Understanding Google’s terms of service & privacy policy

This is the second in a series of blog posts looking at the considerations around adopting a GMS deployment in the enterprise.  Each post features a tl;dr along with recommendations.  For other posts in this series please see the links below:

• Preventing unattended application updates initiated via the Play Store
• Understanding Google’s terms of service and privacy policy
• The managed Google Play Store
• Application deltas between Android GMS and AOSP
• GMS Location services and tracking
• Distributing private apps in the Managed Play Store
• Data usage of GMS applications and services
• Factory Reset Protection
• The setup wizard and how to bypass it

Google are open about the type of data they collect on Android, why they collect that data and how that data is used.  The actual details of the privacy policy are available from https://www.google.com/policies/privacy/ and is written to be understandable. Note that there are a number of international versions of this policy that you may be directed to, for example the US and UK policies but the differences are lingual and regional rather than affecting the actual policy wording, for example the US “cell towers” are changed to UK “mobile towers”.   Google also have a “terms of service” and both policies are Google-wide meaning they are written to cover any method for accessing Google’s services e.g. Chromebook, desktop search or Chrome on iOS therefore not all the policy information is immediately applicable to Android.

Collected information includes but is not limited to: Hardware model, Android version, device UUID, mobile network, search queries, telephone logs, IP addresses, device crash information and system activity.

As Google states, “this data will be used to improve Google’s products and services for everyone” but frequently we find our enterprise customers err on the cautious side and would rather disable Google’s data acquisition entirely.  Techniques for disabling data gathering are discussed later but the extent of the privacy policy and TOS are not unique to Google; as more enterprises embrace public cloud and hybrid cloud models in their infrastructure the bigger picture of information sharing should be considered in light of the general trend toward being more accepting of cloud computing.

Executive Summary (TL;DR)

• It is possible to prevent devices from communicating back to Google’s servers and the most reliable way to achieve this is through network configuration. Options do exist on Android devices and within Android applications to disable analytics but many of these options require manual intervention to disable.
• The extent of the privacy policy and terms of service are not unique to Android or Google and many enterprises are embracing hybrid or public cloud models which have similar policies.
• There is not just one type of analytics.  The device OS itself sends analytics, system applications (e.g. Chrome or Maps) send their own analytics and Firebase analytics (owned by Google) is a hugely popular analytics engine used by 3^rd party applications.  To truly prevent any analytics going through Google’s servers you will need to address all of these vectors.

Google analytics

In order to use Google services, a user or device administrator are required to agree to Google’s privacy policy and terms of service.

This section discusses some of the ways you can prevent your data being shared with Google and there are two broad techniques to achieve this:

1. Stop the device from reporting analytics to Google by preventing network access.
2. Turn off analytics via the device and application settings

Note that you can click ‘Don’t add this account now’ during the set-up wizard rather than agree to Google’s terms of service.  Clicking ‘Don’t add this account now’ does not prevent your device from communicating back to Google as you still implicitly agree to the privacy policy through just using Google services. By not adding a Google account to the device, any information being gathered cannot be associated with a unique user but you will lose any functionality that depends on that account e.g. GSuite, Gmail, Drive, reset protection and many others.

Let us dive into each of these approaches to prevent data being shared with Google:

1) Stop the device from reporting analytics by preventing network access

The simplest, most obvious way to avoid Android devices ‘phoning home’ to Google is to prevent them from having external network access.  This makes sense for a large number of enterprise customers whose devices are deployed within the 4 walls and only have access to the company network; it is not required to give users internet access on the device to perform their job so the network administrator can deny external access.

By preventing devices from reaching the wider internet you will experience a degradation of features but will still have more features than a non-GMS device.  An oft used example to illustrate this is the location APIs: a GMS device with external internet connection is able to take full advantage of location services e.g. to create a Geofence around a particular location. If that same GMS device is prevented from accessing the external internet it can still use location services for actions that do not require internet access, for example determining the current activity of the device user (running, walking, driving).  On a non-GMS device, the location services are not available at all and the developer has to depend solely on the earlier location manager APIs whose use Google no longer recommends where alternatives exist.

If you wish to be more controlled over which addresses to block to prevent Android from ‘phoning home’ there is no authoritative list and the most reliable way is to prevent your device from accessing any of the IP addresses under Google’s ASN, 15169.  ASN 15169 consists of a long list of IP v4 and v6 addresses but external tools exist that can make the job easier for network administrators e.g. using https://www.enjen.net/asn-blocklist/index.php you could create an IP list as https://www.enjen.net/asn-blocklist/index.php?asn=15169&type=iplist and download that list by adding &api=1 to the end of the URL.  These external tools come without any endorsement from Zebra but just be aware that they do exist.  Bear in mind that the IP addresses covered in Google's ASN also cover 3rd party sites hosted on Google servers, according to https://ipinfo.io/AS15169 there are about 5M of these.

In terms of ports, again there is no authoritative list of all ports an Android device will use to connect to Google servers, the best information available only exists for the Firebase Cloud Message (FCM) service, which states ports: 5228, 5229 and 5230 are used by that tool.  Interestingly the FCM documentation also advises opening up all IP blocks listed under Google’s ASN in order to just support cloud messaging.

Looking at this the other way, the opposite is also true: if you wish to take full advantage of the google services such as enhanced location, application updates via the Play Store or Gmail then it is required to accept outgoing connections to all IP addresses contained in ASN 15169 as well as open ports 5228, 5229 and 5230 if you wish to take advantage of FCM.

2) Turn off analytics via the device & app settings

If preventing your device from having internet access to Google’s servers is not an option for you, perhaps because you require some of the added services that GMS offers then you may wish to disable data collection on the device by modifying the appropriate settings.  There is not a single master switch for turning off all analytics data and there are several classes of application which will be sending data:

1. The Android system sends information back to Google such as battery level, app usage, app crash statistics and network connectivity.
2. Google developed system applications pre-installed on Android such as the keyboard, Chrome and Maps send their own analytics to Google.
   
   1. A further distinction can be made for this application analytics data as it may or may not be associated with a Google account.  Consider the maps example, you can use Maps without a Google account and your location data is available to Google, if you then sign into Maps with your Google account that location data can be (optionally) stored as a history associated with your account.
3. Any Android developer can integrate Firebase analytics (which is owned by Google) into their native Android application, the getting started guide is here.  So, if you have a specific concern about Google then bear in mind that it is a hugely popular application analytics platform for many 3^rd party applications.

Analytics sent from the Android system

The Android system analytics can be configured as part of the start-up wizard (SUW) (see screenshot above, “Help improve your Android experience”) and will default to true, i.e. system analytics will be enabled.

You will not see this start-up wizard screen if you provision your device as a managed Android device (i.e. setup as a device owner).  In my tests the diagnostic data option is disabled by default for managed Android devices but since there are many ways to configure managed devices I recommend you test with your particular deployment.

You can manually modify or check the value of this setting at any time by following the instructions at https://support.google.com/accounts/answer/6078260, i.e. go to Settings --> Google --> (Menu) --> Usage & diagnostics and slide to ‘Off’ to disable analytics.  This settings screen also contains information about what diagnostics are being captured and the link to ‘Find out more’ will take you to the answer URL just given.

Analytics sent from Google developed, preinstalled applications

Google have a number of preinstalled applications on GMS devices that they explicitly call out as having additional privacy considerations in their privacy documentation, here.  Note that some of these applications depend on being associated with a Google account in order to have privacy implications (for clarity the Google account required for analytics to be captured is an account in the @gmail.* domain and not a managed Play account).  The list below is not exhaustive or comprehensive and if you plan on using a Google application or service it is recommended to review the privacy documentation for that application; the aim of the table is to explain how to address some of the common privacy concerns.

Note that some of the applications described below expose managed configurations, these require managed devices as well as an EMM that supports them.  You may consider disabling any system application that gives you privacy concerns and this will be covered in a later post, there is also an earlier blog on the subject available which does not provide any recommendations.

Analytics from 3^rd party applications using Google as their analytics provider

Firebase analytics is a very popular analytics platform from Google for Android and other operating systems.  You will find many 3^rd party applications will use Firebase analytics so a logical question would be whether you can disable Firebase analytics using the same setting described earlier which disables Android analytics, i.e. Settings --> Google --> (Menu) --> Usage & diagnostics and slide to ‘Off’.  The answer is ‘no’, there is no way in software to disable a 3^rd party application’s analytics unless an option is explicitly exposed by that application; the fallback is to prevent the application from communicating with the Firebase backend, as explained at https://developers.google.com/cloud-messaging/http for Firebase, i.e. disable access to ports 5228, 5229 & 5230.  If the 3^rd party application uses an analytics engine other than Firebase then the instructions would differ depending on the provider.

Recommendations

If you wish to prevent the Android OS as well as applications running on your device from providing analytics to Google the most robust way to achieve this is though network configuration, either:

• By preventing external access entirely or
• Prohibiting access to Google’s servers via a VPN or firewall.

Settings exist to turn off analytics but there are some difficulties to this approach:

• Separate settings exist for the device and system applications.  It can be challenging to manage the number of settings and ensure none are missed.
• Many settings require manual intervention (at the time of writing) therefore making it more time-consuming to stage & provision devices
• 3^rd party applications making use of Firebase analytics may choose to not expose an option to disable analytics, though they must state that analytics are being gathered in that app’s privacy statement