile I have to accept that this (extremely basic) information will be shared with the network, and they will not be sharing it with anyone else (barring law enforcement requests) or using it to advertise at me. As for a UUID, no. It's a Nokia 105.

        So what's with the downvote hate, people? Are you objecting to my choices, or the fact that I'm not surprised at how much people's devices are tracked?

        1. Lord Elpuss Silver badge

          Re: Surprised?

          Not sure why the downvotes, but in my case I'm not differentiating between sharing with the manufacturer, and sharing with the network provider.

          In my case I trust Apple a hell of a lot more than my network providers, who between them have done everything they possibly can to destroy any concept of 'relationship' they ever had with me. Lock-in, dodgy billing, extra mandatory 'services' and 'value layers' that were neither needed nor wanted, sneaky-bastard handset customisation and firmware mods (then denying it was them when the manufacturer refused warranty*) and so on.

          *Dubai. Network provider modified the firmware on my new iPad to remove iMessage and FaceTime, no mention of this on the retail packaging, Apple said it was effectively a second-hand product as a result of the mods and initially refused a warranty replacement, but to give them credit they did eventually agree to replace as it was clearly a misrepresentation by the shop that sold it.

          1. Hubert Cumberdale

            Re: Surprised?

            Wow, okay. Living in Dubai, I guess you have way bigger surveillance issues to worry about than Google's or Apple's snooping. That sh#t is pretty f#cked up. And that's entirely aside from the UAE's ongoing general human rights abuses. Not a country I intend to ever live in. Or even visit.

            1. Lord Elpuss Silver badge

              Re: Surprised?

              Yup. The reason they had FaceTime and iMessage removed was because they couldn’t snoop on the encrypted connections...

            2. anothercynic Silver badge

              Re: Surprised?

              The whole Middle East is rife with this behaviour, because they're all shit scared that the Arab Spring that took down Tunisia, Algeria, Egypt and Libya will come home to roost in their own backwaters. Saudi Arabia keeps bribing its population with more and more things just to keep this pesky 'catching up to the West with personal freedoms' thing at bay, and various others (Qatar, Bahrain) try to buy their way out of any of their problems by spending *loads* of moola on Formula 1, World Cups and the like... "But look, we're civilised and nice and Western, honest!"

              Dubai in particular has managed to pull the wool over the eyes of the Western world with its glitzy, glam lifestyle theatre (including the Burj Khalifa and what not), and counts on all those people who visit and have a good time counteracting those who look behind the pretty picture to discover migrant labourers being treated like crap, and certain old habits still being very much present (including the ruler of Dubai keeping several of his daughters under lock and key after kidnapping them). It is interesting when a wife of said ruler shows up at Heathrow claiming political asylum and goes to court in London for a restraining order, and it all causes a massive stink in the circles of the British aristocracy and British horse racing. Suddenly the all-benevolent and all-magnificent ruler doesn't look so benevolent and magnificent after all.

              So yeah... I've avoided flying with any Middle Eastern airline (despite their absolutely fantastic on-board service) for at least a decade and a half (knowing what I do about how the Middle-Eastern staff treat their Western colleagues), I refuse to travel to or via Dubai, Doha or Abu Dhabi, and will avoid services/companies closely connected to the ruling regimes there. I'm sorry, not sorry, but I'll spend my money with companies and services closer aligned to my moral compass.

  4. Chris G

    Never mind the width feel the quality

    I note that Google does not deny the slurpage, only the alleged quantity; which still works out to double that of the fruity lot.

    1. Julz

      Re: Never mind the width feel the quality

      Just about to say the same thing.

    2. Pascal Monett Silver badge
      Trollface

      Re: Never mind the width feel the quality

      They said the estimate was "off by an order of magnitude" - but they didn't say in which direction.

      What I want to know is whether all this slurpage still takes place if mobile data is switched off.

      What really irks me is that mobile data is expensive - all this slurpage is being done without my consent and on my dime.

      1. John Brown (no body) Silver badge

        Re: Never mind the width feel the quality

        "They said the estimate was "off by an order of magnitude" - but they didn't say in which direction."

        The "off by an order of magnitude" seems to be referring to the 1.3TB. Up an order makes it 13TB. Down an order "only" takes it to 130GB. Even a 130GB per day is a not insignificant amount of slurpage.

        Also, what of those individuals on very low data tariffs? I'd expect those people in particular to want all slurpage turned off and will have actively hunted down all possible ways to turn off and refuse this wasted use of their limited data plan.

        I did especially like Google's justification of saying that car companies do this too. "Look sir, the other boys are doing it too!" isn't a good excuse for being a shit.

        1. Barry Mahon

          Re: Never mind the width feel the quality

          Slurpage = income for the telecoms?

          Probably a handy revenue sharing arrangement.

          Come to think of it unless the fruity and the big number have only paid for lines they get incoming for fee??

        2. Michael Wojcik Silver badge

          Re: Never mind the width feel the quality

          Even a 130GB per day

          Per 12 hours, according to the article. So double that for "per day".

          1. John Brown (no body) Silver badge

            Re: Never mind the width feel the quality

            Thanks. I forgot to include nights :-)

    3. Roland6 Silver badge

      Re: Never mind the width feel the quality

      >Google does not deny the slurpage, only the alleged quantity; which still works out to double that of the fruity lot.

      I suspect Google are just being lazy compared to Apple.

      Take that basic set of information: "The phone IMEI, hardware serial number, SIM serial number and IMSI, handset phone number":

      IMEI: Globally unique 15-digit code

      Hardware s/n: variable, but Huawei it's 16-alphanumeric characters - assumed to be unique to manufacturer.

      SIM s/n: ICCID is 19 or 20 digit globally unique number

      IMSI: 15-digit number which uniquely identifies the subscriber.

      Given for the majority of people all of the above will remain constant for the duration of a contract, it makes sense to condense. There is only really a need to actually communicate one globally unique identifier and a flag to indicate no change to any of the others since last transmission. This measure on its own has the potential to reduce the volume of data transmitted by 75%.

      I would not be surprised that applying similar considerations, lower frequency of status update and only report if changes since last report and you can quite quickly reduce that 1MB every 12 hours down to something approaching Apple's figures.

    4. Pseu Donyme

      Re: Never mind the width feel the quality

      Also worth noting that this is news*: Google (& Apple) haven't been exactly forthcoming with what they do which would seem a bit strange if this is supposed to be normal, expected, above board etc. as Google insists (now that they have been caught with hand in the cookie jar).

      * I suppose many of us suspected as much; I'd say confirmation is still news.

    5. Michael Wojcik Silver badge

      Re: Never mind the width feel the quality

      Yes, even if you believe Google's claims, it's still hoovering a quarter of a terabyte a day (the paper cited an estimate for a 12-hour period) just from US victimscustomers. Hard to believe that's all justified.

  5. Splurg The Barbarian

    It's this sense of entitlement that gets me

    Google said....

    "Modern cars regularly send basic data about vehicle components, their safety status and service schedules to car manufacturers, and mobile phones work in very similar ways," the company's spokesperson said. "This report details those communications, which help ensure that iOS or Android software is up to date, services are working as intended, and that the phone is secure and running efficiently."

    A classic piece of whataboutery and entitlement. One we're speaking about phones not cars Google. And as far as I am concerned what car manufacturers do is not acceptable either! Car manufacturers take a damn sight more than that and in my view nothing should be sent back from my car full stop. The same as in a perfect world nothing would be sent back from my phone, computer, television, HiFi amp, Blu-Ray player etc.

    It does need knocked on the head, unfortunately too many members of the public give it "nothing to fear, nothing to hide" and cannot see what the fuss is about.

    As far as I am concerned once you have bought a product, the manufacturer loses all tie and rights to that product. My device, my data etc it is not there for a manufacturer (or OS creator) to use as a money making exercise, a way to avoid paying for test environments, or indeed global domination. Unfortunately it's so ingrained in people now, they see it as normal, something that 15-20 years ago would have required covert surveillance, rifling through your possessions in secret, and any other activities that would have had a regular person convicted under current stalking laws, or at very least placing someone under fear or alarm. It's gone too far, can it ever be turned around now?

    1. cookieMonster Silver badge

      Re: It's this sense of entitlement that gets me

      I was talking to a coworker of my wife last week about this and he was totally oblivious of these issues, his attitude was “whatever... I don’t care, it’s nothing”. And that is exactly the attitude of the general public. They simply don’t give a sh$&. There is no hope of this changing while the general population really don’t give a fuck. It will take a massive data breach, globally, where there are severe financial consequences for the public before this becomes an “issue”, and even then, the guilty will just roll out the boilerplate bullshit of “we value your privacy...blah blah blah”. The only solution is regulation but that’s not going to happen any time soon unfortunately.

      1. Neil Barnes Silver badge
        Mushroom

        Re: It's this sense of entitlement that gets me

        >> “we value your privacy..."

        Yup. It's very valuable to us.

    2. Wade Burchette

      Re: It's this sense of entitlement that gets me

      Don't forget, we have the best government money can buy. And who has more money to bribe ... er "lobby" politicians? Not you or I. Who has enough money to hire many expensive lawyers? Not you or I. You don't bite the hand that feeds you.

      It would take an outrage so great that the politicians cannot ignore before anything will happen. But for the issue of privacy, far too many have the "meh" attitude. The best thing you can do is block it, using Blokada or Pi-Hole.

      1. Roland6 Silver badge

        Re: It's this sense of entitlement that gets me

        >The best thing you can do is block it, using Blokada or Pi-Hole.

        Neither do anything about the data being talked about that is being sent from mobiles over their mobile interface.

    3. Cuddles

      Re: It's this sense of entitlement that gets me

      "This report details those communications, which help ensure that iOS or Android software is up to date"

      If this data is so important for keeping the OS up to date, how come my phone is still running Android 8.1? For that matter, given that I get (or more accurately, don't get) OS updates from the phone manufacturer, exactly what use would this data be to Google?

      1. Anonymous Coward
        Anonymous Coward

        Re: how come my phone is still running Android 8.1

        you're so lucky! I run 6 point something and the phone's 3-4 years old or so (with a resounding "no!" from the provider, re. system updates beyond that 6.0.1), and on my other phone, android 4 point something (which is actually cool (looking).

    4. TRT Silver badge

      Re: It's this sense of entitlement that gets me

      Once you have bought the product...

      Yes... which is why I wonder about this "user not being signed in" thing in the methodology. Isn't that practically a must for the fruity phone?

      1. doublelayer Silver badge

        Re: It's this sense of entitlement that gets me

        Basically yes. You don't have to sign in if you want to use it as a phone. You'll get the Apple apps, including browser, can use it as a phone, get OS updates, all that. If you want to install apps though, you'll need to sign in. It could be worse, like Chrome OS, but it is limited without an account.

    5. Steve Davies 3 Silver badge
      Boffin

      Google collections are only going to get worse

      With Google getting into the CAR OS business (Volvo's etc) you can expect an awful lot more data collection. I would not put it past them to facial recog all occupants of the vehicle for each and every trip. They'll know all about you and them and then start sending targeted ads to the car.

      That's only the tip of the iceberg I'm afraid.

  6. alain williams Silver badge

    GDPR ...

    Is this not the sort of thing that the GDPR was supposed to stop?

    Why are Google, Apple, Facebook, ... just allowed to break privacy laws? I suppose for much the same reason that they get away with not paying taxes!

    1. Pseu Donyme

      Re: GDPR ...

      Indeed it is. In practice it will take complaints to DPAs, meaningful action by them* and then the cases dragging through courts for years. Apparently the potential fines - although substantially increased with the GDPR - still aren't large enough; otoh, I suppose consequences years in the future don't seem too bad especially when they don't affect those making the decisions directly (and when the same are likely to keep and enjoy whatever bounty they got as a result of said decisions even if shareholders eventually do suffer a loss).

      * unfortunately this is hardly guaranteed, case in point:

      https://noyb.eu/en/dpc-cancels-parliamentary-hearing-eu-us-transfers

      (latest in the Irish DPC's epic labours to avoid doing anything meaningful in the 7.5 year old Schrems vs Facebook case)

      1. ITS Retired
        Holmes

        Re: GDPR ...

        Fines means nothing. Fines come out of the corporation's petty cash. It is a line item on a spread sheet.

        What needs to be done is prison sentences for those responsible for the tomfoolery. If it means putting CEOs and Board members in prison for lengthy periods of time, so be it.

        After all corporations are persons and these people represent and control the corporation. Laws for corporation persons need to be the same as laws for you and me.

        1. Old Used Programmer

          Re: GDPR ...

          I will believe that corporations are persons when Texas executes one.

  7. Wolfclaw

    When my S8 started showing its age, jumped to iP12, one small reason, Apple slurps less private info, Google is just too nosey and seems to be unaccountable.

    1. Pascal Monett Silver badge

      Oh, so slurping less is acceptable to you ? You accept nosey, but too nosey is too far ?

      I'm sorry, for me just plain nosey is already too far.

      1. Dave 126 Silver badge

        > Oh, so slurping less is acceptable to you ? You accept nosey, but too nosey is too far ?

        It's a concept called nuance. Being dogmatic is bad for the head.

        We do it all the time - police officer is welcome to see my driving documents, but not my health records. Phone company by necessity can see my location, and can be subpoenaed in some jurisdictions.

        It would be impossible for companies to provide us with goods and services if they had zero data about their market.

        I agree that data slurping has gone too far, but the way out of it must include some sensible debate instead of knee-jerk absolutism. Because knee-jerk absolutism has achieved little in the last twenty years.

        1. My other car WAS an IAV Stryker
          Unhappy

          "Because knee-jerk absolutism has achieved little in the last twenty years."

          Or forty, most of which I can remember. (I'm not counting my first orbit for sake of a large, round number.)

          Trying to argue subtleties against knee-jerkers would make me lose ALL my social-media friends... if I paid more attention to social-media and actually tried to argue reason and nuance.

          We all understand communication is important to relationships, be they transactional/professional or deeply intimate and everything in between -- man is a social creature, after all. But technology is now creating, storing, and sharing information outside of our direct awareness at a speed too fast for our limited wetware (as an AI in one webcomic put it: "MEAT IS TOO SLOW"). That lack of direct awareness causes many to resign to apathy and others to paranoia -- both resorting to their own dogma -- and thus nuance dies.

        2. Greybeard_ITGuy
          Trollface

          And... only a Sith deals in absolutes. Anakin, is that you?

        3. Anonymous Coward
          Anonymous Coward

          Because knee-jerk absolutism has achieved little in the last twenty years.

          but but but, what has achieved A LOT is "lie back and think of England!" (or whatever country's masters you voted into power to fuck you alongside the corp).

    2. EnviableOne

      the only reason the fruity team slurp less data is they already know what the hardware is and how it handles the workloads, they made it and sold it to you

      the choc factory has to collect the info, as 90% of the time, you didn't buy the hardware from them, and have to sign your life away for a bit of shiny, hardware and software lock-in and a premium for old ideas.

      Apple hasn't had an original idea, since Jobs passed.

  8. ForthIsNotDead
    Flame

    Linux phone... here I come...

    See title.

    1. Lord Elpuss Silver badge

      Re: Linux phone... here I come...

      Good luck getting a phone that doesn't share any data. Hint: they all do, that's how the GSM protocol works.

      1. Pascal Monett Silver badge

        Sharing data so that the phone company can connect your call is more than okay, it's required. None of that data needs to get to the phone maker.

      2. Orv Silver badge

        Re: Linux phone... here I come...

        And that all happens inside a binary blob, so unless someone develops an open-source GSM modem chipset you may still be in trouble.

        1. doublelayer Silver badge

          Re: Linux phone... here I come...

          You mean like the one Pine64 is working on? They've gotten their phone's communications chip to run mainline and a few parts of the system work already. If you're willing to live with the blob on the chip, their device also isolates it so it can't access anything in system memory unless the main system sends it. But as said above, the information the GSM standard gives away is really tiny compared to what the phone manufacturers are getting. Also, the information the GSM standard requires is used to provide a service to me, I understand what it is, and most of it is actually required for the service to work. The data collected by manufacturers doesn't meet any of those requirements.

  9. Julz

    This

    Just confirms that having a phone and carrying around with you, pinpoints to anyone who's interested (pick your TLA or Corporation of concern) your exact location and that they can track your every move (and of those around you), even if you think you're opting out. Nothing new in that revelation. The details mentioned in the article however did pique my interest.

    It mentioned that complete MAC and IP addresses (along with other such identifying data) were being returned. It goes on to say that the companies responded that they need this information in general to monitor the performance (in a wide sense) of their product. It would seem to me that they could collect incomplete data for such items, such as a MAC address of 00-26-DD-XX-XX-XX, and it would fulfill that brief. It would confirm that the phone is connected (or any other monitored function) and that it is working nominally without sending to the mother ship any personally identifying data. Should we suggest this :) Pipe dream I know...
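
The partial-identifier idea in the comment above, as an added example that is not part of the original thread and is not Apple's or Google's code. The field names and the sample record are constructed for illustration; the /24 and /48 IP truncation and the full masking of locally administered (randomised) MACs are assumptions that go beyond what the comment proposes.

```python
"""Coarsen MAC and IP identifiers in a telemetry record before it is sent."""
import ipaddress
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
FULLY_MASKED = "XX-XX-XX-XX-XX-XX"

# Hypothetical field names, chosen for this example only.
MAC_FIELDS = {"wifi_mac", "nearby_macs"}
IP_FIELDS = {"local_ip"}


def mask_mac(mac):
    """Keep the 3-byte vendor prefix (OUI); blank the device-specific half."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(HEX_PAIR.fullmatch(p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    # Bit 0x02 of the first octet marks a locally administered address
    # (e.g. a randomised Wi-Fi MAC). Its first three bytes are not a vendor
    # prefix, so nothing useful survives and everything is masked.
    if int(parts[0], 16) & 0x02:
        return FULLY_MASKED
    return "-".join(p.upper() for p in parts[:3]) + "-XX-XX-XX"


def mask_ip(addr):
    """Reduce an address to its enclosing network (IPv4 /24, IPv6 /48)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def redact_record(record):
    """Return a copy of the record with MAC and IP fields coarsened."""
    out = {}
    for key, value in record.items():
        if key in MAC_FIELDS:
            if isinstance(value, list):
                out[key] = [mask_mac(v) for v in value]
            else:
                out[key] = mask_mac(value)
        elif key in IP_FIELDS:
            out[key] = mask_ip(value)
        else:
            out[key] = value  # non-identifying status fields pass through
    return out


# Constructed sample record; not captured from any real device.
SAMPLE = {
    "os_build": "example-build-1",
    "wifi_mac": "00:26:dd:12:34:56",
    "nearby_macs": ["00-26-DD-AB-CD-EF", "da:a1:19:00:00:01"],
    "local_ip": "192.0.2.77",
    "connected": True,
}

if __name__ == "__main__":
    for field, value in redact_record(SAMPLE).items():
        print(f"{field}: {value}")
```
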

    1. Orv Silver badge

      Re: This

      I suspect they're collecting MACs to allow for the phone to get location data when it can't receive any GPS satellites. Google has been doing this for years -- their initial database came from wardriving, but now they just update it from people's phones as they move around. Sometimes if your GPS signal is weak you can see your position jump abruptly as you move out of one WiFi network's range and into another's.

    2. NATTtrash

      Re: This

      "It would seem to me that they could collect incomplete data for such items, such as a MAC address of 00-26-DD-XX-XX-XX, and it would fulfill that brief."

      I've been reading the comments up till here... and am kind of surprised that, even here, another, IMHO crucial and basic point is missed. To reuse a phrase known for another "intrusive" (please forgive me the huge understatement) societal problem:

      NO means NO.

      What is not clear about that? The user said no to telemetry to begin with. Made use of that so often referred to privilege: choice. Ticked the NO box...

      And thinking about where that phrase comes from, and the "sure, but a little is OK/ needed" comments here... So if I say NO, still doing it because you (think you) can justify it so well for your use case, makes it OK?

    3. jmch Silver badge

      Re: This

      Completely true. Nor, indeed, do they need to repeatedly send this information daily or hourly. Clearly the key is the mac addresses of other devices on the same network, as this is what can be used to estimate a location.

  10. Anonymous Coward
    Anonymous Coward

    I truly believe Apple are doing the right thing by its customers and Google is just evil.

    Or is it the other way around? Or are both utter shits?

    1. Dave 126 Silver badge

      The form of your post implies a symmetry between the type and quantity of data collected by Apple and Google respectively, a symmetry that might not be there in reality.

  11. Anonymous Coward
    Anonymous Coward

    Yawn!

    The mobile telcos collect all the basic shit anyway, so they can track your phone activity as part of the billing process. If the phonemakers of this world were banned from collecting it, they'd just do deals with the telcos along the lines of "spill us the shit or our next OS release will crash on your networks, here's some $$$ (a tenth of what we currently spend on spyware/exploitation dev) to help focus your minds. Oh, and you license us to sell it on, got that?"...

    ... OMG, they already have?

    1. Dave 126 Silver badge

      Re: Yawn!

      In the USA, some telcos were recently found to have been selling location data about their paying customers to other companies.

      1. ForthIsNotDead

        Re: Yawn!

        Indeed. I believe the Register reported on it some time back.

    2. SImon Hobson Bronze badge

      Re: Yawn!

      Err no.

      The phone must send some information to the phone network in order for things to work - but that's something you've contracted with the phone company.

      The phone company does NOT get all the information mentioned in the article.

  12. Anonymous Coward
    Anonymous Coward

    monitoring performance isn't a justification

    I work for a computer hardware company. I'd love every server we ship to dial home with telemetry about how reliable the product is. This would allow me to improve things. By default - zero information comes back, you can opt-in if you like. That's how it should be.

    Why should a mobile phone be any different, especially when it actually costs the poor user $'s to do so.

  13. Pseu Donyme

    Big Tech has become modern day Big Tobacco

    (as far as ethics and business practices go)

  14. Giles C Silver badge

    Find my?

    If you use the iOS find my device feature how do you think it is going to work if it doesn’t transmit data back to the central servers with its location? I assume something similar is available on Android?

    And as others have said your phone is constantly pinging location requests back to the telecoms provider otherwise you wouldn’t be able to receive any calls.

    If you don’t want to be tracked with a mobile, leave it at home. It always amazes me when watching crime documentaries that criminals go out with the intentions of committing a crime and with their mobile in a pocket broadcasting their location.

    1. doublelayer Silver badge

      Re: Find my?

      The article specifies that they were looking at collection when there is no account signed in. In order to use the feature that finds a lost device, you need to associate the device with an account and access that account to get the data. By definition, they did not have that feature enabled and it sent data anyway. If the data was only sent when people had requested that service, it would be different.

      1. Orv Silver badge

        Re: Find my?

        I hope they were careful enough to get a device retail instead of via their employer. Many companies and universities have automatic device enrollment set up when they purchase stuff from Apple, so those devices are going to start phoning home immediately.

  15. martyn.hare
    Facepalm

    Most of the data

    Is used to implement security features, stub app detection, wallet storage and anti-theft. In Apple's case, even when Find My iPhone is disabled, there is still the supporting infrastructure needed for App Clips and such to work. In the case of Android, Google do a lot of processing off-device, like scanning installed APKs even if they’re built in, to ensure nothing has been tampered with. This paper doesn’t do a lot to find out why data is being sent and could have benefitted by doing more research with manufacturer involvement.

    1. FlippingGerman

      Re: Most of the data

      All those are excellent uses for telemetry. None of them are justifications for sending telemetry when it has been disabled, and without informing the owner (not "user") of the device.

  16. doublelayer Silver badge

    Can we mess with them?

    "iOS shares additional data: [...] the Wi-Fi MAC addresses of nearby devices, specifically other devices using the same network gateway."

    First problem: why in the world are they doing that? That's not helping with any of the device's features. Even if the device was communicating with those devices or detected them so the user can see them, there is no reason Apple has to know about them. There are several good reasons Apple should never know about them.

    Second question: what happens if I put an iPhone on a network device which also has a raspberry pi programmed to authenticate with different MAC addresses every ten seconds or so. How much crap can I send through Apple's servers before they discount the data from that iPhone? Time to crank up the random number generator--there are 2^48 addresses I need to cycle through and I don't want them catching me in a pattern until they've gotten most of them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Can we mess with them?

      Google(all 600+ addresses) is almost totally blocked by my firewall.

      Apple is blocked apart from Saturday Mornings between 06:00 and 11:59. Everything seems to work fine

      That's when I do my updates.

      As of today, my firewall has over 120,000 blocked domains and IP's.

      Pity that I can't take that firewall with me when I'm away from home.

      1. doublelayer Silver badge

        Re: Can we mess with them?

        You could VPN through your home network and get the firewall. There are a few other methods of doing that, but the VPN option is the one with the fewest security risks. I once considered just making my own blocklist a public though unadvertised DNS resolver, but since DNS resolvers can be used to DOS others, I didn't bother. Maybe I should set it up with DoT and DoH now.

      2. butmonkeh

        Re: Can we mess with them?

        Have you looked at DNS66 (from the F-Droid app store)? It sets up a local VPN connection to itself with a DNS filter list (default is the same as PiHole uses, but you can add your own) and allows you to specify your own DNS server too. It doesn't require root, but it will increase your battery use.

  17. Lorribot

    GDPR requires clear and explicit consent for taking and storing personally identifiable information. Google is taking, storing and processing personally identifiable information as it is actually going out of its way to track you where and however you go. What I would like to see is where is the clear and explicit consent to this?

    The French had a nibble at Google to the tune of €50 million for some advertising thing but that really did not go far enough. The EU need to grow a pair and tell them to stop doing it, the max fine is €20 million but they can also:

    Imposing a temporary or permanent ban on data processing

    Order the rectification, restriction or erasure of data

    Suspending data transfers to third countries

    Until they do one of the above they will just ignore everyone and carry on doing their thing.

    Note the Lineage 14.1 which can be as googleless Android 11 as you want it

    https://lineageos.org/Changelog-25/

    1. SImon Hobson Bronze badge

      Where's the consent? Well, Google would argue it's in the agreement you signed when you started using the phone. GDPR explicitly says that such shenanigans are no more valid than putting them in a locked cabinet in a disused lavatory with a sign on the door saying "Beware of the leopard".

      But, for anything to happen, as mentioned further up, there has to be a complaint to the data protection authority in an EU country AND for that authority to take action (rather than expend a lot of effort into trying to demonstrate why they are not legally able to). It then drags on for years and years and years and years and ... you get the picture.

      Just look at the Schrems cases to see what it takes.

    2. gzgweilo

      "Note the Lineage 14.1......."

      I take it you meant 18.1............

      A number of other custom ROMs can be pretty much without Google if you want it but you will still need some sort of firewall to stop the underlying firmware sending home - especially Xiaomi........

      I don't currently have a Google account registered on my phone and using microG and/or other location back ends gives a little more privacy but I know it is still not ideal.

  18. Mario Becroft

    The problem is, we all want the functionality of a smartphone. Until there is another game in town, consumers have no real power or choice to influence the situation, except to entirely opt out of what's essentially modern society.

  19. jmch Silver badge

    plausible fine-print justification

    Leith notes that Google's analytics options menu includes the text, "Turning off this feature doesn’t affect your device’s ability to send the information needed for essential services such as system updates and security."

    Firstly, for system updates and security, my phone doesn't need to send any data at all to anywhere. It can, occasionally, ping a server to ask what the latest available version is. It can then ping another server (not necessarily Google, could be the manufacturer) saying this is my model number, can you please send me the latest security or OS update that is supported for the model. Any data sent to be deleted immediately the phone is updated.

    You can add advanced options at the user's choice, requiring more data to be sent. But that is exactly telemetry. There needs to be an option to send nothing at all, even if it is at some cost to security. My device, my risk, but the choice has to be there.

  20. IGotOut Silver badge

    Google Statement.

    "We identified flaws in the researcher's methodology... claims that an Android device shares 20 times more data than an iPhone,"

    "We tested it ourselves and found it to be at LEAST 1000 times more, so clearly the researcher can't be trusted."

  21. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    How much slurpage is there from LineageOS? It'd be good to know, before I overwrite the firmware...

    1. doublelayer Silver badge

      Very little. The OS itself has cut the packages from Google which phone home to them. If you log DNS requests, for example, you'll find there are orders of magnitude fewer while the phone is in standby. Flashing it also wipes out the manufacturer's installations, some of which likely send telemetry as well. The comparison between the two is striking. While there are ways for tracking to persist even after Lineage has been flashed, that's a possible mechanism where you already have several guaranteed ones.

      In all cases, it's a significant improvement. Of course, if you flash Lineage OS and then install Google's APKs so apps requiring Google Play Services work, they'll start to collect again. Also, you'll lose some of the Google-provided services. I value that in the pursuit of privacy, but it annoys people sometimes.

  22. AndyTempo

    I guess that it will transpire that the IMEI, IMSI etc. are used to register for push notifications or similar.

    The Apple and Google push notification servers must have a way to know which phone to send the notifications to, otherwise you would need to constantly poll the email servers etc.

  23. Sherrie Ludwig

    Non technical person has a question

    If one is either somewhere that one did not want known (for reasons varying from simple privacy to paranoia to criminality) can one simply turn the phone off until needed? Or, if that is not enough, is there a box analogous to a Faraday cage that could be used to store the phone in until needed? So, the phone would "stop showing up" on cell tower data, then "show up again" later? Or are people too used to carrying the phone to simply leave it at home, do the crime/visit the secret paramour/just want to not be tracked, then come home and pick up the phone again?

    1. doublelayer Silver badge

      Re: Non technical person has a question

      Yes, just turning off the phone is probably good enough to drop you off the grid. If you're paranoid, you might not trust that and want to go further and remove the battery. The logging could show that you did that, indicating that you had taken a suspicious step, depending on how much analysis they wanted to perform on your data history.

      Most of the time, it's just criminals being stupid. A lot of people who commit basic crimes just don't know very much about the risks they're taking. Some people still get caught with fingerprint evidence even though everybody has known for a century that they are left everywhere and police know how to use them. Given that there are criminals who don't bother to put on some gloves, it's probably not surprising that there are criminals who don't bother to leave the phone at home.

  24. Anonymous Coward

    Anonymised data

    They need to be compelled to show us what the data actually looks like. They can anonymise it, but we need to see exactly what it is that they are collecting.

  25. Anonymous Coward

    Google however contends Leith's figures are off by an order of magnitude.

    I only stole 500 quid off him, your honour, not 5K, as the 'honourable' gentleman claims! And no, I didn't 'burgle the house' as the claim goes, only went through his phone number and a few other bits, I mean, you can't call it THEFT, can ya?!
