Researchers from Trinity College, Dublin and the University of Edinburgh analyzed six companies that use Android Operating System (OS) on their devices — including Samsung, Xiaomi, Huawei, Realme, LineageOS and /e/OS. The authors of the study surveyed Data Transmissions between the phone devices and the developers of the operating system, concluding that the extent of the information exchanged raises a number of questions about users privacy.

While some communication and information exchange between the Device and the Operating System developers was expected, researchers say that the amount of Data that is given to the Corporations is much larger than what users are aware of.

The method chosen to analyze the amount of access was simple: The group chose to “emulate” the personality of a user concerned about their privacy, but has no technical knowledge about the device’s functions and is always busy, which, when requested, does not select options that share their data, but leaves the device settings with their default values. “Our focus is to define simple scenarios that can be applied uniformly to the studied devices (allowing direct comparisons) and can easily generate reproducible behavior,” the researchers stated.

The hypothetical user also does not choose to receive diagnostics, analysis or data collection to improve the “user’s experience”. It also does not resort to optional services such as cloud storage, “find my phone”, and other similar resources. In summary, the device would only be used for communication via text messages or links.

From this specific set of rules, with few settings and while in suspended mode, phones would still send the device’s Data to Operational Software Developers and some selected Third Parties. Although it sounds like it, that’s not even the worst thing: Generally, users don’t even control the Data Ping, even if they want to, which means that they can’t control the amount of data they (don’t) want to deliver — note: Data Ping is the time it takes for a small set of data to be transmitted from your device to an Internet server, and back to your device.

The researchers attributed most of the blame to “system apps,” essentially preinstalled apps provided by the smartphone manufacturer to ensure functionality, including, for example, the phone’s “camera app”. Most of these apps are stored in the phone’s “read-only memory” (ROM), which means that these apps cannot be deleted or modified without the user “root” their devices. — note: ROM memory is a category of nonvolatile memory, typically used to store systems and software that cannot be changed. In the case of mobile phones, ROMS usually load the operating system and basic software of the device.

Regarding the main points of the study, the first quoted by the scientists is the ability to link Advertising ID’s. On this note, it is stated that Samsung, Xiaomi, Realme and Google collect identifiers of long-lasting devices — such as the serial number of the equipment.

An “Advertising ID” is a unique user ID assigned to a mobile device to help personalize advertising services in your offerings. It can be shared with advertisers and third parties for the purpose of tracking user movements and habits in their phones — which certainly creates a conflict regarding users privacy. In the study, the researchers noted that even when a user resets their id, the previous data remain bounded to the device — that is, there is no way out.

The second aspect addressed is what they call the “Data Ecosystem”, also correlated with the Advertising Id. What they’ve noticed is that several companies collect data from each device, and that there’s a potential cross-link to data transmission between all of these companies — researchers also found out that on all devices, except those from /e/OS, Google collects an absurd amount of information.

On the Samsung devices, Google’s Advertising Id is sent to Samsung servers, where a number of Samsung system apps use “Google Analytics” to collect data, and “Microsoft OneDrive” uses Google’s “push” service — a push service or technology receives a network request, validates it, and delivers a push message to the appropriate browser; if the browser is offline, the message will be queued until the browser goes online. This data transmission between Google’s Advertising Id and the servers of the developers companies is a common fact in all of the researches, really generating a data ecosystem. When something is free, usually you are the product.

The next point raised was the user’s interactions with the device. It was noticed that system applications on multiple devices carry extensive details of user interactions with those applications— for instance, which applications are used and when, which screens are viewed, when, and for how long. The effect, according to the analysis, is analogous to the use of cookies to track users on the Internet.

To completely understand the analysis of this research, you need to know what “cookies” are. So, to summarize: Cookies are small packets of data that web pages load on their servers for a variety of reasons. Each time you enter the same site, the computer returns this small packet of information to the website’s server, which detects that you have entered the page again. When you access your email account or Facebook profile, cookies allow your username and password to be saved, so the next time you don’t have to re-type them. In addition to storing sequences of digits and letters, cookies can also use these tools to track internet user activity.

The main problem is: these “virtual spies” collect information about your internet habits: the pages you visit frequently and the topics you’re interested in. The problem is that they often share this information with data analytic companies or marketing companies that develop targeted campaigns. It is no fool that experts in the fields of technology and virtual advertising predict that “Advertising Id’s” will become a more powerful version of cookies for advertisers.

Regarding the Xiaomi devices, the system app carries a time-history of the application tabs viewed by the user of the device on Xiaomi’s servers. This reveals detailed information about the usage of the device over time, such as the dates and average duration of phone calls, for example. Similarly, in Huawei, the Swiftkey Keyboard records when the keyboard is being used in an application and sends Microsoft servers a history of usage over time. This data transmission includes, for example, text writing, use of the search bar, contact search, and more.

Several Samsung system applications use Google Analytics to record user interactions — viewed tabs, etc. Xiaomi and Huawei use Google’s messaging app — the system made to send and receive SMS texts — to record user’s interactions, such as when a message is sent.

During the research, it were also covered details of the installed applications. As the researchers note, these details are less worrisome than the potential for monitoring users with applications, discussed earlier, but still contain the capture of sensitive information, since it can lead to traction of a user profile. For example, depending on the news app you install on your device, companies can tell your policy orientation. Depending on the dating app you use, being, for example, an exclusive for non-straights, they also manage to determine your sexuality. These details can also be unique to a device or a small group of devices, and then act as a device’s “digital fingerprint” —the researchers also stated that this practice is even more dangerous when combined with device and system data, which are also widely collected.

Based on these frame-by-frame analysis, some concerns are raised. Among them is the fact that there is no way to not have your data tracked — as said, this data collection occurs even when privacy settings are enabled. Users have no way out — at least not an easy and simple one for ordinary people who don’t have the time or complete knowledge to understand modern technology.

If an individual does not have complete understanding about the kind of information that’s being collected — such as what their data mean, what can be done with the distribution of it, what technical terms and advertising identities are — there is no way to claim that there´s consent between user and company in this particular scenario.

Note: The back-end is the server that provides data on demand, in the application that channels it, and in the database that organizes the information.

Two main issues can also be pointed out: The release of sensitive data and the impossibility of anonymity of the device. Sensitive data can be used in problematic ways and metadata —information about information; an item of a metadata can tell what is given, usually information understandable by a computer — can also contain confidential information.

A potentially sensitive example of what this metadata is can be seen on the name, time, and duration of application tabs viewed by a user. As already said, this may reveal possible interests in drawing a detailed profile of the device’s owner —and, personally, I don’t believe that this kind of sensitive information could trusted to the hands of public entities and specially on private entities.

Data that is not dangerous or confidential in by themselves can become confidential when combined with each other, making it a harmful monitoring system for everyone’s privacy and security. As the researchers note: this is not a hypothetical concern, since large companies such as Google, Samsung, Huawei and Xiaomi operate mobile payment services and provide custom internet browsers with the devices they sell.