Our response to Google: Privacy isn't a Luxury
Google respond to our low-cost tech campaign. There's some good news, some bad news, and some mediocre news.
Updated on 7 October 2020
PI’s "Privacy shouldn't be a luxury" public campaign against unauthorised data sharing by the pre-installed apps on Android devices was supported by over 50 other organisations and signed by thousands of people. Our campaign generated better understanding and wide public debate around vulnerabilities created by pre-installed Android apps and their impact on users’ privacy. As a result, Google responded to our concerns and committed to address issues raised by PI. Following on from our public campaign, we expect Google to impose minimum privacy safeguards on pre-installed app vendors to ensure better protection for users.
- Google responded to our campaign.
- We're pleased to hear that Google are exploring ways to establish clearer standards for pre-installed apps and look forward to finding out more about this going forward.
- They broadly agreed with us that people should be able to uninstall apps - but we still think they failed to really engage with their role in the sector.
- Google seem to have misunderstood our points on update mechanisms.
- Google failed to acknowledge our point about their certification process at all.
Back in January, Privacy International and over 50 other organisations wrote to Google asking the company to take action over pre-installed apps that cannot be deleted (often known as “bloatware”), which can leave users vulnerable to their data being collected, shared and exposed without their knowledge or consent. Thousands of people from over 50 countries signed our petition supporting this ask. We welcome the constructive conversations we had with Google following this campaign and the public response to the issues raised in the letter, which we have published here.
Since we began the campaign and reached out to Google, the world has changed dramatically.
Covid-19 brings many of these issues even more to the fore. Contact tracing has become an important part of many countries' responses. It will only work if people trust that their devices are not betraying them by collecting and sharing too much personal data.
With mounting protests across the world, as a result of PI's campaign, human rights organisations are also making the link between the current global anti-racism protests, contact tracing, and the ease of surveillance on targeted groups, particularly on devices that can't be updated.
Therefore, some of our key concerns from our original letter still remain upon receiving Google's response:
- Individuals should be able to permanently uninstall the apps on their phones. This should include any related background services that continue to run even if the apps are disabled.
Google broadly agrees with us; in their letter they stated:
"We agree that users should be able to choose which apps to run on their phones. All apps downloaded from Google Play can be uninstalled at any time."
However, we are highlighting the issue of pre-installed apps put on the phone by manufacturers which are not on the Google Play store. Google go on to say in their response to us that they maintain little influence as to which pre-installed apps are included on phones by manufacturers.
We still think Google underestimate their influence. We are asking specifically about phones that Google certify and allow to use Google branding. In the examples we highlighted in our research, it is clear that Google is certifying devices that undermine users' privacy and security.
We feel Google could more strongly encourage vendors to make better choices around which apps are not removable from phones. For example, Google could prohibit certified devices from making it impossible to remove apps such as Facebook, browsers, and other commercial third parties. Apps that only provide value-added services not intrinsic to the functionality of the device must be removable.
- Pre-installed apps should adhere to the same scrutiny as Play Store apps, especially in relation to custom permissions.
Pre-installed apps come with pre-accepted permissions that are difficult to modify. These permissions can be exceptionally pernicious if they are not curtailed, including taking over control of the whole device, even accessing the microphone or camera. As part of our most recent research we analysed the MyVerizon app, which is pre-installed on Android handsets sold by Verizon. We discovered it has the following permissions, including camera, audio, call, SMS and contact access:
"permissions": [ "android.permission.INTERNET", "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.READ_PHONE_STATE", "android.permission.CHANGE_NETWORK_STATE", "android.permission.RECORD_AUDIO", "android.permission.CONNECTIVITY_INTERNAL", "com.google.android.providers.gsf.permission.READ_GSERVICES", "android.permission.ACCESS_NETWORK_STATE", "android.permission.ACCESS_COARSE_LOCATION", "android.permission.ACCESS_FINE_LOCATION", "android.permission.CALL_PHONE", "android.permission.BLUETOOTH_ADMIN", "android.permission.BLUETOOTH", "com.samsung.android.launcher.permission.WRITE_SETTINGS", "com.samsung.android.launcher.permission.READ_SETTINGS", "com.verizon.mips.ACCESS_VERIZON_SERVICE", "android.permission.CAMERA", "android.permission.ACCESS_WIFI_STATE", "android.permission.CHANGE_WIFI_STATE", "android.permission.KILL_BACKGROUND_PROCESSES", "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WAKE_LOCK", "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS", "android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG", "android.permission.GET_ACCOUNTS", "android.permission.GET_PACKAGE_SIZE", "android.permission.GET_TASKS", "android.permission.READ_SMS", "android.permission.WRITE_SMS", "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS", "android.permission.RECEIVE_MMS", "android.permission.READ_CALENDAR", "android.permission.WRITE_CALENDAR", "android.permission.AUTHENTICATE_ACCOUNTS", "android.permission.VIBRATE", "com.google.android.c2dm.permission.RECEIVE", "com.vzw.hss.myverizon.permission.C2D_MESSAGE", "com.vzw.permission.ALLOW_VOLTE_PERMISSION", "android.permission.WRITE_SETTINGS", "service.permission.ACCESS_SERVICE", "android.permission.GET_REALTASKS", "android.permission.PROCESS_OUTGOING_CALLS", "android.permission.RECEIVE_BOOT_COMPLETED", "com.vzw.APNPERMISSION", "android.permission.ACCESS_LOCATION_EXTRA_COMMANDS", "receiver.permission.ACCESS_RECEIVER", "android.permission.BATTERY_STATS", 
"com.verizon.settings.permission.RECEIVE_UPDATED_SETTING", "com.verizon.vzwavs.permission.READ", "com.verizon.vzwavs.permission.WRITE", "com.verizon.api.ACCESS", "com.verizon.net.IMS_REGISTRATION", "android.permission.READ_NETWORK_USAGE_HISTORY", "android.permission.RECEIVE_DATA_ACTIVITY_CHANGE", "android.permission.MODIFY_AUDIO_SETTINGS", "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.CfALL_PHONE", "android.permission.permission.READ_SMS", "android.permission.USE_FINGERPRINT", "android.permission.FLASHLIGHT", "android.permission.CLEAR_APP_CACHE", "android.permission.PACKAGE_USAGE_STATS", "android.permission.REBOOT", "android.permission.WRITE_SECURE_SETTINGS", "com.verizon.lpa.ACCESS_LPA_SERVICE", "com.vzw.hss.myverizon.gcm.permission.C2D_MESSAGE" ],
We are somewhat reassured by Google's response to our concern: "We’ve been exploring ways to establish clearer baseline standards for pre-installed apps, analogous to our Google Play standard..." We look forward to hearing more on this going forward.
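A way to triage a list like the one quoted above, as an added example that is not part of PI's research tooling: it separates the categories the text names (camera, audio, call, SMS, contacts), permissions outside the android.permission namespace, and android.permission names that do not follow the usual naming pattern. The category keywords, the naming heuristic and the function names are assumptions made for this example.

```python
import re

PLATFORM = "android.permission."
# Categories the article names for this app. The keyword mapping is an
# assumption made for this example, not an official Android classification.
CATEGORIES = {
    "camera": ("CAMERA",),
    "audio": ("RECORD_AUDIO",),
    "call": ("CALL_PHONE", "CALL_LOG", "OUTGOING_CALLS"),
    "sms": ("SMS", "MMS"),
    "contacts": ("CONTACTS",),
}

# Excerpt of the list quoted above, entries copied as they appear there.
SAMPLE = '''"permissions": [ "android.permission.INTERNET",
 "android.permission.RECORD_AUDIO", "android.permission.CALL_PHONE",
 "com.verizon.mips.ACCESS_VERIZON_SERVICE", "android.permission.CAMERA",
 "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
 "android.permission.READ_SMS", "android.permission.SEND_SMS",
 "android.permission.RECEIVE_MMS", "service.permission.ACCESS_SERVICE",
 "android.permission.PROCESS_OUTGOING_CALLS", "com.vzw.APNPERMISSION",
 "android.permission.CfALL_PHONE", "android.permission.permission.READ_SMS",
 "android.permission.WRITE_SECURE_SETTINGS" ],'''

def parse_permissions(text):
    """Extract the quoted names from a '"permissions": [ ... ]' fragment."""
    body = text.partition("[")[2] or text
    return re.findall(r'"([A-Za-z0-9_.]+)"', body)

def audit(perms):
    """Split names into sensitive platform categories, non-platform
    namespaces, and android.permission.* names that look malformed."""
    report = {"categories": {c: [] for c in CATEGORIES},
              "non_platform": [], "malformed": []}
    for name in perms:
        if not name.startswith(PLATFORM):
            report["non_platform"].append(name)   # vendor or custom namespace
            continue
        suffix = name[len(PLATFORM):]
        if not re.fullmatch(r"[A-Z0-9_]+", suffix):  # heuristic naming check
            report["malformed"].append(name)
            continue
        for cat, keywords in CATEGORIES.items():
            if any(k in suffix for k in keywords):
                report["categories"][cat].append(name)
    return report

if __name__ == "__main__":
    for section, value in audit(parse_permissions(SAMPLE)).items():
        print(section, value)
```

Malformed names are reported separately and not counted in any category, so a misspelt entry does not inflate the count for a category.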
- Pre-installed apps should have some update mechanism, preferably through Google Play and without a user account.
Many pre-installed apps cannot be updated if the manufacturer stops releasing updates for them. Google's response to PI suggests that offering an anonymous update system through Google Play would somehow interfere with the operation of Google Play for conventional users. However, the apps in question are pre-installed and therefore do not require payment or an account to acquire them.
Google highlight that Google Play "[can] help users manage their installed apps". This doesn't help manage pre-installed apps, however, as Google highlight in their response to us: "device makers choose to use their own update mechanism for pre-installed software, either through their own app store or another mechanism". To clarify, what PI is asking is this: where Google certifies a device (meaning it will include the Google Play Services) and where a pre-installed app is included which cannot be removed, it must be able to be updated through the Play Store as a matter of last resort, so that faulty or malicious apps can be decommissioned without user intervention.
- Google should refuse to certify a device on privacy grounds, where manufacturers or vendors have attempted to exploit users in this way.
Unfortunately, this key point was not acknowledged in Google's response. Google remain a key gatekeeper and stakeholder within the Android ecosystem. For manufacturers to include Google's services and provide functionality like Android Pay, their device must pass through the Google certification process. We therefore think it is incumbent on Google as part of that process to consider the privacy implications in addition to the security requirements of the software bundled on devices that they certify.
We thank Google once again for their response and hope to continue an open engagement on this topic going forward.