Even if GPS is disabled, the phone still sends its location, which it determines from nearby Wi-Fi networks. Security researcher Aras Nazarovas says, “The Pixel 9 Pro XL repeatedly uses PII for authentication, configuration, and logging. This practice doesn’t align with the industry’s best anonymization practices and appears excessive. The smartphone transmits the user’s email address, location, and phone number, even when utilizing a variety of other identifiers for the user and the device.”
The report adds that the device requests a check-in every 40 minutes listing the firmware version, whether the phone is using Wi-Fi or mobile data, the carrier whose SIM card is being used on the phone, and the email address of the user. Additionally, while Cybernews did not open the Photos app on the Pixel 9 Pro XL, the phone occasionally contacted endpoints connected to Google Photos’ Face Grouping feature without asking for consent.
“The amount of data transmitted and the potential for remote management casts doubt on who truly owns the device. Users may have paid for it, but the deep integration of surveillance systems in the ecosystem may leave users vulnerable to privacy violations.” - Aras Nazarovas, security researcher
Researcher Nazarovas explains that this is concerning. “These services are especially sensitive as the endpoints are used for processing of biometric data, such as facial recognition. Since there were no photos on the test device, we did not observe any personally identifiable information being sent to these endpoints,” he said. The Voice Search feature on the Pixel also connected with Google servers. Sometimes this took place multiple times within a few minutes; at other times the connection wouldn’t take place for hours.
Google responds to security researcher’s Pixel 9 Pro XL concerns