Research in Smartphone Data Collection

An interesting new bit of research shows just how much data is being “phoned home” by the two major smartphone operating systems in the world.

Vast Data Collection from Smartphones

Even when sitting idle and not logged in, both operating systems connect to their respective backend servers about once every five minutes. In a 12-hour window an idle Android phone will send back about 1 MB of data, while an idle iPhone sends 52 KB of data. Even with most tracking features turned off, these devices still phone home.

The headline for many news stories on this research – that Android sends back 20x more data than iOS – is probably not a big surprise.

After all, Android is owned by Google, and Google makes the majority of its money from selling highly-targeted ad spaces in Google Search, Google Maps, GMail, etc. Having the additional information (like location, recent searches and apps used) from a user’s phone makes their ability to target ads exponentially more effective.

What was surprising – at least to me – is the sensitivity of data that iOS sends back. Apple says that they don’t share personal information without “your direction” in their privacy statement:

Apple may share personal data with service providers who act on our behalf, our partners, or others at your direction. Further, Apple does not share personal data with third parties for their own marketing purposes.

It’s worth pointing out here, though, that Google doesn’t really share your personal data either, they keep it to themselves, and use it to deliver their highly-target ads (which they do sell).

Even without selling the data to a 3rd-party, though, there are some implications of this data collection to be aware of.

The Danger: Data Aggregation

Here’s a chart showing some of the data shared from an Android/iOS device when it’s not logged in to a user account:

Handset data sent when users are not logged in.

Some of the information may look innocuous, but innocent data – when aggregated – can become much more invasive.

For example, iOS sends the MAC addresses of nearby WiFi devices (likely for services like AirPlay or AirDrop), even when a user isn’t logged in.

This means that if a single person with location services turned on connects to your Wi-Fi network, Apple now knows where your Wi-Fi network is (and, by extension the location of other connected devices). This will happen even if you choose to leave location services off.

Remember, though, that Apple – according to their own privacy statement – doesn’t share this data. So is it a problem that Apple simply collects it?

A similar question exists for Android.

It’s not (or shouldn’t be) a surprise that large amounts of device and user information are collected and transmitted to Android’s “mothership”. It’s also true that – by and large – Google doesn’t sell the information to 3rd-parties, although there are more asterisks on this statement coming from Google.

An Accurate Report?

Although this report may not be comforting for the privacy-focused smartphone user, I think that this report does a good job of showing just how much information we’re giving away by simply having a smartphone turned on.

According to the Ars report I linked earlier, spokespeople for both Android and Apple have come out to say that the report is inaccurate in one way or another, or that this kind of behavior should be expected from smartphones.

And I think by upsetting both companies, this report gains credibility – if you don’t want to share this kind of information, the only fix is to ditch the smartphone entirely.