An investigation has revealed that Android phones have been collecting and sending location back to Google even when location services are disabled. Google confirmed that it has been doing this since the beginning of 2017, and say that it will end the practice by the end of this month.
Google says that Android phones collect the addresses of nearby cellular towers and transmit the information back to its servers, but claims that the data is ‘never used or stored’ …
The cell tower addresses have been included in information sent to the system Google uses to manage push notifications and messages on Android phones for the past 11 months, according to a Google spokesperson. The were never used or stored, the spokesperson said, and the company is now taking steps to end the practice after being contacted by Quartz.
Even if Google didn’t use the data itself, security commenters say that collecting it without permission is potentially risky.
The practice is troubling for people who’d prefer they weren’t tracked, especially for those such as law-enforcement officials or victims of domestic abuse who turn off location services thinking they’re fully concealing their whereabouts. Although the data sent to Google is encrypted, it could potentially be sent to a third party if the phone had been compromised with spyware or other methods of hacking. Each phone has a unique ID number, with which the location data can be associated.
There appears to be no way for a user to switch off the data collection.
Even devices that had been reset to factory default settings and apps, with location services disabled, were observed by Quartz sending nearby cell-tower addresses to Google. Devices with a cellular data or WiFi connection appear to send the data to Google each time they come within range of a new cell tower. When Android devices are connected to a WiFi network, they will send the tower addresses to Google even if they don’t have SIM cards installed.
However, Google said that apps would not have access to the data.
According to the Google spokesperson, the company’s system that controls its push notifications and messages is “distinctly separate from Location Services, which provide a device’s location to apps.”
Google does allow advertisers to target consumers based on their location.