This article is more than 1 year old
Upcoming Android privacy changes include ability to blank advertising ID, and 'safety section' in Play store
New policies give users more control, but ad tracking still on by default
Google has shared details of upcoming changes to Android including the ability to blank a device's advertising ID, and a new safety section for apps in the Play store.
The advertising ID is an identifier unique to an Android device which is supplied by Google Play Services. Since every app on that device can retrieve the same ID, it can be used for profiling the user of the device. Users can set an option to "Limit ad tracking", and the API that supplies the advertising ID also indicates whether the user has opted out, but respecting this option is on a trust basis.
Privacy advocate Max Schrems filed a legal complaint against Google last year, arguing that the advertising ID is personal data and that the option to reset it, which automatically creates a replacement ID, was "like cancelling a contract only under the condition that you sign a new one."
Why supply the advertising ID at all if the user wishes to limit ad tracking? Google has accepted this idea, and director of product management Krish Vitaldevara posted that "when users opt out of interest-based advertising or ads personalization, their advertising ID will be removed and replaced with a string of zeros."
Developers were informed of the upcoming change last month. The change will be implemented by an update to Google Play Services on the device, and will affect Android 12 devices from late this year, and "all apps running on devices that support Google Play" in early 2022.
There is also a new feature whereby when a user deletes their advertising ID, developers will receive a notification "so they can promptly erase advertising IDs that are not in use."
Are there other ways of uniquely identifying a device? There are, including the hardware IMEI, the serial number, the Wi-Fi or Bluetooth MAC address, and the Android ID. Vitaldevara said that Google is "prohibiting linking persistent device identifiers to personal and sensitive user data or resettable device identifiers."
Once again it is a matter of trusting the vendor, though Android permissions play a role here too. Apps that ask for permissions that appear to have nothing to do with their functionality should give users pause for thought. Note Android 12, currently in beta, has fixed a long-standing complaint, that apps scanning nearby Bluetooth devices need location permissions. This is not the case in Android 12.
- Mozilla ups its VPN game – and the price – with split tunneling for Android, iOS
- Google to bake COVID-19 vaccine passport support into Android with Passes API update
- Android devs prepare to hand over app-signing keys to Google from August
- Samsung commits to 5 years of Android updates... for its enterprise smartphone users at least
That said, Google is also introducing a new device identifier, called the app set ID, which will be the same for all apps on a device that are published by the same developer. This is intended for "analytics or fraud prevention." Vitaldevara said that "you cannot use app set ID for ads personalization or ads measurement." Developers can only use the advertising ID for this, and further, apps "primarily directed to children" are not allowed to collect the advertising ID.
The safety section is an upcoming addition to the Play store and "ultimately, all Google Play store apps will be required to share information in the safety section," said Suzanne Frey, VP Android security and privacy. The deadline for this is April 2022. It will show what type of data is collected, such as location, contacts, personal information, and so on. It will also show how data is used and whether data collection is optional or required. All developers must provide a privacy policy, even if their apps collect no personal data. Frey added that Google "learned that users care about whether their data is shared with other companies, and why."
While these changes will no doubt be welcomed by those who care about their privacy, note that the advertising ID will be present by default, unlike Apple's changes in iOS 14.5 which require developers to ask users to opt into tracking across apps and websites. Figures collected by analytics company Flurry show an opt-in rate of just 13 per cent across apps, gradually increasing as more users respond to prompts. The opt out is likely to have much less impact.
If Google is imposing these restrictions on developers of apps using its platform, is it also imposing them on itself? Currently, Google's privacy policy (which applies to Android as well as other services) states that "the information we collect includes unique identifiers" as well as "which apps you've installed." The policy also states that "we use the information we collect to customize our services for you, including providing recommendations, personalized content, and customized search results" and that "depending on your settings, we may also show you personalized ads based on your interests," though there are per-browser settings to disable ad personalisation. A common complaint is that identifying exactly how Google uses the data it collects is beyond challenging.
Doubts remain, both over how effective these new privacy controls will be at curbing ad tracking on Android, and whether Google's changes will also happen to give the company a further advantage over its competitors. In its latest financial statements for calendar Q2, Google's parent company Alphabet reported quarterly revenue from advertising of $50.44bn from $61.8bn total revenue. ®