You are being trackedand it cant be stoppedgettyUpdated on March 4th with Googles response to the new tracking warning.Google Chrome is about to make a huge tracking change. We await a global prompt to say no to cookies within the worlds most popular browser albeit we will need to use private browsing for some of the new protections. But while all thats going on, heres a nasty new surprise for Android users who it seems will be tracked anyway.A new Trinity College, Dublin study warns Google starts tracking your phone as soon as its powered on, through cookies, identifiers and other data that Google silently stores on Android handsets, through the default apps that are pre-installed. The researchers warn no consent is sought for storing any of this data and there is no opt out. They also claim this study is the first to cast light on the cookies etc stored by pre-installed Google apps.This tracking starts even if you dont open the apps, and the report claims no opt outs which clashes with the direction being taken with Chromes tracking cookies. The default apps in question include Googles Play Store and Play Services, which is particularly timely given the furor around the SafetyCore photo scanning app that has been secretly installed on all almost all Android phone in the last few months. This issue is the same transparency.The bad news here is that unlike SafetyCore, according to the researchers theres no way to stop this. I have reached out to Google and will update with their comments on the reports fin dings and on their advice on any way to opt out. Otherwise you might need to switch OS to kill this kind of data leakage.The Trinity study caught cookies counting ad views and clicks alongside the Android ID which is as a persistent device and user identifier albeit plenty of warnings say reset or disable this, plus usual tracking cookies. The team says no consent is sought or given for storing any of these cookies and other data, the purposes are not stated and there is no opt out from this data storage. Most of this data is stored even when the device is idle following a factory reset and no Google apps have ever been opened by the user i.e. they are not set in response to services explicitly requested by the user.Its important not to overplay these findings. I have warned for years that our phones are designed to track almost everything we do, and we need to change settings to add a modicum of privacy. The issue here is awareness. Theres also a question around how we restrict tracking from the OS itself and its core services, not just third-party apps.The universitys Professor Doug Leith told Irish Tech News that we all know that our consent is needed before a website stores advertising and tracking cookies when we visit it, but that cookies stored by apps have received far less attention than web cookies, partly because they are harder to detect, and a closer look at them is long overdue.This report comes just days after Googles controversial decision to allow device fingerprinting again, after vanquishing the practice in 2019. At that time, Google said that developers have found ways to use tiny bits of information that vary between users, such as what device they have or what fonts they have installed to generate a unique identifier which can then be used to match a user across websites. Unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.Its hard to see this, with its lack of control, as being much different surely then it must be equally wrong. Googles return to fingerprinting was justified based on new privacy preserving technologies that give us more optionality as to what our phones can and cannot do. Its critical that we know what to restrict, of course.The Trinity study delves into the murky waters of data legislation and regulations, albeit the report is a technical study, not a legal one, and [they] are not legally qualified. Nevertheless, it says, the data storage that we observe by Google raises obvious questions regarding the EU e-Privacy Directive and perhaps also the GDPR data protection regulations. This stems from the fact that all data measurements were carried out in Ireland, which falls under those protections.The e-Privacy Directive, the report notes, is sometimes referred to as the cookie law. It recognizes that the devices of users of electronic communications networks and any information stored on their devices are part of their private sphere and that they require protection, which restricts storage of data on a handset, stating that a person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user, unless (a) the subscriber or user has given his or her consent to that use, and (b) the subscriber or user has been provided with clear and comprehensive information in accordance with the Data Protection Acts which (i) is both prominently displayed and easily accessible, and (ii) includes, without limitation, the purposes of the processing of the information. Exceptions are allowed when the storage is for the sole purpose of carrying out the transmission of a communication over an electronic communications network or strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.In response to this, Google told me this report identifies a number of Google technologies and tools that underpin how we bring helpful products and services to our users. The researcher acknowledges in the report that they are not legally qualified, and we do not agree with their legal analysis. User privacy is a top priority for Android and we are committed to complying with all applicable privacy laws and regulations.This isnt the first time Trinity and Leith have reported on Googles data practices. In 2022, they warned that data sent to Google by the Google Messages and Google Dialer apps [tells] Google when message/phone calls are made/ received The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google.And in 2021, the team studied the telemetry traffic sent by modern iOS and Android devices back to Apple and Google servers and found that Google collects around 20 times more telemetry data from Android devices than Apple from iOS. Somewhat alarmingly, as reported by The Record at the time, both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this [option]."In the study, Leith notes that the Google Play Services and Google Play store apps studied here are in active use by hundreds of millions of people. We informed Google of our findings, and delayed publication to allow them to respond. They gave a brief response, stating that they would not comment on the legal aspects (they were not asked to comment on these). They did not point out any errors or mis-statements (which they were asked to comment on). They did not respond to our question about whether they planned to make any changes to the cookies etc stored by their software.This is a tricky time for Google on the tracking front, and the latest report will highlight some of whats going on below the surface on the devices and platforms we all use. As Ive commented multiple times recently, its critical that Google and the other mainstream platform providers increase the levels of transparency as the balance is currently pivoting back in the wrong direction. We had been making good privacy strides, but that seems to have started to wobble, and not just for Google.According to Leith, this latest research is a wake-up call for data regulators to start properly protecting users of Android phones. Google Play Services and the Google Play store are pre-installed on almost every Android phone. This study shows that they silently store advertising and other tracking cookies and data on peoples phones. No consent for this is sought by Google, and there is no way to block these cookies.