June 2024: Security researcher Alexander Hagenah released TotalRecall, copying the Recall SQLite database (C:\Users\$USER\AppData\Local\CoreAIPlatform.00\UKP\{GUID}\ukg.db) and extracting all screenshots and OCR text in under 2 seconds. Database stored in plaintext SQLite, completely unencrypted when logged in. One test captured 133 windows, 36 images, found 22 instances of "password" in extracted text. Kevin Beaumont confirmed: "stored in an SQLite plaintext database" readable by any process.

Nov 2022: Researchers Tommy Mysk and Talal Haj Bakry demonstrated Apple's own apps (App Store, Apple Music, Apple TV, Books, Stocks) continued sending detailed real-time analytics to Apple even when "Share iPhone Analytics" toggled off AND "Allow Apps to Request to Track" disabled. Mysk: "Opting-out or switching the personalization options off did not reduce the amount of detailed analytics." Tested on jailbroken iOS 14.6 and standard iOS 16. By comparison, Google Chrome and Microsoft Edge actually stopped when disabled.

Prof. Douglas Leith (TCD, Mar 2021): even with Usage & Diagnostics off, Pixel sends ~1.2MB telemetry to play.googleapis.com/log/batch at startup. android.googleapis.com/checkin transmits IMEI, hardware serial, SIM IMSI, WiFi MAC, AndroidId, Droidguard key — regardless of settings. Data sent every 255 seconds (4.25 min) on average when idle. Google's own toggle text admits: "Turning off this feature doesn't affect your device's ability to send information needed for essential services."

China's National Intelligence Law Article 7 (2017): "All organizations and citizens shall support, assist, and cooperate with national intelligence efforts." Article 14 grants intelligence agencies authority to "demand" cooperation. US DHS: law "compels all PRC firms to support, assist, and cooperate with PRC intelligence services." NYU law professor Jerome Cohen: "There is no way Huawei can resist any order from the Government or the Chinese Communist Party. The Party is embedded in Huawei and controls it."

University of Edinburgh and Trinity College Dublin researchers found that OPPO/Realme/OnePlus devices transmit IMEI numbers, MAC addresses, GPS coordinates, phone numbers, app usage, and call/SMS history to backend servers — even when users have opted out of all analytics and personalization, have not created an account, and are not using cloud services. Published in PLoS ONE (2023).

EFF's 2015 FTC complaint found Chrome Sync was enabled by default on school Chromebooks, uploading students' entire browsing history, bookmarks, saved passwords, and open tabs to Google servers. The 2020 New Mexico AG lawsuit and 2025 Schwarz v. Google lawsuit allege the same practice continues a decade later — three lawsuits over ten years for the same violation.

Trinity College Dublin researchers conducted a peer-reviewed study proving Samsung phones send telemetry (IMEI, serial numbers, installed app lists, analytics) even when users explicitly opt out of all diagnostic data sharing during setup. The researchers concluded: "there is no opt-out" and "this data collection occurs even though privacy settings are enabled."

Forbes investigation (May 2020): Cybersecurity researchers Gabriel Cirlig and Andrew Tierney found the Xiaomi Redmi Note 8 transmitted every URL visited, every search query, and every news article viewed — even in incognito mode — to servers in Singapore and Russia, with domains registered in Beijing. Tracking code found in firmware of Mi 10, Redmi K20, and Mi MIX 3. When confronted with video proof, Xiaomi denied it.