In its next release, Android plans to up its privacy game. But the operating system still caters to ad trackers at its users’ expense.

The newest release of Android, dubbed “Q,” is currently in late-stage beta testing and slated for a full release this summer. After a year defined by new privacy protections around the world and major privacy failures by Big Tech, this year, Google is trying to convince users that it is serious about “protecting their information.” The word “privacy” was mentioned 22 times during the 2019 Google I/O keynote. Keeping up that trend, Google has made—and marketed—a number of privacy-positive changes to Android for version Q.

Many of the changes in Q are significant improvements for user privacy, from giving users more granular control over location data to randomizing MAC addresses when connecting to WiFi networks by default. However, in at least one area, Q’s improvements are undermined by Android’s continued support of a feature that allows third-party advertisers, including Google itself, to track users across apps. Furthermore, Android still doesn’t let users control their apps’ access to the Internet, a basic permission that would address a wide range of privacy concerns.

One ID to rule them all

Q places new restrictions on non-resettable device identifiers like IMEI number and serial number. Apps will need to request a new “Read privileged phone state” permission to access them. These changes are good: they will help prevent apps from tracking users based on information they can’t modify or reset, and they obey the principle of least privilege: apps that don’t absolutely need access to potentially sensitive information shouldn’t have it. Unfortunately, Android Q will still allow unrestricted access to its own, custom-made tracking identifier.

Android generates and exposes a unique device identifier, called an “advertising ID,” that allows tracking advertisers to link your behavior across different apps. The ad ID can be thought of as a tracking cookie, visible by default to every app on your device, that can’t be restricted or deleted (though it can be reset). As of the latest release, Google encourages ad trackers to eschew other device identifiers, like IMEI, in favor of the ad ID. Facebook and other targeting companies allow businesses to upload lists of ad IDs that they have collected in order to target those users on other platforms.

Android includes an “opt out of ad personalization” checkbox, buried deep in the settings, that allows users to indicate that they don’t want to be tracked by their ad ID. Checking it should delete the ID entirely, or at least restrict apps’ access to it, right? Wrong. Instead, the checkbox doesn’t affect the ad ID in any way. It only encodes the user’s “preference”, so that when an app asks Android whether a user wants to be tracked, the operating system can reply “no, actually they don’t.” Google’s terms tell developers to respect this setting, but Android provides no technical safeguards to enforce this policy.

You can view your advertising ID on Android by heading to Settings > Google > Ads, and you can reset it by tapping Reset advertising ID. This will cause your phone to generate a new, unique ad ID that is unrelated to the old one. While it’s nice that Google gives you some control over your ad ID, neither a preference flag nor a simple “reset” will actually prevent anyone from tracking you. Apps on your device can access more than enough information to allow them to link your old ID to your new one if they so choose. Once again, Google politely instructs trackers “respect the user's intention in resetting the advertising ID,” but does not indicate how this is enforced.

Apple’s iOS has a nearly identical “Identifier for Advertisers (IDFA),” which is also available to developers without any special permissions. Like Google, Apple’s decision to make allow this kind of tracking by default conflicts with its privacy-focused marketing campaign. Unlike Google, Apple does give users the ability to turn off tracking completely by setting the IDFA to a string of zeros.

On Android, there is no way for the user to control which apps can access the ID, and no way to turn it off. While we support Google taking steps to protect other hardware identifiers from unnecessary access, its continued support of the advertising ID—a “feature” designed solely to support tracking—undercuts the company’s public commitment to privacy.

Internet access: the permission that isn’t

The advertising ID should not be enabled by default, and users should have a way to turn it off for good. But apps can’t collect your advertising ID, or any other kind of personal information, without access to the Internet. Much of the most egregious tracking in the Play Store is performed by apps that have no business on the Internet at all, like single-player games, stopwatches, and “flashlights.”

This should be simple. If an app doesn’t need access to the Internet, it shouldn’t have it. And users should be able to decide which apps can and can’t share data over the network. But neither iOS nor Android has an “Internet” permission that users can grant or revoke. Every developer of every app has access to as much data as it can gather whenever the device is online. It’s time for Google to fix it already.