Quartz has found that Android phones have been tracking user locations and sending them to Google throughout 2017:
Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they're connected to the internet, a Quartz investigation has revealed.
Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals' locations and their movements that go far beyond a reasonable consumer expectation of privacy. Quartz observed the data collection occur and contacted Google, which confirmed the practice.
The cell tower addresses have been included in information sent to the system Google uses to manage push notifications and messages on Android phones for the past 11 months, according to a Google spokesperson. They were never used or stored, the spokesperson said, and the company is now taking steps to end the practice after being contacted by Quartz. By the end of November, the company said, Android phones will no longer send cell-tower location data to Google, at least as part of this particular service, which consumers cannot disable.
"In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery," the Google spokesperson said in an email. "However, we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID."
Also at TechCrunch and Engadget.
Related Stories
A lawsuit filed in federal court accuses Google of invading people's privacy by tracking the whereabouts of smartphones users despite "location history" settings being turned off.
The suit filed Friday by a California man seeks unspecified damages along with class-action status to represent all US iPhone or Android smartphone users who turned off location history in order not to have their movements logged by Google.
"Google expressly represented to users of its operating system and apps that the activation of certain settings will prevent the tracking of users' geolocations," the lawsuit read. "This representation was false."
The suit accuses Google of violating privacy law, and cites a news report last week confirmed by university researchers.
Related: Google Caught Tracking Android User Location Data
(Score: 0) by Anonymous Coward on Wednesday November 22 2017, @07:07AM (2 children)
Most ambitious data collector of all times caught cought collecting data, and lying about it to be able to collect even more! Promises to stop as soon as convenient. News at 11!
(Score: 3, Interesting) by maxwell demon on Wednesday November 22 2017, @07:58AM (1 child)
Actually, they were not really lying. To quote the summary, emphasis by me:
So they didn't really assert that the data won't be collected any more, they only asserted that it will no longer be done through this particular service.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Wednesday November 22 2017, @03:57PM
yes, and isn't it convenient that they already had a plan to stop it -- once it was pointed out to them it was happening on nearly all of their devices?
I expect then that the security model of android systems will allow for a software push to the android OSes in question, like those regular security updates they send out that the cell phone companies readily embrace and push to keep older hardware working on their network without the need to buy a new device?
Or by "stop collecting" do they mean that the phones will still transmit the location data because its not their responsibility to tell cell phone companies how to manage the devices connecting to their networks, but that they will not be looking at it except under a court order so that when people think their phone is off they are still trackable as required?
(Score: 5, Interesting) by edIII on Wednesday November 22 2017, @07:19AM (12 children)
Dear sweet holy fuck do we need to ditch Apple, Microsoft, and Google at least WRT phone software. This, right after their involvement with Quad9 DNS claiming the data would never be stored or used. Talk about a fucking technicality, "Oh it was just collected!". People think I'm nuts to use burner phones and keep switching them out.
Come on, Purism! We NEED an open phone based on Linux. I'll feel so much better, even if it has SystemD. That's how bad it is. It's the one area in life in which I would willingly subject myself to it. Well, that and my development laptop that can't work with anything but Win10 or Ubuntu. Technically I chose SystemD there too. I may be running into the arms of morons and poorly reviewed code, but at least it's not beholden to an organization that literally, for the life of it, can't stop invading our fucking spaces and shattering our privacy.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 1, Interesting) by Anonymous Coward on Wednesday November 22 2017, @07:27AM (11 children)
Why? Systemd also reports you to google :) https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658 [debian.org]
(Score: 3, Interesting) by edIII on Wednesday November 22 2017, @07:46AM (6 children)
That's not entirely true, and entirely impossible.
My DHCP servers *always* point towards an internal resolver, and have been pretty much forever. Only exception was when I was dialing into University to get Internet when it started. I don't know where I was getting resolution from then. Once I created my own router with Windows NT, bonded a bunch of modems, I also had my own resolver IIRC. It's been awhile to remember the specifics of early networking when Ethernet was getting started (fuck I'm old), but Google didn't even exist yet. When Google did exist, commodity routers were already available, and they had DHCP too. That would've been the ISPs resolvers I used for many years, and not Google either.
Where I work, and at a home, has 4.4.4.4 and 8.8.8.8 blocked at the network level. Along with a ton of other shit. So if you come by with a weirdly defaulted Linux running SystemD contacting Google, you might find yourself asking me for networking support :)
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 0) by Anonymous Coward on Wednesday November 22 2017, @07:59AM
Might happen on a public network though due to connectivity issues, but hey
Might as well run a resolving server at localhost to make sure the "defaults" never get used.
(Score: 2) by Virindi on Wednesday November 22 2017, @07:59AM (3 children)
Clearly though, most people don't have this set up.
(Score: 2) by edIII on Wednesday November 22 2017, @08:09AM (2 children)
Yeah, but most people also have DHCP turned on, and most DHCP servers set DNS, and that is mostly sourced from the DHCP lease from the ISP, and that means ISP resolvers. According to the threads the SystemD Google default is not used if DHCP sets DNS.
It's really a non-issue beyond the policy itself as the fallback is highly unlikely.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 0) by Anonymous Coward on Wednesday November 22 2017, @04:00PM (1 child)
guys android has always reported to 8.8.2.2 and 8.8.8.8 even when you set a different dns address- be it in the dhcp scope or statically.
do a packet capture and you'll see a request to your configured dns server, and one (sometimes more than one) to google dns servers.
the only way to stop it is to either not configure a gateway (not handy for applications requiring internet access), or to block it in the network somewhere, outside of the device.
you otherwise would need a software firewall on the android to prevent it, which is administratively more complicated to do and more clumsy than a device at the network edge. i mean its not like you can update the host file to point to a different dns server that is always defined by ip address anyway... i have seen people suggest that and that's clearly not how it works..
(Score: 2) by RS3 on Thursday November 23 2017, @12:52AM
How about
?
(Score: 2) by maxwell demon on Wednesday November 22 2017, @08:05AM
Probably from your university's own name server. Which likely also resolved names only valid inside the university network.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Virindi on Wednesday November 22 2017, @07:56AM (2 children)
People who care about things like privacy and security probably shouldn't be using SystemD-based services anyway. The whole project philosophy is that convenience is king.
For someone who wants things to "just work", it may be a good choice. But when you go looking for "just work", expect part of that to be that it works against your interests. That is the case with pretty much everything in life, not just software.
(Score: 2) by edIII on Wednesday November 22 2017, @08:15AM (1 child)
Yeah, well if you want modern hardware your stuck with Linux. Specifically, Ubuntu. Believe me. Aside from Windows 10, it was my last choice. All the BSDs couldn't even install, let alone work adequately on a live CD. It turned out that Ubuntu was literally my only non-Microsoft option that would support my hardware.
I want to do shit, and that means I can't deal with 4 year old hardware or however long I have to go back till BSD adequately supports it. I've seen people with the modified IBM thinkpads, but they're just not strong enough for me. I enjoy my 4K, multi-monitor lifestyle to much to quit it ;)
Not loving having to deal with SystemD, but in all fairness to SystemD, it's but an inconvenience compared to the oppression of Windows 10.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by Virindi on Wednesday November 22 2017, @08:36AM
Nothing is forcing you to use SystemD on Linux! There are plenty of alternative init systems available, almost all of which have a design philosophy closer to "the unix philosophy" and most of which have far fewer bugs.
While projects like Gnome might "require" SystemD, there are plenty of usable desktop environments and programs which do not. I personally use XFCE; in the past I have used LXDE. The only thing you don't get, really, is eye candy menus. In exchange though, it is much faster, uses fewer resources, and allows you to run the init system of your choice.
But that is also a question of philosophy: do you want your window manager and desktop experience in general to be flashy? Or, do you want it to just provide basic menus and task switching functionality, but otherwise stay out of the way? Personally I desire the latter; I use my computer because I want to use programs such as browsers, file managers, terminals, IDEs, media players, etc, so I want those to be the focus. I do not use my computer because I want to use a desktop environment.
If you use your computer because you want to play with flashy menus, then yes you may be out of luck. :)
(Score: 0) by Anonymous Coward on Wednesday November 22 2017, @02:36PM
Well that was an interesting thread. That dickhead appears to just not want to do the work nor does he have any clear conception of privacy, defaults or software development.
Thanks :)
(Score: 2) by Virindi on Wednesday November 22 2017, @07:26AM (4 children)
I'm sure even if Google "immediately discarded" the data, the NSA didn't. Which was probably the entire point.
(Score: 2) by MostCynical on Wednesday November 22 2017, @07:43AM (1 child)
No no no.. The NSA never had the data.. They likely just "redirected" it to AWS, where they, and other TLAs can inspect it when required.
No data on *our* servers, no!
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by edIII on Wednesday November 22 2017, @07:48AM
Well, if it's on AWS, we have a decent chance of public access. So not to be a pedant, but we ALL have the data :)
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by maxwell demon on Wednesday November 22 2017, @08:07AM (1 child)
The NSA probably already had the data directly from the cell towers.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Virindi on Wednesday November 22 2017, @08:54AM
That is surely possible. However, it requires a lot more cooperation and/or tapping than with a report-to-google mechanism.
(Score: 3, Funny) by Anonymous Coward on Wednesday November 22 2017, @08:46AM (5 children)
I'm not worried about Google, or even the government, tracking my location via my cellphone. My ankle bracelet already does that.
(Score: 4, Touché) by letssee on Wednesday November 22 2017, @10:42AM (4 children)
Pff, if you use a cell phone (even an old non-smart one) you are being tracked. Period. Your phone company knows where you are, and if the government need to know they can just ask. And the various secret services of the world probably pick the phone-company data off the web anyway.
Still, google and facebook are the two most scary companies in the world imho.
(Score: 2) by bob_super on Wednesday November 22 2017, @11:50PM (3 children)
> Still, google and facebook are the two most scary companies in the world imho.
Close, but not the top: They give you something for free, in exchange for the tracking.
Verizon and AT&T (and friends) track you, and still charge you. You kind of don't have the choice, courtesy of their anticompetitive actions.
At the pinnacle, I find it a scariest that people choose to shell out lots of cash for the privilege of being tracked by Apple.
(Score: 2) by letssee on Thursday November 23 2017, @08:55AM (2 children)
Apple is about the only company that does not sell your data to others. I think their hardware is overpriced and overdesigned and I don't like the hand-holding restrictiveness of their software, but they are more or less the last company whose business model is not 'big data'.
Still scary off course, the amount of data they send back to the mothership. You're one hack or company policy away from losing your privacy with Apple. But that's still better than Google/Facebook, where you don't have any privacy to begin with.
My nightmare news headline would be: "Google buys Microsoft as Facebook announces it's hostile takeover of Apple inc." Or swapped around.
(Score: 2) by bob_super on Saturday November 25 2017, @09:03AM (1 child)
*blinks*
*blinks*
*reads again*
*blinks*
You ... can't be seriously believing what you wrote, right? Poe's Law, whatever razor, someone, anyone, to the rescue of my sanity, please?
*reads again*
Oh shit, it IS there: "they are more or less the last company whose business model is not 'big data'."
*drinks*
(Score: 2) by letssee on Wednesday December 06 2017, @10:18PM
well, they need to do *something* different to justify their exorbitant pricing :-)
I'm not saying they won't change their stance, but atm they really are the lesser evil, compared to Google, Microsoft and (shudder) facebook.
Personally I use *only* linux. Usability be damned, I like my freedom.
(Score: 3, Interesting) by iWantToKeepAnon on Wednesday November 22 2017, @04:35PM
"Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
(Score: 2) by darkfeline on Wednesday November 22 2017, @07:50PM
This is for push notifications, and apparently Google started collecting cell tower data to optimize delivery of push notifications, but they never followed through and left the code in place.
If
1. You're using a smartphone.
2. You enabled push notifications.
3. Cellular data/SIM card is on.
You're absolutely out of your mind if you expect your location data to be secret. I think it's gracious that Google will remove this code, since with 1 and 3 above your location data is still being collected by dozens of parties, one of which will still be Google probably.
Join the SDF Public Access UNIX System today!
(Score: 2) by letssee on Thursday November 23 2017, @08:59AM
the whole DNS system is one big gaping security hole. We're badly in need of something distributed a la blockchain.
On a side note: Why do we even *need* DNS in this day and age. Why can't a computer's address just be it's domain name? The translation to a numeric address is an optimization from the 70s, shirley we can do better now?