In its next release, Android plans to up its privacy game. But the operating system still caters to ad trackers at its users' expense.
The newest release of Android, dubbed Q,
Many of the changes in Q are significant improvements for user privacy, from giving users more granular control over location data to randomizing MAC addresses when connecting to WiFi networks by default. However, in at least one area, Q's improvements are undermined by Android's continued support of a feature that allows third-party advertisers, including Google itself, to track users across apps. Furthermore, Android still doesn't let users control their apps' access to the Internet, a basic permission that would address a wide range of privacy concerns.
One ID to rule them all
Q places new restrictions on non-resettable device identifiers like the IMEI number and serial number. Apps will need to request a new "read privileged phone state" permission to access them. These changes are good: they will help prevent apps from tracking users based on information they can't modify or reset, and they obey the principle of least privilege: apps that don't absolutely need access to potentially sensitive information shouldn't have it. Unfortunately, Android Q will still allow unrestricted access to its own, custom-made tracking identifier.
Android generates and exposes a unique device identifier, called an advertising ID, that allows tracking advertisers to link your behavior across different apps. The ad ID can be thought of as a tracking cookie, visible by default to every app on your device, that can't be restricted or deleted (though it can be reset). As of the latest release, Google encourages ad trackers to eschew other device identifiers, like IMEI, in favor of the ad ID. Facebook and other targeting companies allow businesses to upload lists of ad IDs that they have collected in order to target those users on other platforms.
Android includes an "opt out of ad personalization" checkbox, buried deep in the settings, that allows users to indicate that they don't want to be tracked by their ad ID. Checking it should delete the ID entirely, or at least restrict apps' access to it, right? Wrong. Instead, the checkbox doesn't affect the ad ID in any way. It only encodes the user's preference, so that when an app asks Android whether a user wants to be tracked, the operating system can reply "no, actually they don't." Google's terms tell developers to respect this setting, but Android provides no technical safeguards to enforce this policy.
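To make the point concrete, here is an added example (not code from the original article) of what "respecting the setting" looks like from the app side: the app receives the ID regardless, and the only thing standing between the user's preference and a tracker is a check the developer chooses to write. AdvertisingIdClient.getAdvertisingIdInfo() and Info.isLimitAdTrackingEnabled() are the actual Google Play services calls; the AdIdPolicy class and its Decision type are this example's own names.

```java
import android.content.Context;
import android.util.Log;

import com.google.android.gms.ads.identifier.AdvertisingIdClient;
import com.google.android.gms.common.GooglePlayServicesNotAvailableException;
import com.google.android.gms.common.GooglePlayServicesRepairableException;

import java.io.IOException;

/** Hypothetical helper (example code): honor the user's ad-tracking opt-out. */
public final class AdIdPolicy {
    private static final String TAG = "AdIdPolicy";

    /** What the rest of the app is allowed to use. */
    public static final class Decision {
        public final String adId;      // null when the user opted out or the ID is unavailable
        public final boolean limited;  // true when the "opt out of ad personalization" box is ticked

        Decision(String adId, boolean limited) {
            this.adId = adId;
            this.limited = limited;
        }
    }

    /**
     * Must run off the main thread: getAdvertisingIdInfo() blocks on an IPC
     * to Google Play services and throws IllegalStateException on the UI thread.
     */
    public static Decision resolve(Context context) {
        try {
            AdvertisingIdClient.Info info = AdvertisingIdClient.getAdvertisingIdInfo(context);
            if (info.isLimitAdTrackingEnabled()) {
                // The OS still returns info.getId() here; nothing stops an app from
                // reading it. Discarding it is the app's decision, not the platform's.
                return new Decision(null, true);
            }
            return new Decision(info.getId(), false);
        } catch (GooglePlayServicesNotAvailableException
                 | GooglePlayServicesRepairableException
                 | IOException e) {
            // Fail closed: if we cannot learn the preference, behave as if opted out.
            Log.w(TAG, "advertising ID unavailable; treating user as opted out", e);
            return new Decision(null, true);
        }
    }
}
```

The fail-closed branch matters for the same reason the article gives: since the platform enforces nothing, any code path that falls back to "use the ID anyway" silently defeats the user's choice.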
You can view your advertising ID on Android by heading to Settings > Google > Ads, and you can reset it by tapping "Reset advertising ID." This will cause your phone to generate a new, unique ad ID that is unrelated to the old one. While it's nice that Google gives you some control over your ad ID, neither a preference flag nor a simple reset will actually prevent anyone from tracking you. Apps on your device can access more than enough information to allow them to link your old ID to your new one if they so choose. Once again, Google politely instructs trackers to respect the user's intention in resetting the advertising ID, but does not indicate how this is enforced.
Apple's iOS has a nearly identical Identifier for Advertisers (IDFA), which is also available to developers without any special permissions. Like Google, Apple's decision to allow this kind of tracking by default conflicts with its privacy-focused marketing campaign. Unlike Google, Apple does give users the ability to turn off tracking completely by setting the IDFA to a string of zeros.
On Android, there is no way for the user to control which apps can access the ID, and no way to turn it off. While we support Google taking steps to protect other hardware identifiers from unnecessary access, its continued support of the advertising ID, a feature designed solely to support tracking, undercuts the company's public commitment to privacy.
Internet access: the permission that isnt
The advertising ID should not be enabled by default, and users should have a way to turn it off for good. But apps can't collect your advertising ID, or any other kind of personal information, without access to the Internet. Much of the most egregious tracking in the Play Store is performed by apps that have no business on the Internet at all, like single-player games, stopwatches, and flashlights.
This should be simple. If an app doesn't need access to the Internet, it shouldn't have it. And users should be able to decide which apps can and can't share data over the network. But neither iOS nor Android has an Internet permission that users can grant or revoke. Every developer of every app has access to as much data as it can gather whenever the device is online. It's time for Google to fix it already.
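Android does have an android.permission.INTERNET entry in every networked app's manifest; the problem the article describes is that it is a "normal" permission, granted automatically at install and never surfaced to the user. The following added example (not from the original post) uses the standard PackageManager API to audit which installed apps request it and to confirm that, for each of them, it is already granted. The InternetPermissionAudit class and its Entry type are this example's own names; getInstalledPackages(), requestedPermissions and checkPermission() are real framework calls.

```java
import android.Manifest;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;

import java.util.ArrayList;
import java.util.List;

/** Hypothetical audit helper (example code): which installed apps can reach the network. */
public final class InternetPermissionAudit {

    /** One row of the report. */
    public static final class Entry {
        public final String packageName;
        public final boolean granted;  // for a normal permission this is always true once installed

        Entry(String packageName, boolean granted) {
            this.packageName = packageName;
            this.granted = granted;
        }
    }

    public static List<Entry> audit(Context context) {
        PackageManager pm = context.getPackageManager();
        List<Entry> report = new ArrayList<>();

        // GET_PERMISSIONS fills in requestedPermissions from each app's manifest.
        for (PackageInfo pkg : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            String[] requested = pkg.requestedPermissions;
            if (requested == null) {
                continue;  // app declares no permissions at all
            }
            for (String perm : requested) {
                if (Manifest.permission.INTERNET.equals(perm)) {
                    // There is no runtime prompt and no revoke switch for INTERNET,
                    // so this check is expected to report PERMISSION_GRANTED.
                    boolean granted = pm.checkPermission(
                            Manifest.permission.INTERNET, pkg.packageName)
                            == PackageManager.PERMISSION_GRANTED;
                    report.add(new Entry(pkg.packageName, granted));
                    break;
                }
            }
        }
        return report;
    }
}
```

Run from any app context (a settings-style utility, for instance), the report is the list a user would need to make the decision the article asks for, and the `granted` column is the evidence that the platform has already made it for them. Note that on releases after Q, package-visibility rules limit what getInstalledPackages() returns unless the auditing app declares QUERY_ALL_PACKAGES.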