This is bad. Google actively receives location data from Android users even when location services have been switched off.
Starting from early 2017, Android phones have been gathering addresses of nearby cellular towers and sending this data back to Google, Quartz reports. The most troubling part is that this has been going on even when users have disabled location services.
According to the publication, Android handsets collected location data pretty much all the time and subsequently relayed all stored information back to Google once connected to the internet. Quarts claims that all modern Android phones are affected by this vulnerability.
Cell tower addresses were collected by the same system that Google uses to manage push notifications and messages, a spokesperson for the company told Quartz. While this has been going on for 11 months so far, the spokesperson insisted none of the data has been stored or used.
Following the coverage, the Mountain View heavyweight has vowed to take measures to prevent this from happening in the future, promising the issue will be fully eliminated by the end of November.
“In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery,” the Google spokesperson said. “However, we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID.”
While location data from a single cell tower will only reveal an approximation of where a device is, pulling data from multiple towers could be used to triangulate a handset’s location to within a quarter-mile radius.
Curiously, Google does indeed mention it gleans location data, but does not state whether this is the case when location services have been disabled.
When you use Google services, we may collect and process information about your actual location. We use various technologies to determine location, including IP address, GPS, and other sensors that may, for example, provide Google with information on nearby devices, Wi-Fi access points and cell towers.
This marks the second time in recent months the search giant has been caught collecting user data under questionable circumstances.
Earlier in October, numerous distressed netizens took to Reddit to warn fellow Android users that Google has an Activity Recognition API that allows third-party apps to track your physical activity – even when your device is offline.
“You cannot disable the Play services as they have system-privileges on stock Android, but basically all devices not sold within China use them.” Smarter:Time CTO Anis Fehri told TNW over email.
“We can confirm that the ActivityRecognition algorithms work offline, but do not know if any of that data is sent to Google servers (they probably do not need it, they already have access to our geolocation, again through the Play services).”
Unlike the location data received by cell towers though, there is a way to stop Google from collecting your activity data.