Research conducted by Doug Leith, professor and chair of computer systems at Trinity College Dublin, reveals that Android users are subject to a range of advertising cookies and tracking mechanisms that begin collecting data even before the first app is launched. According to Leith’s findings, these identifiers operate without seeking user consent, leaving individuals with no option to opt out.
Unveiling the Tracking Mechanisms
Leith’s study identifies multiple systems within the Android environment that relay user data back to Google through pre-installed applications such as Google Play Services and the Google Play Store, all occurring without any interaction from the user. Among these is the “DSID” cookie, which Google describes as a tool for recognizing signed-in users on non-Google websites, ensuring that their preferences for personalized advertising are honored. This cookie has a lifespan of two weeks.
While Google’s documentation provides some insight, Leith critiques it as “rather vague and not as helpful as it might be.” He emphasizes the critical issue: users are not asked for consent before the cookie is deployed, nor do they have the ability to opt out.
Shortly after logging into their Google account, users unwittingly become subject to the creation of the DSID cookie as part of the Android startup process. This tracking file is linked to the user’s account and stored within the Google Play Service’s app data folder. Leith posits that this cookie is likely the primary mechanism through which Google associates analytics and advertising events, such as ad clicks, with individual users.
Another persistent tracker is the Google Android ID, a device identifier tied to a user’s Google account that is generated upon the first interaction with Google Play Services. This identifier continues to transmit device data back to Google even after the user has logged out of their account. The only method to eliminate this identifier and its associated data is through a factory reset of the device.
Leith acknowledges that while he could not determine the specific purpose of the Android ID, a comment within the code suggests that it is regarded as personally identifiable information (PII). This classification potentially brings it under the purview of the European General Data Protection Regulation (GDPR), which remains largely intact in UK law.
Concerns Over Data Privacy
The paper meticulously outlines various other trackers and identifiers that Google installs on Android devices without user consent, raising questions about potential violations of data protection laws. Prior to publishing his findings, Leith sought a response from Google, allowing time for dialogue. He recounts the exchange, noting that Google provided a brief reply, refraining from commenting on the legal implications and failing to address any errors or misstatements he had highlighted.
A spokesperson for Google responded to The Register, stating, “This report identifies a number of Google technologies and tools that underpin how we bring helpful products and services to our users. The researcher acknowledges in the report that they are not legally qualified, and we do not agree with their legal analysis. User privacy is a top priority for Android, and we are committed to complying with all applicable privacy laws and regulations.”
Emerging Controversies
The findings come at a time when concerns are mounting over another feature, Android System SafetyCore, introduced in a recent update for devices running Android 9 and later. This feature scans users’ photo libraries for explicit content and issues warnings before viewing. Google asserts that the classification process occurs solely on the device, with no data shared with the company.
Despite assurances, users have expressed discontent regarding the installation of SafetyCore, which began rolling out in November 2024 without an option for users to manage or decline its installation. While some users can uninstall or disable the feature, reports indicate that in certain cases, the uninstall option is grayed out or the app reinstalls with subsequent updates.
The Google Play page for SafetyCore is filled with negative reviews, many of which highlight the lack of consent during its installation. One user encapsulated the sentiment, stating, “In short, it is spyware. We were not informed. It feels like the right to privacy is secondary to Google’s corporate interests.”
