A report Tuesday was a good reminder that no matter what you’ve done to keep your phone from tracking you, your phone is still tracking you.
Quartz discovered that Google has been relaying Android phone users’ locations to cellphone towers even when the user has turned off location services, isn’t using any apps, and doesn’t have a SIM card installed.
“It is really a mystery as to why this is not optional,” Matthew Hickey, a security expert and researcher at London-based Hacker House, told Quartz. “It seems quite intrusive for Google to be collecting such information that is only relevant to carrier networks when there are no SIM card or enabled services.”
Beginning in January, Google made a change that included cell tower information (known as a Cell ID code) in data the company uses to manage messages and push notifications. Google sent that data to cellphone towers even if the phone user had explicitly switched off location services. And, as Quartz found, the phones also transmitted that information if you’d taken other additional privacy measures, including if your phone had no SIM card—that is, if your phone wasn’t even connected to a carrier network.
The change affected all Android devices, regardless of brand or model, sending data to Google each time the device came in range of a new cellphone tower. A Google representative said the company included that information in order to improve the performance and overall speed of messaging. The data, which can be used to triangulate an Android user’s location within a quarter-mile radius, was encrypted but never stored. Google said that by the end of the month, it will stop transmitting Cell ID codes.
The revelation is troubling, but not at all surprising. Earlier this year, we learned that the Uber app had found a way to fingerprint iOS users even after they’d deleted the Uber app, and up until late August, would track your location even after your ride was over. There are also ways for apps to track your location even if you haven’t given them permission to do so. According to a Danish research team, back in 2015, apps such as Angry Birds, Pandora, and Candy Crush had this capability.
And apps that do collect your location data aren’t necessarily keeping it secret. Using a service called SafeGraph, smartphone apps are selling your geographic data to third parties for money. According to a study that used SafeGraph to track how long we spend at Thanksgiving dinner, SafeGraph tracks data from more than 10 million smartphones in the U.S. And in November 2016 alone, SafeGraph collected 17 trillion smartphone movement data points.
It’s not surprising then that those with knowledge of smartphone security (or its lack thereof) have taken extreme measures for covert meetings. Before the journalist Glenn Greenwald met with Edward Snowden, for example, documentary filmmaker Laura Poitras requested that Greenwald either remove the battery from his phone or leave the phone in his hotel room. “It sounds paranoid,” Poitras said to Greenwald at the time, before explaining that the government can activate cell phones and laptops remotely to eavesdrop. Snowden also famously requested that his lawyers place their phones in the refrigerator to prevent eavesdropping.
Quartz said that Google’s Cell ID location tracking went “beyond a reasonable consumer expectation of privacy.” But if history is any indicator, expecting any reasonable amount of privacy on your smartphone is borderline delusional. On a routine basis, we discover that apps have been hacked, that they’re using our data unethically, or that more information is being shared or tracked than initially realized. Companies—even if they are genuinely well-meaning—cannot be trusted at their word. If you want to ensure you’re truly protected against unwanted data tracking, your only guaranteed option is to turn your phone off, take out the battery, and leave it at home.