University of Edinburgh: Extensive scale of phone data sharing revealed

The research, led by the University of Edinburgh and Trinity College Dublin, found that six Android devices collect and share extensive amounts of data with third parties, with no opt-out available for users.

Data transmission
The team examined the Operating Systems (OS) developed by Samsung, Xiaomi, Huawei, Realme, LineageOS and e/OS and the data that these collect.

With the notable exception of e/OS, scientists found that even when the mobiles were minimally configured and the handsets idle, they transmitted substantial amounts of information to their OS developer and to third parties such as Google, Microsoft, LinkedIn and Facebook.

Privacy concerns
Researchers said they expected some communication with the OS developers, but the surprising volume of data transmission they observed raises a number of privacy concerns.

All the devices examined, aside from those running e/OS, collect a list of every app installed on their handsets. This potentially sensitive information can reveal user interests, including the use of mental health apps, religious faith apps, dating apps and political news apps. Users have no opt-out from this data collection.

No opt-out
The Xiaomi handset sends details of all the app screens viewed by a user to Xiaomi, including when and how long each app is used.

On the Huawei handset, the Swiftkey keyboard sends details of app usage over time to Microsoft. This reveals, for example, when a user is writing a text, using the search bar or searching for contacts.

Samsung, Xiaomi, Realme and Google collect long-lived device identifiers, such as the hardware serial number, alongside user-resettable advertising identifiers.

Third-party system apps from Google, Microsoft, LinkedIn and Facebook are pre-installed on most of the handsets and silently collect data, with no opt-out.

Wake-up call
Researchers say they hope their findings will serve as a wake-up call to politicians and regulators. They called for meaningful action to give the public real control over the data that leaves their phones.

Although we’ve seen protection laws for personal information adopted in several countries in recent years, including by EU member states, Canada and South Korea, user-data collection practices remain widespread. More worryingly, such practices take place “under the hood” on smartphones without users’ knowledge and without an accessible means to disable such functionality. Privacy-conscious Android variants are gaining traction though and our findings should incentivise market-leading vendors to follow suit.

Professor Paul Patras
Associate Professor, School of Informatics, University of Edinburgh

I think we have completely missed the massive and ongoing data collection by our phones, for which there is no opt out. We’ve been too focused on web cookies and on badly-behaved apps. I hope our work will act as a wake-up call to the public, politicians and regulators. Meaningful action is urgently needed to give people real control over the data that leaves their phones.

Professor Doug Leith
Chair of Computer Systems, School of Computer Science and Statistics, Trinity College Dublin