Android phones have been collecting and sending encrypted location data back to Google without permission, even when location services are disabled, Quartz discovered Tuesday.

Apparently, Google found a way to track location even if the user has actively turned off location services, hasn’t used any apps and hasn’t even inserted a carrier SIM card.

As soon as the phone connects to the Internet, the location data is sent back to Google.

Even devices that had been reset to factory default settings and apps, with location services disabled, were observed by Quartz sending nearby cell-tower addresses to Google. Devices with a cellular data or Wi-Fi connection appear to send the data to Google each time they come within range of a new cell tower. When Android devices are connected to a Wi-Fi network, they will send the tower addresses to Google even if they don’t have SIM cards installed.

This has been going on for at least eleven months.

According to the search giant, which has confirmed this location-tracking practice, Android phones do collect the addresses of nearby cellular towers as part of the system the company uses to manage push notifications and messages on Android handsets.

Consumers currently cannot disable this service, but the company assured privacy-minded users that the location data was never used or stored on its servers:

“In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery. However, we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID.”

The spokesperson added that apps and advertisers cannot access users’ location data because the system that controls Google’s push notifications and messages services is “distinctly separate from Location Services, which provide a device’s location to apps.”

The Mountain View company is now taking steps to end the practice after being contacted by Quartz, saying Android phones will no longer send cell-tower location data to its servers. In other words, this controversial practice would have continued for God knows how long had Google not been caught with its hand in the cookie jar.

Location tracking without permission poses a security risk, researchers warn, especially for people like law-enforcement officials or victims of domestic abuse who turn off location services thinking they’re fully concealing their whereabouts.

According to the Quartz article, spyware and various hacks could easily allow a nefarious party to upload any gathered location data from a compromised phone to a third-party server. As each Android phone has a unique ID, the data could be associated with specific devices.

  • PerfectyQ

    That kills the privacy

  • therealjjohnson

    No matter what they say, you will always be tracked. By Google, by Apple, by whoever. Your data is not private. It’s accessible. Hard truth.

    • TechnoBuff

      Exactly. I agree with you. Some people assume that Apple has no access to your data!

      Apple might not track you but certainly has access to your data including the biometric information if and when they want to access it.

      Everyone loses their privacy once they connect to the internet or choose to get a smartphone no matter who the OEM is.

      • Joshua The-Legend Wiebe

        That’s not true, our biometric data is stored inside the device. It’s not uploaded to any server. As for our privacy, Apple does claim that our personal data is secured and encrypted. Yes, they can get access to our data but only if it’s absolutely necessary for law enforcement. And with Google.. they’re just as what Tim says “A hell stew of vulnerabilities”

      • TechnoBuff

        You have just contradicted yourself.. your phone does not have to be uploaded to a server for it to be accessible if and when possible.
        FYI. Apple created the secure chip inside an iPhone.. do you actually believe that if they want to access, that they simply cannot!!!!
        The fact that Apple has access to it for any reason makes the point of privacy irrelevant.
        We can all believe whatever Apple or Google says.. which is not verifiable by any third party.. I wonder when people just believe whatever they are told when the facts run counter to that.
        I am not accusing Apple of what Google has done but to assume that you have total privacy with Apple is an ignorant perspective.

      • Urname

        It’s like smartphones and technology are just a magic black box to you…

      • Bryan I

        I agree that Apple have access to our iCloud completely but I don’t believe that Apple can actually access our fingerprint from their server without having physical access to the phone itself because if they do then why didn’t they use it to unlock Texas Shooter’s phone?

      • livin1965

        You are conflating a number of issues here. What Apple does or doesn’t access on your personal device versus the general security of online user traffic are not the same thing. This sort of extremist fear-mongering is very unhelpful and only serves to spread misunderstanding. We should all be more convinced by the track-record of a company’s behavior, rather than speculative fears about what they can and cannot do. And, yes, what Apple and Google say about the security of their devices is verifiable by third parties. The jailbreak community has been hacking at iOS code for years. If you can find any evidence from their work that Apple is monitoring, sharing, storing your TouchID or FaceID info, as you are alluding to, please share it with the rest of us. In a stark contrast, Google has directly stated that Android was not designed with security in mind. Apple has spent years making money off of devices that provide increased security and enhanced user privacy. Google has spent the same time working to circumvent user privacy and exploit user information for profit and gain. The companies have been reasonably transparent about their goals. Apple makes money off selling secure products. Google makes money by selling information about you to third parties.

      • Evan King

        Have you learned nothing from the San Bernardino case with the FBI? No one in America could get data off of an iPhone 5c, an old iPhone, running an outdated and less secure version of iOS. And it was still keeping all the data on it secure. It didn’t even have a Secure Enclave, found in every iPhone since the 5s, which protects all biometric data. So first of all, no, Apple does not have access to your data. When you select no to something like Camera access or microphone access, you can be sure that this is real, unlike Google who was still using location information after it was turned off. What gain does Apple have to obtain our information? They are the richest technology company in the world. Google makes their money from advertising since they are an advertising company that happens to sell hardware. So Google has a reason to take our information. Apple does not. I can’t believe Apple was even brought up when they’ve been doing everything right when it comes to protecting user privacy and data. Their track record shows that. But because Google was being Google and got caught yet again stealing people’s information, Apple must get dragged talked about for no reason. If you have a lack of faith in any company, let it be Google for now, since they, NOT APPLE, were found breaking user privacy. If Apple were to be found guilty, that would be a different story. But Google is found guilty, and then you say that Apple is a company to watch for because… oh that’s right, you have no past evidence to back up your conspiracy theory. But paranoia really can be a gateway to lunacy, so don’t worry too much about this stuff it’s not good for your health

  • nonchalont

    Sneaky Google ?