Google failed to disclose a pretty severe privacy violation and that's bad for everyone, especially Android users.
Google makes no secret of the amount of user data it collects when someone signs up for its services. More so when he or she uses an Android phone. Given that Google is predominantly an advertising company, the more data accrued, the more targeted it can help its advertising partners be.
In the case of Android, Google makes the argument that by allowing it to collect location data, it can enhance services from Google Maps to Assistant, creating a web of context. It's why using an Android phone feels so magical, because Google is doing so many things behind the scenes with all the data being shared.
But according to Quartz, the company has gone a bit too far this time.
Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals' locations and their movements that go far beyond a reasonable consumer expectation of privacy.
The upside is this: not only has Google collected the location data for nearby cellular towers of any Android device that connects to its notification service powered by Firebase Cloud Messaging (FCM), a cross-platform and more advanced version of Google Cloud Messaging that many apps use to send notifications, but it's done so even when the user has no SIM card in his or her phone.
Companies like Google have no business collecting cell tower location data. Leave that to the cellular providers.
Google claims that the feature was enabled to "further improve the speed and performance of message delivery," but the data was never incorporated into any notification enhancements. A Google spokesperson said, "we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID."
Still, Quartz found this activity recently, on a current-generation Android phone; Google now says it will release an update later in the month to disable the practice altogether, but you have to wonder how long it would have taken to do so were it not caught.
Cell ID, or cell tower location data, is not something manufacturers or platform owners typically collect. Instead, the data is stored by the provider, such as T-Mobile or Verizon, and is rarely shared with outside vendors. Occasionally, the information is subpoenaed as part of a criminal investigation — remember the first season of Serial? — but it is understood that a person's cell tower data because it is so valuable, is never to be shared with third-party advertisers.
Even though Google has assured us that the data was never stored, nor used for anything, this revelation could be a hit to Google's already-fragile reputation when it comes to user privacy. The company has gone a long way to improve communication with its users over the past few years, making it fairly easy to opt-out of or remove location data or tune one's cross-account privacy with a simple check-up.
Google has found itself in a position of having to defend a practice that is largely indefensible: it should never have been collection Cell ID data in the first place; it should never have done so without a SIM card present; and it should never have kept it a secret.
While this storm is likely to pass quickly, it's sure to leave a sour taste in the mouths of Android users already worried about giving Google too much of their selves, willingly or otherwise.