Android devices seen covertly sending location data to Google

An investigation by Quartz has revealed that Android devices send cell tower location data to Google even if the user has disabled location services for apps in their device settings.

Quartz also said it observed location data being sent even if devices had been reset to factory default settings. Android devices with a cellular data or a wi-fi connection were seen to send the data to Google each time they came within range of a new cell tower — including devices with no SIM cards installed (these offloaded the location data via wi-fi, where available).

It says there is currently no way for Android users to prevent their location data from being sent to ad targeting giant Google — short of removing SIMs from their devices and disabling wi-fi (or else leaving the devices inside a faraday cage).

After raising its findings with Google, Quartz reports that a company spokesperson told it the cell tower location data harvesting has been going on for the past 11 months, and that cell tower addresses were included in information sent to the system it uses to manage push notifications and messages on Android devices.

The spokesperson further claimed the location data was never used or stored. And Google added that it intends to end the practice by the end of November, having had the location tracking issue flagged to it by Quartz.

“In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery,” the Google spokesperson said. “However, we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID.”

Whatever the reason Google was experimenting with harvesting Android users’ location info, it’s another troubling instance of the company slurping up sensitive user data without making people explicitly aware it’s doing so — let alone giving users controls to opt out of another major invasion of their privacy.

Back in October, for example, a number of Google Home Mini devices were shown to have malfunctioned and been persistently recording audio in the background in their owners’ homes, instead of only waking up when a specific trigger word was used.

After that snafu gained press attention, Google said it would remove the touch top function on the device — blaming that hardware for a malfunction that had triggered near continuous recording of users’ domestic goings on. As it’s now blaming engineering experimentation for Android covertly harvesting location data.

Location data is highly sensitive personal data from which much can be inferred about a person’s life and lifestyle, especially given the rule for mobile devices is to accompany the user wherever they go. And while cell tower location data isn’t necessarily hugely precise, triangulation of multiple cell towers can be used to calculate a more exact location.

So even if message speed and performance could be enhanced by the Android OS knowing a user’s cell tower location, Google should at least be asking people to opt in to that location-tracking enhancement and/or providing them with a way to opt out.

Google’s privacy policy does include the following section on “location information” (below) which states that users of “Google services” may have their location data collected, including cell tower data — though the linked examples Google uses refer to specific Google apps, like Google Maps, rather than to the Android OS itself; while the linked example on wi-fi access points and cell towers talks only in terms of location data being collected for users who have enabled Google’s Location Services (not persistently, because you are using the Android OS):

When you use Google services, we may collect and process information about your actual location. We use various technologies to determine location, including IP address, GPS, and other sensors that may, for example, provide Google with information on nearby devices, Wi-Fi access points and cell towers.

According to Quartz’s findings, the location tracking did not appear limited to particular Android phones or tablets. It says Google was apparently collecting cell tower data from all modern Android devices.

It further cites a source familiar with the matter specifying that the cell tower addresses were being sent to Google after an early 2017 change to the Firebase Cloud Messaging service that’s owned by Google and runs on Android phones by default.

While this is notable as an instance of Google itself, Android’s platform controller, apparently caught covertly tracking users’ location via the OS, this time last year a range of budget Android smartphones sold in the US were found to be secretly sending personal data to a third party company based in China — including information about users’ locations.

Albeit in that case the culprit was commercial firmware pre-installed on the devices, rather than the Android OS itself, as here.