Android phones have been collecting and sending encrypted location data back to Google without permission, even when location services are disabled, Quartz discovered Tuesday.

Apparently, Google found a way to track location even if the user has actively turned off location services, hasn’t used any apps and hasn’t even inserted a carrier SIM card.

As soon as the phone connects to the Internet, the location data is sent back to Google.

Even devices that had been reset to factory default settings and apps, with location services disabled, were observed by Quartz sending nearby cell-tower addresses to Google. Devices with a cellular data or Wi-Fi connection appear to send the data to Google each time they come within range of a new cell tower. When Android devices are connected to a Wi-Fi network, they will send the tower addresses to Google even if they don’t have SIM cards installed.

This has been going on for at least eleven months.

According to the search giant, which has confirmed this location-tracking practice, Android phones do collect the addresses of nearby cellular towers as part of the system the company uses to manage push notifications and messages on Android handsets.

Consumers currently cannot disable this service, but the company assured privacy-minded users that the location data was never used or stored on its servers:

In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery. However, we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID.

The spokesperson added that apps and advertisers cannot access users’ location data because the system that controls Google’s push notifications and messages services is “distinctly separate from Location Services, which provide a device’s location to apps.”

The Mountain View company is now taking steps to end the practice after being contacted by Quartz, saying Android phones will no longer send cell-tower location data to its servers. In other words, this controversial practice would have continued for God knows how long had Google not been caught with its hands in the jar.

Location tracking without permission poses a security risk, researchers warn, especially for people like law-enforcement officials or victims of domestic abuse who turn off location services thinking they’re fully concealing their whereabouts.

According to the Quartz article, spyware and various hacks could easily allow a nefarious party to upload any gathered location data from a compromised phone to a third-party server. As each Android phone has a unique ID, the data could be associated with specific devices.