A range of popular Android mobile phones engage in significant data collection and sharing with third parties such as Google, Microsoft, LinkedIn, and Facebook with no opt-out available to users, according to an academic study.
Prof Doug Leith at Trinity College Dublin and Dr Paul Patras and Haoyu Liu of the University of Edinburgh examined data sent by six variants of the Android OS developed by Samsung, Xiaomi, Huawei, Realme, LineageOS and e/OS.
The study found that even when minimally configured and the handset is idle, with the exception of e/OS, they transmit “substantial amounts” of information to the OS developer and to third parties that have pre-installed system apps.
While occasional communication with OS servers is to be expected, the authors of the study said the observed data transmission goes “well beyond this” and raises a number of privacy concerns.
With the exception of e/OS, all of the phones examined collect a list of all the apps installed on a handset. This included potentially sensitive information that could reveal user interests.
The Xiaomi handset sends details of all the app screens viewed by a user to Xiaomi, including when and how long each app is used. This reveals, for example, the timing and duration of phone calls.
The effect is akin to the use of cookies to track people’s activity as they move between web pages. This data “appears to be sent outside Europe to Singapore”, the study found.
No opt-out
On the Huawei handset, the Swiftkey keyboard sends details of app usage over time to Microsoft. This reveals, for example, when a user is writing a text, using the search bar, or searching for contacts.
Samsung, Xiaomi, Realme and Google collect long-lived device identifiers, such as the hardware serial number, alongside user-resettable advertising identifiers.
Third-party system apps from Google, Microsoft, LinkedIn and Facebook are pre-installed on most of the handsets and silently collect data, with no opt-out.
There “may exist a data ecosystem where data collected from a handset by different companies is shared or linked”, the study found. The privacy-focused e/OS variant of Android was observed to transmit essentially no data.
“I think we have completely missed the massive and ongoing data collection by our phones, for which there is no opt-out,” said Prof Leith. “We’ve been too focused on web cookies and on badly behaved apps.
“I hope our work will act as a wake-up call to the public, politicians and regulators. Meaningful action is urgently needed to give people real control over the data that leaves their phones.”
Dr Patras added: “Although we’ve seen protection laws for personal information adopted in several countries in recent years, including by EU member states, Canada and South Korea, user-data collection practices remain widespread.
“More worryingly, such practices take place under the hood on smartphones without users’ knowledge and without an accessible means to disable such functionality.
“Privacy-conscious Android variants are gaining traction, though, and our findings should incentivise market-leading vendors to follow suit.”