Professor Douglas Leith at Trinity College Dublin found your Android phone sends device identifiers and telemetry to Google every 4 minutes — even after you turn off all data sharing options. An idle Android sends 20 times more data to Google than an idle iPhone sends to Apple. Google collects your IMEI, hardware serial number, SIM serial, phone number, and advertising ID. You cannot stop it. There is no toggle. The data flows to Google every 240 seconds whether you consent or not. A billion Android users have no opt-out from continuous surveillance by the company that makes their phone's operating system.
Google offers you a "Reset advertising ID" button — implying you can break free from tracking. But Google also collects your permanent hardware serial number, IMEI, and SIM serial number with every telemetry transmission. Resetting your advertising ID is like changing your hat while wearing a name tag. The new ID is immediately re-linked to your permanent identifiers. Google built the privacy control. Google also built the system that makes the privacy control meaningless. The reset button exists so Google can say you have a choice. The permanent identifiers exist so the choice doesn't matter.
What they claim: Google Privacy Policy: "You're trusting us with your information. We work hard to protect your information and put you in control." Android setup presents "Send usage and diagnostic data" as a user choice.
What we found: Prof. Douglas Leith (TCD, Mar 2021): even with Usage & Diagnostics off, Pixel sends ~1.2MB telemetry to play.googleapis.com/log/batch at startup. android.googleapis.com/checkin transmits IMEI, hardware serial, SIM IMSI, WiFi MAC, AndroidId, Droidguard key — regardless of settings. Data sent every 255 seconds (4.25 min) on average when idle. Google's own toggle text admits: "Turning off this feature doesn't affect your device's ability to send information needed for essential services."
What they claim: Google positions location data collection as improving user experience. States users can control their data.
What we found: Google maintained "Sensorvault" database with detailed location records from 592 million accounts. Location logged every two minutes from Android devices. Police used geofence warrants: 982 in 2018, 8,396 in 2019, 11,554 in 2020. By 2021, 25% of all law enforcement requests to Google were geofence. Jorge Molina wrongfully arrested for murder in Arizona, jailed one week after Sensorvault placed his phone near crime scene. US Fifth Circuit ruled geofence warrants "categorically prohibited by the Fourth Amendment."
What they claim: Google represented that Location History controls, Incognito mode, and biometric data handling provided meaningful privacy protections.
What we found: May 9, 2025: Texas AG Ken Paxton secured $1.375B settlement — largest single-state privacy settlement against Google ever. Alleged: Google collected geolocation via Maps even with Location History disabled; Chrome Incognito still tracked activity; Google Photos and Assistant captured voiceprints and facial geometry without consent violating Texas biometric law. Google did not admit liability.
What they claim: Google: "Collection of limited basic information, such as an IP address, is necessary to deliver content." Frames Android data collection as necessary for core functionality.
What we found: Leith (2021): During first 10 min of startup, Pixel sends ~3.6MB to Google (vs 42KB iPhone to Apple — nearly 100x more). Idle: ~1MB every 12 hours (vs 52KB iPhone). Scaled to 129M US Android users: ~1.3TB of handset data every 12 hours from idle phones alone. Pre-installed YouTube, Chrome, Docs, SafetyHub, Clock, Search bar all phone home without being opened.
What they claim: Google: "We never sell personal information" and gives users "transparency and control over their ad experiences."
What we found: Schmidt/Vanderbilt (2018): ad-related data comprised 46% of all requests to Google from Android. Idle Android with Chrome sent nearly 50x as many data requests/hour as iOS with Safari. Schmidt documented Google can identify specific users by combining "user-anonymous" advertiser data with collected data. Google monetizes through 00B+ annual ad business. As bipartisan senators noted, hundreds of firms in real-time bidding receive sensitive info including device IDs, cookies, location, demographics.
What they claim: Google markets Android as open platform with user choice and freedom.
What we found: Liu, Patras, Leith (PLOS ONE 2023): Samsung, Xiaomi, Huawei, Realme, LineageOS all transmit substantial data to Google and third parties even idle. All collect full list of installed apps (revealing mental health, religion, dating interests). Xiaomi sends details of all app screens viewed including call timing to Singapore servers. Samsung has pre-installed Microsoft/LinkedIn telemetry. Huawei connects to avast.com and 360safe.com. No opt-out from any of it. Only /e/OS (strips all Google) sent zero telemetry.
What they claim: Users expect turning off Wi-Fi stops Wi-Fi-based location tracking.
What we found: Android's "Wi-Fi scanning" (Settings > Location > Location Services > Wi-Fi Scanning) scans for networks even when Wi-Fi radio turned off. Enables location via Google's wardriving database. Enabled by default, buried in sub-menu most users never find. Google forced to create opt-out for network owners ("_nomap" SSID suffix) in 2011 after EU concerns.
What they claim: Google Maps Incognito: "When Incognito mode is on, Maps won't save your browsing or search history to your account or send notifications."
What we found: Incognito doesn't disable device-level location services. GPS, Wi-Fi, Bluetooth data continue flowing to Play Services and Maps. Norwegian Consumer Council (2023): 94% of mapping services transmit location metadata regardless of privacy mode. Google admits Incognito "does not affect how your activity is used by internet providers, other apps, voice search, and other Google services." Location from Incognito stored with session identifier instead of account name — still collected and stored.
What they claim: Google (Dec 2023): Location History moving to on-device storage, framed as giving users "more control over their data."
What we found: Migration (2024-2025) auto-deletes all location history older than 90 days if users fail to act before arbitrary deadline. Default auto-delete quietly shortened from 18 months to 3 months. Timeline no longer viewable on web — only single phone. Some users reported data deleted despite choosing to keep it. The Register noted timing coincided with mounting legal pressure over Sensorvault geofence warrants — conveniently making police database harder to access.
What they claim: Google developer guidelines: Android Advertising ID (GAID) is "user-resettable" and apps must not "bridge Advertising ID resets." Marketed as privacy protection.
What we found: Leith (2021): android.googleapis.com/checkin simultaneously transmits resettable RDID/Ad ID alongside hardware serial, IMEI, SIM IMSI, AndroidId (persistent, requires factory reset), WiFi MAC, Droidguard key. Re-linking a reset ad ID is trivial. Liu, Patras, Leith (PLOS ONE 2023) confirmed: "Samsung, Xiaomi, Realme and Google all collect hardware identifiers as well as resettable identifiers" — "This largely undermines the use of user-resettable advertising identifiers." Only 2.08% of users opt out globally (Singular).
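The re-linking described above can be checked in captured traffic. The following is an added example, not code from the study or from Google: it audits decoded check-in records (the field names and sample values are constructed assumptions, not a real wire format) and reports which advertising-ID resets are bridged by a co-transmitted persistent identifier.

```python
from collections import defaultdict

# Hypothetical field names for decoded records; not Google's actual schema.
PERSISTENT = ("imei", "hw_serial", "sim_imsi", "android_id", "wifi_mac")

# Constructed sample: device A resets its ad ID between the 2nd and 3rd check-in.
SAMPLE = [
    {"ts": 0, "ad_id": "ad-1111", "imei": "IMEI-A", "hw_serial": "SER-A"},
    {"ts": 21600, "ad_id": "ad-1111", "imei": "IMEI-A", "hw_serial": "SER-A"},
    {"ts": 43200, "ad_id": "ad-2222", "imei": "IMEI-A", "hw_serial": "SER-A"},
    {"ts": 0, "ad_id": "ad-9999", "imei": "IMEI-B"},
    {"ts": 21600, "ad_id": "ad-7777"},  # ad ID sent alone: a reset would work here
]

def persistent_keys(record):
    """Return (field, value) pairs for every persistent identifier in a record."""
    return [(f, record[f]) for f in PERSISTENT if record.get(f)]

def bridged_resets(records):
    """Map each persistent identifier to the ad IDs seen with it, in time order.

    Only identifiers seen with more than one ad ID are returned: for those,
    resetting the advertising ID did not break the link to the device.
    """
    seen = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        ad_id = rec.get("ad_id")
        if not ad_id:
            continue
        for key in persistent_keys(rec):
            if ad_id not in seen[key]:
                seen[key].append(ad_id)
    return {k: v for k, v in seen.items() if len(v) > 1}

def audit(records):
    """Summarise how much protection an ad-ID reset gives for these records."""
    with_ad = [r for r in records if r.get("ad_id")]
    exposed = [r for r in with_ad if persistent_keys(r)]
    chains = {tuple(v) for v in bridged_resets(records).values()}
    return {
        "records_with_ad_id": len(with_ad),
        "co_transmitted": len(exposed),  # ad ID sent next to a persistent ID
        "reset_only_protected": len(with_ad) - len(exposed),
        "bridged_chains": sorted(chains),
    }

if __name__ == "__main__":
    for (field, value), ads in bridged_resets(SAMPLE).items():
        print(f"{field}={value} links ad IDs {' -> '.join(ads)}")
    print(audit(SAMPLE))
```

Any record counted under `co_transmitted` is one where the reset control gives no unlinkability, which is the condition the PLOS ONE authors describe.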
What they claim: Google Android location settings implied that with location services disabled, the device would not transmit location data.
What we found: Nov 2017 (Quartz): since early 2017, all modern Android phones collected nearby cell tower addresses and sent to Google — even with location services completely disabled, no apps in use, no SIM card inserted. Even factory-reset devices transmitted when connected to Wi-Fi. Mechanism: change to Firebase Cloud Messaging. Google claimed data "never used or stored" and was "immediately discarded" — only stopped after Quartz contacted them. Users had no way to opt out.
What they claim: Google told users disabling Location History would prevent storage of location data.
What we found: Sep 14, 2023: California AG Rob Bonta announced $93M settlement. Google falsely told users turning off Location History stopped storage, but continued collecting through other sources. Also deceived users about opting out of location-targeted advertising. Google's fifth settlement over geolocation. Required auto-delete location data within 30 days and disclose location data used for ad personalization.
What they claim: Google Play Data Safety section tells users what data apps collect. Google: apps "are responsible for making complete and accurate declarations."
What we found: Mozilla Foundation (Feb 2023, "See No Evil"): nearly 80% of top apps had false or misleading Data Safety labels vs actual privacy policies. 40% of 40 top apps received "Poor" grade (Minecraft, Twitter, Facebook). TikTok and Twitter claimed they don't share with third parties — policies explicitly state they share with advertisers. Google exempts "service providers" and "anonymized" data. Google performs zero verification. None of top 20 apps correctly disclosed collection (2026 arXiv study). In 2024, Google unpublished 1.3 million apps for data issues yet labels remain self-reported.
What they claim: Chrome Incognito: "You've gone incognito" and "Now you can browse privately." Internal Google email from marketing chief Lorraine Twohill to CEO Pichai (2019): "limited in how strongly we can market incognito because it's not truly private."
What we found: Class action (Jun 2020) alleged Google tracked browsing in Incognito via Google Analytics, DoubleClick, ad technologies. Settled 2024 — Google agreed to delete billions of browsing records. No monetary payment to class members. Google's own marketing chief admitted internally it's "not truly private." Updated disclaimer now reads: "This won't change how data is collected by websites you visit, including Google." Over 1,000 individual damages claims filed in California.
What they claim: Google Play Data Safety requires apps to disclose data collection. Google states core Play services SDKs "do not collect any end-user data."
What we found: Exodus Privacy / Yale Privacy Lab: 75% of Android apps contain at least one third-party tracker; Google Firebase Analytics in 59% (154,355 apps analyzed). Firebase SDK auto-collects app-instance ID, advertising ID, uses cookie-like technologies. 2023 ACM study: almost half of apps continued engaging trackers after users declined consent. Data flows to app-measurement.com linked to device RDID, enabling cross-app profiling. Invisible to users.
What they claim: Google says Gemini Intelligence features are "opt-in" with user controls, and the security framework ensures "your data stays private."
What we found: Auto Browse in Chrome on Android can access Google Password Manager and log into third-party websites on your behalf — the first time Google's AI has been granted delegated credential use on external sites. Once enabled, Gemini navigates sites, fills forms, and completes bookings using your saved passwords. Google's own Privacy Hub confirms human reviewers can access AI conversations, and the Gemini Apps Activity policy states data may be retained up to 18 months.
What they claim: Google positions Gemini as safe for enterprise use with "layered defense strategy" against prompt injection and built-in security controls.
What we found: Security firm Noma Labs demonstrated "GeminiJack" — a single poisoned Google Doc containing hidden instructions that causes Gemini to exfiltrate years of email, complete calendar histories, and entire document repositories with zero clicks, zero warnings, and zero DLP alerts. Separately, Miggo demonstrated prompt injection via Google Calendar invites that bypasses Gemini's privacy controls to exfiltrate private meeting data — zero interaction required from the target user.
What they claim: Google Play Protect marketed as keeping "your apps safe & your data private." "Scam detection on-device ensures user privacy while enhancing security."
What we found: Play Protect scans all apps on device including sideloaded — 350 billion apps/day globally. Google "may receive information about OS and apps installed" even for Play Store apps with some protections disabled. With "Improve harmful app detection" enabled, entire app binaries uploaded to Google. On by default. Even with scanning disabled, Google states it "may continue to receive information about apps installed through Google Play." Installed app list reveals sensitive interests (health, dating, religion, politics).
What they claim: Google markets Android auto-backup to Google Drive as secure. Implies data protected in cloud.
What we found: E2E encryption for backups only works on Android 9+ with lock screen set. Photos, Drive files, and MMS use Google-held keys — not E2E. Google can access and provide backup content to law enforcement with valid warrant for non-E2E categories. Similar to Apple's iCloud problem: backup containing message keys makes per-message encryption moot. Users not informed which categories are E2E and which aren't.
What they claim: Google support page: "You can turn off Location History at any time. With Location History off, the places you go are no longer stored."
What we found: Aug 2018 AP/Princeton: Google Maps created location snapshot whenever opened even with Location History off — separate "Web & App Activity" independently recorded location. Searches unrelated to location ("chocolate chip cookies") saved precise lat/long accurate to the square foot. Princeton researcher Gunes Acar demonstrated by carrying Android with History disabled; AP mapped his commute across New York. Google settled: Arizona $85M (Oct 2022), 40 states $391.5M (Nov 2022) — largest multistate privacy settlement in US history.
What they claim: Google states users have meaningful control over Gemini's data access with ability to "turn off" features and manage permissions.
What we found: On 7 July 2025, Gemini automatically activated access to Android Messages, Phone, WhatsApp, and system utilities by default — without clear opt-in consent. Google's own statements contradicted each other: one said the change applied "whether your Gemini Apps Activity is on or off," another said previously-disabled features would "remain off." Users reported "unauthorised screenshots" on support forums when Gemini was activated via voice or hardware button, capturing banking apps, health apps, and messaging threads.
What they claim: Google: Play Services "helps you keep your apps running securely, and quickly delivers new features." Presented as security and functionality benefit.
What we found: Leith: Play Services responsible for bulk of mandatory telemetry. android.googleapis.com/checkin links IMEI, serial, SIM IMSI, AndroidId, WiFi MAC, email, Droidguard key every 6 hours. play.googleapis.com/log/batch aggregates data from 50+ logging sources including CARRIER_SERVICES, DIALER, GOOGLE_NOW, DRIVE, PHOTOS, CALENDAR, CONTACTS, GMAIL, MESSAGING. Cannot be uninstalled on any certified Android device. Disabling breaks most phone functionality.
What they claim: Google presents products as responsive tools that work when you use them. Implicit promise: when not using Google, Google isn't collecting.
What we found: Schmidt/Vanderbilt (2018): 11.6MB/day between Android device and Google. Dormant Android with Chrome in background sent location data 340 times in 24 hours (14x/hour). Schmidt: "A major part of Google's data collection occurs while a user is not directly engaged with any of its products." Ad data = 46% of all requests. Phone isn't waiting for you to use Google; Google uses the phone to watch you continuously.
What they claim: Google promotes "Protected by Android" with Play Protect for security and "GPS permissions for control of personal information."
What we found: Android ships with Google apps (Play Services, Chrome, Gmail, Maps, YouTube) that cannot be uninstalled — only disabled. Play Services cannot be disabled without breaking phone. OEM bloatware runs in background collecting data when never opened. Many pre-installed apps have contacts, location, phone permissions by default. Xiaomi sends details of all app screens viewed including call timing to Singapore servers (TCD study). Huawei's SwiftKey sends usage to Microsoft. Removing bloatware requires ADB developer tools.
What they claim: Google markets Android as giving users control over their devices. Play Store focuses on user-initiated actions.
What we found: Google can silently install apps without user consent via Play Services. MassNotify incident (Jun 2021): Google remotely installed COVID-19 exposure notification app on Massachusetts phones without consent, without app icon, without notification. Google confirmed "intentional." Also has documented kill switch for remote app removal. Play Services operates at higher privilege than user apps — system-level component users cannot fully control.
What they claim: Google describes Android as open platform giving users choice and control.
What we found: Without Google account: no Play Store (primary app source), no automatic backup, no contact/calendar sync. YouTube loses personalization, Maps loses saved places. Sideloading requires technical knowledge. Starting 2026-2027, Google extending mandatory developer verification to ALL Android apps — even sideloaded apps will query Google verification server on certified devices. /e/OS and LineageOS are only real alternatives but run on limited hardware.
What they claim: Android permission system presented as user control: apps must request dangerous permissions and users can grant/deny.
What we found: ECCWS study found 72% of dangerous permissions not shown to users in device settings. Apps can access data beyond declared permissions through Android system APIs. Pre-installed apps bypass normal permission flow with system-level privileges. Google Play Services itself holds virtually all dangerous permissions by default with no user ability to revoke.
What they claim: Google claims to deliver notifications as sent by app developers.
What we found: Google is using on-device AI to summarise, reorder, and rewrite push notifications before users see them. Messages from apps are altered without the sender's or receiver's consent — Google decides what you read and in what order.