Google secretly collects and stores large amounts of data from Android device owners. This applies even to those who have never used the company’s apps.
A study by Professor D.J. Leith of Trinity College Dublin documents for the first time how the company’s Google apps track personal data without warning users, without even giving them the opportunity to opt out.
The study analyzed cookies, identifiers and other information stored on mobile devices running on the Android operating system. Google Play services and the Google Play store itself, as well as other Google applications, collect information from users’ devices without warning.
The analysis was conducted using Google Pixel 7 mobile device based on Android 14 with the latest versions of Google Play Services and Google Play Store.
The study found that Google’s servers send and store multiple tracking identifiers on mobile devices immediately after a factory reset, even before users start interacting with any Google app.
Among these identifiers are cookies used for advertising analytics, links to track views and clicks on ads, and persistent device identifiers that can identify both the device and the user. The biggest concern is that no prior consent is sought from users before any of this data is stored.
The authors of the study emphasize that this violates EU rules on ensuring the confidentiality of information. In particular, The e-Privacy Directive and possibly the GDPR
The General Data Protection Regulation is the EU's regulation on information privacy.
How Google’s tracking mechanisms work
Researchers have identified several specific tracking technologies, including Google Android ID — the device’s postal ID, which is stored in several places at once, including shared_prefs/Checkin.xml, and is transmitted during most connections to Google servers. It is stored for the purpose of factory reset and is linked to the user’s account in Google when you log in.
The advertising analytics cookie DSID is sent by googleads.g.doubleclick.net and stored in the data folder of the Google Play services. When a user performs a search in the Google Play store, «sponsored» results contain tracking links that, when clicked inform Google about links that exclude search results with embedded ad tracking links
The study also documented Google’s use of NID cookies in several applications, server tokens for A/B testing, and various authorization tokens that virtually invisibly register users in numerous Google services.
We also noticed a connection to Firebase Analytics servers that transmit data on user interaction.
Spelling error report
The following text will be sent to our editors: