If you’re worried your phone might be spying on you, sharing your data and location without you realizing, then a new report this week will make alarming reading.
“You can’t say no to Google’s surveillance,” the Cybernews research team warns, describing a secretive stream of data they say continually transmits from a new phone to Google’s servers. Even more “concerning,” they say, “the phone periodically attempts to download and run new code, potentially opening up security risks.”
The Cybernews team took a “brand-new [Pixel 9 pro XL] with a new Google account and default settings” and rooted it to enable a man-in-the-middle data interception. The team “proxied the inbound and outbound traffic and used a custom security certificate to decrypt and examine the communications,” albeit rooting the phone disabled some features and so the intercepted data was not complete.
Because the testing took place with a new, default account, the team did not test to see the effect that user changes to privacy and security settings might have. But just as we’ve seen with browsers and apps—given most users maintain broadly default settings, it’s imperative those offer a good degree of out of the box protection.
“Every 15 minutes,” they say, the “Pixel 9 Pro XL sends a data packet to Google. The device shares location, email address, phone number, network status, and other telemetry.” This data, they found, is sent “to various Google endpoints, including Device Management, Policy Enforcement, and Face Grouping.”
There are clear sensitivities with contact details, device and network details, and other telemetry. But location data is especially sensitive, given the intrusive nature of such tracking data and the inferences this can provide about our lives.
We saw this sensitivity play out in Google’s welcome move to stop collating user timelines from Google Maps and instead maintain data on-device only. Worse, Cybernews says, “location data is included in the request even when GPS is disabled – the phone then relies on nearby Wi-Fi networks to estimate the location.”
There are multiple reasons why the collection of this data might be required to enable certain features, with Cybernews giving the example of the “newly introduced Car Crash Detection,” as one of these. There are also the diagnostic and services streams that flow from a device, and it’s unclear how this phone was setup. But the watchword is transparency and what users can reasonably be expected to know is taking place.
Cybernews also raises the concern that communication takes place “with services the user didn’t explicitly consent to.” The example given is the Photos app, which they say they did not open nor take photos, but “the Pixel periodically contacted endpoints associated with Google Photos’ Face Grouping feature without asking for consent.”
Beyond the location and other data collection, Cybernews also claims the device reached out to Google for new code to execute, opening up security risks. This security risk is much more of a stretch than than the data capture, and there is no evidence of any vulnerability to third-party code, especially with Play Protect enabled on the device. That said, one can never rule out the more sophisticated adversaries hijacking such openings for their own purposes.
The data egress is more tangible. The data Cybernews says it captured off-device, and the frequency with which that was being sent, certainly warrants some transparency. That said, this is a Google device in the hands of a user with a Google account, and there’s no suggestion any of this data was transmitted to any third-party. But given Google’s mixed record on privacy and data harvesting, users will likely have concerns. I have asked Google for their comments on the new report and its findings.
Meanwhile, the researchers warn that “the deep integration of surveillance systems in [Google’s] ecosystem may leave users vulnerable to privacy violations.” And while this test was specifically for the new Pixel Pro devices, it’s clearly a wider issue.