Buy a phone, get a tracker: unauthorized tracking code illegally installed on Android phones

Online & Mobile tracking
 /  06 April 2021
AAID

Buy a phone, get a tracker: unauthorized tracking code illegally installed on Android phones

As reported by the Financial Times, noyb launched further action against Google’s AAID (Android Advertising Identifier), following similar complaints against Apple’s IDFA. The somewhat hidden ID allows Google and all apps on the phone to track a user and combine information about online and mobile behaviour. While these trackers clearly require the users’ consent (as known from “cookie banners”), Google neglects this legal requirement. noyb therefore filed a complaint against Google’s tracking code AAID.

Tracking without user consent. Google’s software creates the AAID without the user’s knowledge or consent. The identification number functions like a license plate that uniquely identifies the phone of a user and can be shared among companies. After its creation, Google and third parties (e.g. applications providers and advertisers) can access the AAID to track users’ behaviour, elaborate consumption preferences and provide personalised advertising. Such tracking is strictly regulated by the EU “Cookie Law” (Article 5(3) of the e-Privacy Directive) and requires the users’ informed and unambiguous consent.

No tracking? No chance! Google not only installs the AAID without consent but it also denies Android user’s the option of deleting it. As we have proven in our previous complaint filed in Austria, users can merely “reset” the ID and are forced to generate a new tracking ID to replace the existing one. This neither deletes the data that was collected before, nor stops tracking going forward.

“Imagine having coloured powder on your feet and hands that marks your every step and action: everything you touch within the mobile ecosystem. And you can’t remove it - you can only change it to a different color. This is what the Android Advertising ID is all about – a tracker that marks your every action within and beyond the mobile ecosystem.” - Stefano Rossetti, privacy lawyer at noyb.eu

Majority of EU Citizens affected. Currently there are about 450 million active mobile phones in the European Union. Of these, about 306 million use Android. Considering that almost all of these Android phones use the AAID tracker, one can get an impression of the extent of this tracking.

The extent of this case is bewildering. Almost all Android users seem to be affected by this technology. We therefore hope that the French CNIL will take action” - Stefano Rossetti, privacy lawyer at noyb.eu

Next steps. Since this complaint is based on the e-Privacy directive, the French authority can directly make a decision, without the need for cooperation with other EU Data Protection Authorities as under GDPR. Should the authority adhere to the complainant's interpretation, the amount of the sanction could be substantial. This complaint is part of a larger project aimed at removing hidden tracking identifiers from the mobile environment. A few months ago, we filed similar complaints against the other market leader, Apple, for similar reasons.