Google says you can control what data they collect, but the most important data collection software on your Pixel phone — Google Play Services — has access to your location, texts, call history, contacts, camera, microphone, and body sensors, and you cannot turn it off or remove it. The "choice" they advertise does not apply to the biggest data collector on your phone. Even if you go through every privacy setting on your Pixel 8 and turn off everything you can find, your phone still sends data to Google every 4 minutes. It sends your phone number, device ID, location, and the WiFi networks near you — whether you are logged in or not. Academic researchers proved this happens even after you opt out.
What they claim: Google Safety Center states: "Whether you want to save, delete, or auto-delete your data, we give you the choice." Google privacy policy emphasizes user control over data collection and the ability to manage privacy settings.
What we found: Google Play Services (com.google.android.gms) runs as a privileged system process with 56 permissions including ACCESS_BACKGROUND_LOCATION, READ_SMS, READ_CALL_LOG, READ_CONTACTS, RECORD_AUDIO, CAMERA, BODY_SENSORS, READ_LOGS, and PACKAGE_USAGE_STATS. This service CANNOT be uninstalled, disabled, or permission-restricted by the user. It starts at boot (RECEIVE_BOOT_COMPLETED) and ignores battery optimization (REQUEST_IGNORE_BATTERY_OPTIMIZATIONS). The "choice" Google offers does not extend to the most invasive data collection channel on the device.
What they claim: Google privacy policy states data collection helps "maintain & improve" services and "develop new services." Privacy controls page suggests users can manage what data Google collects through account settings.
What we found: Trinity College Dublin research (Prof. Douglas Leith, 2021) found Google Pixel phones send ~1MB of telemetry to Google in the first 10 minutes of startup and ~1MB every 12 hours when idle. Data includes IMEI, SIM serial number, phone number, hardware serial number, location, cookies, local IP address, and nearby WiFi MAC addresses. Critically: "both iOS and Google Android transmit telemetry, despite the user explicitly opting out" and "this data is sent even when a user is not logged in (indeed even if they have never logged in)." Telemetry sent every 255 seconds (~4.25 min).
What they claim: Google privacy policy describes data collection categories and suggests users can review and control what information is gathered. The policy frames data collection as necessary for service functionality.
What we found: Google Play Services requests READ_SMS, SEND_SMS, WRITE_SMS, RECEIVE_SMS, RECEIVE_MMS — full SMS access for a service marketed as a background platform component. It also requests CALL_PHONE, READ_CALL_LOG, WRITE_CALL_LOG, PROCESS_OUTGOING_CALLS — complete telephony surveillance capability. Combined with READ_CONTACTS, WRITE_CONTACTS, and GET_ACCOUNTS, this gives Google access to every communication channel on the device. These permissions are not disclosed prominently in the privacy policy as system-level collection capabilities.
What they claim: Google states in its privacy policy: "We collect information to provide better services to all our users." The framing positions Google as a service provider that collects data to help users.
What we found: Google Pixel phones send 20 times more telemetry data to Google than iPhones send to Apple (Trinity College Dublin, 2021). Google collected data from 1.3 million Australian accounts through deceptive dual-setting design (ACCC, A$60M penalty). Google maintained Sensorvault — a database of location history for all Android users — which was the primary target for law enforcement geofence warrants covering every user near a crime scene. Google only began moving away from Sensorvault in Dec 2024, years after it was publicly criticised.
What they claim: Google announced in December 2023 that Location History would move to on-device storage with end-to-end encryption, and default auto-delete would be set to three months, positioning this as a major privacy improvement.
What we found: While Location History moved on-device effective December 2024, Web & App Activity and other Google services continue to collect location-adjacent data server-side. Google search queries, Maps directions, YouTube viewing location, Chrome browsing, and IP-based location all still flow to Google servers. The ACCC case proved Google has a pattern of using one visible setting as a decoy while collecting the same data through less visible channels. The 5th Circuit ruled geofence warrants unconstitutional, but Google had maintained Sensorvault for years before acting.
What they claim: Google markets Pixel 8 as receiving 7 years of security updates and being the "most personal, helpful and secure phone" with monthly security patches.
What we found: Despite monthly security patches, three high-severity Pixel-specific vulnerabilities (CVE-2024-29745, CVE-2024-29748, CVE-2024-32896) were actively exploited before patches were available. Meanwhile, Google Play Services maintains RECORD_AUDIO, CAMERA, ACCESS_BACKGROUND_LOCATION, and READ_LOGS permissions — creating a permanent attack surface that even patched devices cannot eliminate. The combination of privileged system access and demonstrated zero-day exploitation means the "most secure phone" label is misleading when Google itself maintains the largest privileged access footprint on the device.
What they claim: Google implied that the "Location History" setting was the primary control for whether Google collected location data from Android devices, giving users the impression they could stop location tracking by disabling this one setting.
What we found: The ACCC sued Google and won. The Federal Court of Australia found that between January 2017 and December 2018, Google misled 1.3 million Australian users. A second setting — "Web & App Activity" — was enabled by default and also collected personally identifiable location data. Google was ordered to pay A$60 million. This was a deliberate dual-setting design where disabling the obvious setting still left location collection active through a less obvious one.
What they claim: Google promotes Tensor G3 as enabling "on-device AI" for privacy-preserving features, marketing the chip as a reason Pixel phones are more private because processing happens locally rather than in the cloud.
What we found: While features like Call Screen and Live Translate run on-device, core AI features including Google Assistant, Google Photos face/object recognition, Google Lens, and search suggestions still route through Google cloud servers. The device maintains persistent connections to play.googleapis.com, app-measurement.com, firebaseinstallations.googleapis.com, and pagead2.googlesyndication.com (Google ad network). The "on-device AI" marketing creates a false impression that the phone operates independently when it continuously sends data to Google servers.
What they claim: Google privacy policy describes advertising as a service that "helps fund our services" and states ads are shown based on user activity, with the implication that advertising data collection is separate from core device functions.
What we found: Google Play Services connects to pagead2.googlesyndication.com and www.googleadservices.com — Google advertising infrastructure — as hardcoded endpoints at the firmware level. The service contains Google Analytics, Firebase Analytics, Google CrashLytics, and Google Tag Manager trackers. Combined with ACCESS_BACKGROUND_LOCATION, READ_PHONE_STATE, and GET_ACCOUNTS, the advertising system has access to persistent device identifiers and real-time location data through a system process that cannot be blocked by ad blockers or privacy tools.
What they claim: Google Assistant privacy disclosures stated that voice interactions were processed to improve service quality, with users understanding their data would be handled by automated systems.
What we found: In July 2019, a Dutch contractor leaked over 1,000 Google Assistant recordings to Belgian news outlet VRT. Contractors identified people by their home addresses and heard bedroom conversations, medical discussions, and recordings of women in distress. 153 conversations should never have been recorded at all — triggered without the "Hey Google" wake word. Google settled a class action for $68 million. The Hamburg DPA invoked GDPR Article 66 urgency procedure to halt Google voice data processing.
What they claim: Google markets the Pixel 8 as having "the most helpful and secure phone" with the Titan M2 security chip providing hardware-level protection and 7 years of security updates.
What we found: Forensic companies including Cellebrite exploited Pixel firmware vulnerabilities CVE-2024-29745 (bootloader information disclosure, HIGH severity) and CVE-2024-29748 (firmware privilege escalation, HIGH severity) to extract data from locked Pixel devices. CVE-2024-32896, a related zero-day confirmed by Google as actively exploited, allowed interruption of factory reset wipes. These exploits were weaponized specifically against Pixel devices. GrapheneOS discovered and reported these vulnerabilities while developing duress PIN features — Google did not discover them internally.
What they claim: The Pixel 8 includes the Titan M2 security chip for hardware-level protection of sensitive data, and Google markets Android as having a robust permission model that gives users control over what apps can access.
What we found: Google Play Services has BIND_DEVICE_ADMIN, INTERACT_ACROSS_USERS, READ_LOGS, DUMP, and PACKAGE_USAGE_STATS — system-level permissions that bypass the normal Android permission model entirely. It can read system logs (including other apps activities), access device admin functions, interact across user profiles, and monitor which apps you use and for how long. These privileged permissions are not subject to user consent and are not visible in the normal permission management interface. The Titan M2 security chip protects against external attackers but cannot protect users from Google itself.