Data-Sharing On Android Is Massive, With No Way To Turn It Off, Research Found


Almost everyone owns a smartphone. And almost all smartphones are either powered by Apple's iOS or Google's Android.

This is something that people need to choose. Do they want the "walled" ecosystem offered by a company known for its expensive devices, or do they wish to own a gadget powered by a flexible operating system provided by a tech giant known for its search engine.

While the experiences between using iOS or Android can be similar in some and different in others, iOS is showcased as the safest of them two, considering that Apple said that it is putting users' privacy at a more priority than Google, simply because Apple's business model does not depend on ads and tracking users.

Android on the other hand, is widely reported as the lesser of the two in terms of privacy.

This time, a research conducted by the researchers at University of Edinburgh and Trinity College Dublin have found the extent of data-sharing on the popular operating system from Google.

The researchers focused on Samsung, Xiaomi, Realme, and Huawei Android devices, and LineageOS and /e/OS, which are two forks of Android that aim to offer long-term support and a de-Googled experience.

Firefox Focus
The average volume of the network traffic generated on each handset by each data collector.

The conclusion of the study is worrying for those who concern their privacy:

"With the notable exception of /e/OS, even when minimally configured and the handset is idle these vendor-customized Android variants transmit substantial amounts of information to the OS developer and also to third parties (Google, Microsoft, LinkedIn, Facebook, etc.) that have pre-installed system apps."

"While occasional communication with OS servers is to be expected, the observed data transmission goes well beyond this and raises a number of privacy concerns. There is no opt out from this data collection."

Key findings also include:

  • The Xiaomi handset sends details of all the app screens viewed by a user to Xiaomi, including when and how long each app is used. This data appears to be sent outside Europe to Singapore.
  • On the Huawei handset, the Swiftkey keyboard sends details of app usage over time to Microsoft.
  • Samsung, Xiaomi, Realme and Google collect long-lived device identifiers, e.g., the hardware serial number, alongside user-resettable advertising identifiers.
  • There may exist a data ecosystem where data collected from a handset by different companies is shared/linked.

And these 'snooping' activities can also happen when the phones are idle, or when they are experiencing very limited user input

Firefox Focus
Potential for cross-linking data collection with different handsets: Samsung (left), Xiaomi (center), Realme (right). Red circles represent data collectors and green circles represent for what specific service instance the data is collected.

While it's certain that an amount of information is expected, and should be at least sent to app developers as well as Google, the researchers shared that the extent of data transmission taking place goes well beyond what people may have expected.

Professor Doug Leith, Chair of Computer Systems at the School of Computer Science and Statistics in Trinity College Dublin, said the study revealed the extent previous data regulations have missed the mark.

“I think we have completely missed the massive and ongoing data collection by our phones, for which there is no opt out," he said. "We’ve been too focused on web cookies and on badly-behaved apps."

He said that "meaningful action" is required to give people control over the data that leaves their phones. And this study is hoped to sound the alarm for the public and regulators.

“I hope our work will act as a wake-up call to the public, politicians and regulators. Meaningful action is urgently needed to give people real control over the data that leaves their phones,” he said.

Dr Paul Patras, Associate Professor in the School of Informatics at the University of Edinburgh, said this was one of the most worrying aspects of the study.

"Although we’ve seen protection laws for personal information adopted in several countries in recent years, including by EU member states, Canada and South Korea, user-data collection practices remain widespread. More worryingly, such practices take place 'under the hood' on smartphones without users’ knowledge and without an accessible means to disable such functionality. Privacy-conscious Android variants are gaining traction though and our findings should incentivize market-leading vendors to follow suit," he said.