How Is Your Digital Privacy?
Your smartphone is a surveillance device. This article examines how operating systems, apps and mobile networks collect your data — and what concrete steps you can take to reclaim your digital privacy.
Smartphones are the most important communication devices of our time. Their functioning is based on a complex interplay of hardware, software, scientific research, and global infrastructure. They are the digital gateway to the world in handy pocket format. The youngest generations no longer know a world without this fixed component of our lives.
This development, however, brings with it not only various mental health risks but also an increasing collection and processing of personal data. We often perceive this indirectly, for example through personalized content or advertising. Some may already have had the aha-moment when fitting advertising appears on the smartphone at exactly the right moment, even though one had only just expressed this new wish in a private and very personal setting. Is someone listening in?
In fact, there is now a global and billion-dollar industry that deals exclusively with surveillance and spyware. This “spyware industry” is increasingly developing into an intransparent surveillance ecosystem with many interlocking fundamental segments. In this complex network, there is close cooperation between technology companies, telecommunications corporations, and government agencies. In the process, through massive dragnet surveillance and targeted monitoring, every individual citizen is in focus. It lies in the nature of the prevailing social structures that all governments of this world have a self-interest in such expanded control and surveillance tools.
In this article, I would like to provide an initial overview of central technical and structural aspects of mobile data processing and put their significance for privacy in context. Subsequently, I will as usual go into more detail on possible solutions. However, we can only understand the solutions if we know the problems.
Operating Systems and Data Transmission
The market for mobile operating systems today is essentially dominated by Apple with iOS and Google with Android. Together, both systems reach a global market share of over 99%. These are predominantly proprietary systems whose source code and internal functioning are only restrictedly publicly accessible. This makes it very difficult for outsiders to comprehend how much data is actually collected by these companies.
A frequently cited study by Trinity College Dublin (2021) investigated the data transmission of iOS and Android devices under controlled conditions. The results show that both systems regularly transmit data to manufacturers’ servers, even when certain privacy options are deactivated. In the process, device identifiers such as advertising IDs or system identifiers such as the IMEI (International Mobile Station Equipment Identity) are transmitted, among other things. These can under certain circumstances be linked to one another and thus enable device-related re-identification.
According to the study, it is particularly critical that this data collection cannot be completely deactivated and also occurs in idle mode or without active use. Overall, the investigation shows that through the combination of this data, a detailed profile including identity, location history, and usage behavior can be created. At the same time, it should be noted that such data transmissions are in some cases technically integrated into system functions.
Apps and Third-Party Structures
In addition to operating systems, apps play a central role in data collection. These mobile applications are frequently developed by third-party providers and in many cases access external services, for example for analysis, advertising, or functional extensions. The currently most popular app stores are the Google Play Store and the Apple App Store.
A large-scale study (2019) showed that many Android applications transmit data to a large number of external domains, including unique device identifiers such as the Android ID or the IMEI. These data flows frequently occur via so-called Advertising and Tracking Services (ATS). Notably, many applications simultaneously integrate several such services. The data is passed on not only to classic advertising networks but also to many intransparent or unknown tracking domains. Through this, users can be uniquely identified across multiple apps.
A large part of this infrastructure is operated by technology corporations, including Google’s parent company Alphabet Inc. This potentially creates the possibility of merging data from different sources. Overall, this creates a system in which tracking across apps, operating systems, and even devices can be combined, so that very comprehensive user profiles are created, often without clear transparency or control for the users.
Current studies also show that tracking mechanisms are continuing to develop. In addition to classic identifiers, increasingly indirect methods such as fingerprinting or server-side data linking are being used. These are frequently difficult for users to understand.
Mobile Networks and Infrastructure
Mobile network providers such as Vodafone or Telekom are central gatekeepers of communication and process a large part of mobile data traffic. They therefore play a special role.
Technologically, mobile communications have developed strongly in recent years. Since the introduction of LTE (Long Term Evolution) in 2010, data transmission has occurred predominantly in packet-switched form based on IP protocols. In contrast to earlier circuit-switched systems, LTE as the fourth generation (4G) of mobile communications enables more efficient use of network resources and a higher data transmission speed.
Since the expansion of 5G in 2020, additional higher frequency ranges (millimeter waves) are being used. This fifth generation enables on one hand higher data processing, but on the other hand has a shorter range. This requires a denser network structure. This change is desired by politics and business, particularly in connection with the Internet of Things (IoT), smart cities, and similar developments. These require higher data rates, lower latencies, and the connection of a large number of devices.
With the 4G network and at the latest since 5G, classic services such as telephony or the transmission of messages are increasingly being offered on an IP-based basis.
When we activate and use our smartphones, they transmit unique identifiers to the mobile networks. These can thus identify us as customers and link us to one another. In the process, the IMEI (International Mobile Station Equipment Identity) of your smartphone is used for data mediation by both the Google and Apple operating systems and by apps and mobile network providers. It is generated by the manufacturer and registered by your network operator. It can serve to recognize stolen phones and block them from the network. Additionally, on every SIM card there is also the IMSI (International Mobile Subscriber Identity) as an identifier that identifies the country, location, and subscriber number in the home network.
State authorities use, for example, so-called IMSI catchers. These devices impersonate a cell tower of a network provider and thereby read out the IMSI numbers of mobile phones. Due to their stronger signal, mobile phones in the vicinity automatically connect to the IMSI catcher. This remains hidden from users. Once connected, the IMSI catcher can locate the associated phone and intercept telephone calls. Thus all persons within a certain radius can be monitored and, for example, participants of demonstrations or other large events can be recorded. This method is regularly applied by the state side in Germany.
Another common surveillance instrument of authorities is the cell site query. Law enforcement authorities can require mobile network providers to subsequently provide information about which mobile devices were logged into a precisely delimited cell at a specific time. Mobile networks are divided into spatially delimited areas, so-called cells. Every end device (smartphone, tablet, IoT device with SIM card) uses a specific base station to communicate with the network. Such a query typically encompasses several thousand devices.
Conclusion
The structures presented show that mobile communication today is embedded in a complex web of technical, economic, and state interests. Data collection is thereby not a marginal phenomenon, but an integral component of the functioning of digital systems.
Thus in Germany too there are several well-documented cases in which authorities have violated existing data protection or surveillance rules. From a critical perspective, the question therefore arises as to what extent a self-regulation of the state apparatus is to be taken seriously at all. In particular, the intransparency of many processes and the high market concentration make effective control by the population difficult.
Here too, as in so many other areas of our lives: those who place freedom and self-determination above surveillance and convenience must inevitably take on more responsibility again.
What You Can Do
Inform yourself about the data collection methods of telecommunications providers.
Take control of the operating system of your phone. Replace your conventional operating system with an open-source operating system (OS) that prevents tracking by companies. You can, for example, buy a smartphone with a pre-installed OS from above.phone, freifon, or murena. Alternatively, you can also install GrapheneOS and CalyxOS yourself on your smartphone. You can find numerous guides on the internet for this.
Get used to using trustworthy software services and applications. As we have seen, conventional app developers sell the data of their users through advertising and analytics services. On “de-Googled” phones, we do not use the conventional Play Store, but free and open-source apps from stores such as F-Droid. The apps there undergo a review process and are more transparent regarding the services to which they connect. We should not log into our previous accounts with the major tech companies on our new phones, as this carries the risk of de-anonymizing our phone. We should monitor and control our app data traffic with the help of our new operating system and, if necessary, block apps.
It requires joint efforts and a change in our lifestyle to prevent any tracking on our devices and in our internet use. Not everyone will be willing to take this effort upon themselves, but those who do create the prerequisites for being able to act unimpeded even in the distant future.