- 3,002
- 280
- 1,730
Researchers from Trinity College Dublin have found that Android users are exposed to advertising cookies and other trackers even before they launch the first app on their device.
In his report , Trinity Professor and Chair of Computer Systems Doug Leith says that no one asks users for their consent to use various identifiers, and people simply cannot opt out of using them.
Leith found various mechanisms in Android that transmit data to Google through pre-installed applications (Google Play Services and the Google Play store), even if the user has never opened the Google apps themselves.
One such tracker is the DSID cookie. According to Google documentation , it is used to identify “an authorized user on non-Google websites so that the user’s personalized advertising preferences are taken into account accordingly.” The DSID file “lives” for two weeks.
The expert notes that Google’s documentation of this mechanism has proven vague and largely unhelpful, but the main problem is that Google doesn’t ask for a person’s consent to install the cookie at all and doesn’t provide an option to opt out.
The advertising DSID is created immediately after a user signs in to their Google account (as part of the Android startup process), along with a tracking file that is placed in the Google Play Service app data folder.
Leith says the DSID cookie is “almost certainly” the primary way Google connects analytics and advertising events, such as ad clicks, to specific users.
Another tracker that can’t be deleted once created is the Google Android ID, a device identifier associated with a Google account and created immediately after the device first connects to Google Play Services.
It transmits device data to Google’s servers even after the user signs out of their Google account. And the only way to get rid of the Google Android ID and the data associated with it is to reset the device to factory settings.
Leith writes that he has not been able to determine the exact purpose of the identifier, but he cites a comment he found in the code, presumably made by a Google developer, that classifies the identifier as personal data and is likely covered by the General Data Protection Regulation (GDPR) in Europe.
Leith's research also details other trackers and identifiers that Google installs on Android devices without user consent. According to the expert, in many cases this could be a potential violation of the law.
At the same time, the Trinity College professor describes his communication with Google representatives as follows:
[td]"They gave a short answer, saying they would not comment on the legal aspects (which they were not asked to do). They did not point out any errors or misstatements in the report (which is what they were asked to comment on). They did not answer our questions about whether they planned to make any changes to how they handle cookies and other data stored by their software."[/td]After the study was published, company representatives told the media that the report described “Google’s technologies and tools that underpin the company’s delivery of useful products and services to our users.”
[td]"In the report, the researcher acknowledges that he is not a legal expert, and we disagree with his legal analysis. User privacy is a top priority for Android, and we are committed to complying with all applicable privacy laws and regulations," Google said.[/td]It’s worth noting that Google was recently at the center of a controversy surrounding the Android System SafetyCore app , which suddenly appeared on all devices running Android 9 and above.
The app scans all images a user sends and receives (but not the device’s photo gallery itself) for explicit content and displays content warnings before the user views the image.
Google claims that “content classification happens entirely on your device and the results are not shared with Google.” Similar technology is expected to appear in Google Messages in the future to prevent users from being exposed to inappropriate images.
Google began rolling out SafetyCore to users’ devices in November 2024, and people were not given the option to opt out or control the installation. The app simply appeared on devices.
While SafetyCore can be uninstalled or image scanning can be opted out, the app’s Google Play store page is littered with negative reviews, and many people are upset that the app was installed without their consent.
[td]"In short, it's spyware. We were not informed. It feels like privacy is secondary to Google's corporate interests," wrote one angry user.[/td]
In his report , Trinity Professor and Chair of Computer Systems Doug Leith says that no one asks users for their consent to use various identifiers, and people simply cannot opt out of using them.
Leith found various mechanisms in Android that transmit data to Google through pre-installed applications (Google Play Services and the Google Play store), even if the user has never opened the Google apps themselves.
One such tracker is the DSID cookie. According to Google documentation , it is used to identify “an authorized user on non-Google websites so that the user’s personalized advertising preferences are taken into account accordingly.” The DSID file “lives” for two weeks.
The expert notes that Google’s documentation of this mechanism has proven vague and largely unhelpful, but the main problem is that Google doesn’t ask for a person’s consent to install the cookie at all and doesn’t provide an option to opt out.
The advertising DSID is created immediately after a user signs in to their Google account (as part of the Android startup process), along with a tracking file that is placed in the Google Play Service app data folder.
Leith says the DSID cookie is “almost certainly” the primary way Google connects analytics and advertising events, such as ad clicks, to specific users.
Another tracker that can’t be deleted once created is the Google Android ID, a device identifier associated with a Google account and created immediately after the device first connects to Google Play Services.
It transmits device data to Google’s servers even after the user signs out of their Google account. And the only way to get rid of the Google Android ID and the data associated with it is to reset the device to factory settings.
Leith writes that he has not been able to determine the exact purpose of the identifier, but he cites a comment he found in the code, presumably made by a Google developer, that classifies the identifier as personal data and is likely covered by the General Data Protection Regulation (GDPR) in Europe.
Leith's research also details other trackers and identifiers that Google installs on Android devices without user consent. According to the expert, in many cases this could be a potential violation of the law.
At the same time, the Trinity College professor describes his communication with Google representatives as follows:
The app scans all images a user sends and receives (but not the device’s photo gallery itself) for explicit content and displays content warnings before the user views the image.
Google claims that “content classification happens entirely on your device and the results are not shared with Google.” Similar technology is expected to appear in Google Messages in the future to prevent users from being exposed to inappropriate images.
Google began rolling out SafetyCore to users’ devices in November 2024, and people were not given the option to opt out or control the installation. The app simply appeared on devices.
While SafetyCore can be uninstalled or image scanning can be opted out, the app’s Google Play store page is littered with negative reviews, and many people are upset that the app was installed without their consent.