Some apps may track your activity over time, even when you tell them to forget the past. And there's nothing you can do about it.

Roughly 17,000 Android apps collect identifying information that creates a permanent record of the activity on your device, according to research from the International Computer Science Institute that was shared with CNET. In most cases, the data collection appears to violate Google's policy on collecting data that can be used to target users for advertising, the researchers said.

The apps can track you by linking your Advertising ID -- a unique but resettable number used to tailor advertising -- with other identifiers on your phone that are difficult or impossible to change. Those IDs are the device's unique signatures: the MAC address, IMEI and Android ID. Less than a third of the apps that collect identifiers take only the Advertising ID, as recommended by Google's best practices for developers.

"Privacy disappears" when apps collect those persistent identifiers, said Serge Egelman, who led the research. He said his team, which reported the findings to Google in September, observed most of the apps sending identifying information to advertising services, an apparent violation of Google's policies.

The company's policies allow developers to collect the identifiers but forbid them from combining the Advertising ID with hardware IDs without the user's explicit consent, or from using identifiers that can't be reset to target ads. What's more, Google's best practices for developers recommend collecting only the Advertising ID.

The behavior fits into the tech industry's long history of creating privacy measures that websites and app developers quickly learn to bypass. Adobe, for instance, was forced to address Flash cookies in 2011 after complaints that the snippets of software could survive in your web browser even after you cleared all your cookies. Similar complaints arose in 2014 over Verizon's and AT&T's use of so-called "supercookies," which tracked users across multiple devices and couldn't be cleared. In 2012, Microsoft accused Google of circumventing its P3P web privacy standard, which let users of the Internet Explorer browser set their preferences for cookies. (Google countered that the standard wasn't useful anymore.)

Data collected by mobile apps has provoked even broader scrutiny because of the explosion of smartphones and tablets. In January, Facebook and Google were both found to have used a developer tool to circumvent Apple's privacy rules and build iOS apps that collect user information. Facebook's Cambridge Analytica scandal in 2018 and other privacy controversies have sparked greater scrutiny over how data is being collected and used. (For tips on how to prevent apps from taking your data, please see this story.)

Egelman's team, which previously found around 6,000 children's apps improperly collecting data, said Thursday that big-name apps for adults are sending permanent identifiers to advertising services. The apps included Angry Birds Classic, the popular smartphone game, as well as Audiobooks by Audible and Flipboard. Clean Master, Battery Doctor and Cheetah Keyboard, all utilities developed by Cheetah Mobile, were also found to send permanent info to advertising networks.

All of these apps have been installed on at least 100 million devices. Clean Master, a phone utility that includes antivirus and phone optimization services, has been installed on 1 billion devices.

What Google's doing about it



Google said it had investigated Egelman's report and taken action on some apps. It declined to say how many apps it acted on or what action was taken, or to identify which of its policies the apps had violated. The company said its policies allow for the collection of hardware identifiers and the Android ID for some purposes, like fraud detection, but not for the targeting of ads.

Google also said it can enforce its policies only when Android apps send the identifiers to Google's own ad networks, such as AdMob. If the apps send the data to outside networks, Google says it can't monitor them for violations.

"We take these issues very seriously," a Google spokesperson said in a statement. "Combining Ad ID with device identifiers for the purpose of ads personalization is strictly forbidden. We're constantly reviewing apps -- including those listed in the researcher's report -- and will take action when they do not comply with our policies."

Google has a number of initiatives that aim to protect user privacy and security. In a blog post Wednesday, the company said it increased the number of abusive apps it blocked from the Google Play store by 55 percent in 2018.

Representatives of Rovio, which develops the Angry Birds series, and of Audible, didn't respond to requests for comment.

A Cheetah Mobile spokesman said in an email that its apps send a device's Android ID to a company that helps it track installations of its products. The information isn't used for targeted ads, and the company complies with all relevant Google policies and laws, the spokesman said.

He added that the version of Battery Doctor tested by the researchers was out of date; Cheetah Mobile updated the app in 2018 to no longer collect the IMEI.

Flipboard said it doesn't use the Android ID for ad targeting.

The data collection identified by Egelman and his team is similar to an issue that got Uber in trouble with Apple in 2015. According to The New York Times, Apple CEO Tim Cook was furious to learn that Uber was collecting iOS users' hardware identifiers against Apple's policies and threatened to remove the Uber app from the App Store.

Egelman's team tested the apps as they ran on Android 6, also known as Marshmallow. Just over half of all Android devices run Android 6 or an earlier version of the system, according to a Google analysis from October. The researchers configured a version of Android that let them track which identifiers an app collected and then ran thousands of apps on the modified software.

Egelman said that changing your Advertising ID should serve the same function as clearing out your web browsing data. When you clear cookies, websites you visited in the past won't recognize you. That stops them from building up data about you over time.

But you can't reset other identifiers, like the MAC address and IMEI. The MAC address is a unique identifier that your device broadcasts to internet connections like Wi-Fi routers. The IMEI is an identifier for your specific device. Both identifiers can sometimes be used to prevent stolen phones from accessing a cellular network. The Android ID is another identifier that's unique to each device. It can be reset, but only if you run a factory reset of your device.

If apps send ad networks any of those identifiers, it won't matter how many times you reset your advertising ID. They can still tell it's you.
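
The kind of audit this implies, as an added illustration (not code from the researchers or from CNET): a Python check over constructed request logs that labels each app by which identifiers it sends and reports destinations that saw one persistent identifier alongside more than one Advertising ID. The record layout, app names, hosts and all identifier values are made up for the example.

```python
from collections import defaultdict

# Constructed sample: identifiers seen in outbound requests on a test device.
# Every app name, host and identifier value below is made up.
FLOWS = [
    {"app": "com.example.game", "dest": "ads.example.net",
     "ids": {"ad_id": "aaaa-1111", "android_id": "9f3c00e1"}},
    {"app": "com.example.game", "dest": "ads.example.net",   # after Ad ID reset
     "ids": {"ad_id": "bbbb-2222", "android_id": "9f3c00e1"}},
    {"app": "com.example.news", "dest": "ads.example.org",
     "ids": {"ad_id": "aaaa-1111"}},
    {"app": "com.example.news", "dest": "ads.example.org",   # after Ad ID reset
     "ids": {"ad_id": "bbbb-2222"}},
    {"app": "com.example.tool", "dest": "installs.example.com",
     "ids": {"android_id": "9f3c00e1", "imei": "000000000000000"}},
]
PERSISTENT = {"mac", "imei", "android_id"}  # hard or impossible to reset

def classify(flows):
    """Label each (app, dest) by the identifier kinds it was seen sending."""
    kinds, paired = defaultdict(set), set()
    for f in flows:
        key, sent = (f["app"], f["dest"]), set(f["ids"])
        kinds[key] |= sent
        if "ad_id" in sent and sent & PERSISTENT:
            paired.add(key)  # both travelled in the same request
    labels = {}
    for key, sent in kinds.items():
        if key in paired:
            labels[key] = "ad_id+persistent"
        elif sent == {"ad_id"}:
            labels[key] = "ad_id_only"  # what Google's best practices recommend
        elif "ad_id" in sent:
            labels[key] = "ad_id+persistent (separate requests)"
        else:
            labels[key] = "persistent_only"
    return labels

def reset_defeated(flows):
    """Persistent values a destination saw alongside more than one Ad ID."""
    seen = defaultdict(set)
    for f in flows:
        ids = f["ids"]
        for kind in PERSISTENT & set(ids):
            if "ad_id" in ids:
                seen[(f["dest"], kind, ids[kind])].add(ids["ad_id"])
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    print(classify(FLOWS))
    print(reset_defeated(FLOWS))
```

In the sample, only the destination that received the Android ID with each request can tie the old and new Advertising IDs to the same device; the destination that received the Advertising ID alone sees two unrelated values.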

Sandy Bilus, a privacy and cybersecurity lawyer at Saul Ewing Arnstein & Lehr, said the apps might be in violation of the General Data Protection Regulation, a European Union law that requires organizations to tell users what data they collect on them, if they haven't spelled out what they're collecting to EU users.

"It certainly could raise GDPR issues," Bilus said. "The app developers who are collecting and using this data should be careful about that."

Lorrie Faith Cranor, director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University, said that Google is in the best position to crack down on apps that use hardware identifiers and the Android ID in ways that violate its own policies.

The fact that developers are creating workarounds to the Advertising ID suggests that many people are resetting the identifier, Cranor said, even if most users are unaware of the privacy feature.

"Otherwise," she said, "why would they bother?"

First published at 5:00 a.m. PT.

Updated at 7:34 a.m. PT: Added more details about Cheetah's apps.
