How far does an anonymous Google Play app compromise privacy?

Hi all, I have recently purchased a Fairphone FP5 running /e/OS.

I am unsure what to make of the ability to download Google apps “anonymously”.

Firstly, big applause for the fact that every time I try to do that, there is a privacy warning: I like that feature. If you give someone the ability to re-Google a de-Googled phone then it is absolutely right to flag up that there is a risk, every time they do so. I also note from the T’s & C’s that by doing so, the app itself gets a connection to the Google eco-system that neither Murena nor /e/OS/ takes responsibility for. All good: you give us that choice and warn us.

But how far would I be compromising my privacy by doing this?

Having installed just one app from the G Play store, how far does Google get to TIA my phone through that one app? (That is their privacy-busting tech that fingerprints my device for future reference – see the exposé by Snowden and others).

If I only install (say) You-Tube anonymously and never log in, does Google potentially learn anything about me?

If I install a second app, also anonymously, is there anything in the /e/OS/ system that prevents G from cross-matching those two anonymous apps?

Finally, if I install a third app and log in, does G then get to cross match that login with both the anon logins?

How much safer would I be if instead I kept all my Play Store apps on a separate device, running the fully-Googled Android, knowing that everything on that phone is potentially compromised? I need to understand exactly how big the risks are, before choosing to carry the extra hassle of using that extra phone.

Note: I did try to do a search on this, but could find nothing more recent than 2021, and that predates my FP5 by a few years. I am hoping things have been tightened up in the last 3 years…


1 Like

Please try this: Anonymous calls to Google servers. Imho anonymous but “fingerprinted”.

There are actually two separate questions there:

  1. Is it technically possible for Google to …
  2. Is there any evidence that Google actually does …

OK, in theory that is true. But my feeling about Google is that the two cases collapse into one, as anything that is technically possible, will be under development as soon as anyone in Google thinks of it.

So, please interpret my question as being about what defences (if any) /e/OS/ adds in comparison to

  1. Google Play apps running on a mainstream Android 13 device

  2. Google Play apps running on one device, and non-Google-Play apps running in a physically separate device

I realise that even 2 is not watertight. No doubt Google will make a point of learning my little quirks (especially if I use the Google keyboard as I do on my mainstream Android).

Thanks – but not being totally technical, I still need more detail, with examples, about what the actual effects are.

That is why I asked a series of questions in my OP

I do like the two phone approach, used judiciously.

Google is an advertising agency. I believe that they themselves have very little interest in the punters; your questions seemed directed at this concept, I thought. 🙂

But it is a different story with their clients, hidden in case this sounds like a rant.

Say a client is paying a fee based on Google’s success on passing business their way. This client is served a dashboard where many fine tuned results are shown and can be manipulated by the client, to help them direct the advertising and marketing better. The client may be the owner of an app, or may be subscribing to a more general app in their field.

Loosely speaking the client may see on the dashboard that Google directed 1,000 customers in their direction. Not much good on its own.

I believe that the dashboard will be able to show variants of the average amount spent by various “types of customer”. Different fields of activity will measure “types” by interests and other things they are involved in.

While I do not think the dashboard is very likely to identify punters by name, they will (I have seen in a former partner’s business) be identifiable to an extent that targeted advertising can be sent based on a scale a bit like this.

  1. known by accurate data
  2. known by accurate fingerprint
  3. known by rough fingerprint
  4. anonymous.

And the whole thing is much more complex as the “second level” behaviour bits can be shared with other clients … and it goes on, with potential extra fee earning ability the better the information.

Why would they do that? As @aibd points out you are not interesting / useful / profitable to Google, except to the extent they can use information about you and your device to sell targeted advertising.

They will use information from the emails in your Gmail account and, unless you turn them off in your account settings, your search history, location history, browsing activity, what you have downloaded from the Play Store.

Doing anything beyond that doesn’t help them sell targeted advertising and make money, so why would they waste time doing it? (Rhetorical question - they won’t, and there is no credible evidence that they do or ever have done).

There is plenty of evidence that Google has in the past and still does now collect info far beyond what you said for tracking purposes.

It is trivially easy for them, with the AI at their disposal, to track users’ quirks, to identify the same user if they come up again – essentially this is the same fingerprinting that universities use to detect plagiarism.

That is why it is absolutely right that there is a warning about installing the Google keyboard, for example, which of course I did not do. But that made me wonder just how far the whole idea of having ANY Play Store apps in my /e/OS/ phone makes sense.

And I would actually like some info about what, if any, other protections there might be, rather than simply being told “don’t worry about it”.

Turning to your point about it not being worth their while to do it, they clearly think it is - as do Microsoft who for Win11 users are even further down the snooping model than Google.

And they would do it precisely because they want to track people, which they want to do to sell ads to companies wanting to ambush those people when they are away from the platform where they expressed an interest in some product related to the advertiser.

And finally, your point about there being no credible evidence is merely showing your lack of research in the topic. Just two examples out of many:

First, as already mentioned, the Google keyboard: this has a genuine reason to collect personal quirks, in order to swiftly correct typos that a given user habitually perpetrates, and to learn NOT to auto correct abbreviations that that user frequently uses. Given that they collect that for a legitimate reason, do you seriously believe they will not use that as one more way of fingerprinting that user if they pop up again on a different platform? From their ad-centric motivation it would be daft of them not to. I would need overwhelming credible evidence that they DON’T before believing they don’t. This is not a case where “benefit of the doubt” applies, rather “user beware”.

When you connect to a website, have you ever seen the little logo in the title bar be replaced by another one, several times before it settles down? This is a trick used by Google (possibly invented by them?) that detects if you have been to that website before. It is not there to do anything other than track people.

Finally an analogy from physical privacy. When glazing bathroom windows it is normal to use translucent glass rather than clear, even on upper floors. That is because most of us prefer NOT to wait till we have conclusive proof of a peeping Tom before wanting to make what we do there invisible to strangers. For me, same applies with online privacy. My policy, and my advice, is NOT to wait till Google is caught with their hands in yet another privacy cookie-jar, but to close off as much as we can identify as a plausible attack.

So please do not imagine that they confine their tracking activities to the ones you mention. That list was probably last complete around the millennium. They have moved on since then. And whether that makes sense to you or not is not a topic for this thread.

Here I am explicitly asking for info on whether there is any further protection built into /e/OS/ to stop one Play Store originated app colluding with another. Please stay on topic, or start another thread to argue that nothing else matters…

2 Likes

I think you can just consider it as the ability to download, install, use some apps, and get notification for update release, without the need of owning or declaring a gogol-account…

BUT in addition to it, you will be considered by gogol as a “bad user” as you use a custom OS, and you don’t install your apps using the PlayStore tool…

Yes, and I have already seen at least one symptom of that: You-Tube (the only Play Store app I have installed so far, and anonymously) presents several times as many ads as on the regular Android, enough of an increase to be obvious even without collecting statistics.

Are you sure of that?

1 Like

You are right, they are sometimes being punitive to “bad customers”. In the meantime, use YouTube through Firefox with uBlock and Privacy Badger; this will remove all ads and most trackers.

I am very interested in having a documented answer to your original question (very well asked). It is a question that is relevant to us all, as we all have from time to time to use a proprietary app, be it for work, convenience (Waze still more up to date regarding traffic than Magic Earth), etc.

I think that both of you are right: yes, your personal data is less valuable when you make it harder for Google to identify you and at the same time reduce the amount of data they can collect on you; on the other hand, yes, Google can still fingerprint you on third-party websites and apps, even though we are not many and hence not really valuable. We have no control over what Google is doing with this data, and they are excellent at collecting it. We have to bear in mind that their dominant position (monopoly) leads them to collect and sell our data for reasons other than advertisement, like health statistics or political influence, even inside democratic states. Monopoly is not good because it comes with hubris and an absence of control over it. For example, they can send health data to an insurance company that would refuse to insure you, or use health statistics to feed life-prolongation programs without ethical control. They can also sell political data to anyone (customer) for influencing opinion in a democracy. Those are examples showing that data monopoly is not only dangerous in a dictatorship like China.

In the end, the solution will reside in European Union regulation; the EU is probably the only body that could protect us from the very bad, uncontrolled influence on democracy and the rule of law that big data monopolies have. As Gael Duval mentioned, the EU has already forced Apple to authorize app installation from other stores, and will probably soon force Google to open its Google Play app catalogue to others. So App Lounge with its anonymous account is not really breaking the law, and Google knows it, and they know that starting a risky lawsuit for 50 000 users is not worth the bad publicity they will get by losing it and creating a jurisprudence stating clearly that Google Play itself is a “gate keeper” that must be opened and controlled by EU regulation.

Yes, absolutely sure. There is such a huge difference in both the gap between ads (much shorter) and the number of ads back to back that it is obvious even without taking stats. Subjectively I would describe Y-T ads as “intrusive but bearable” on a logged in device, but “so intrusive as to make it not worth watching” on what Google regards as a rogue device.

Google compulsively collect data all the time. In a database course I taught for a British Uni back in the eighties, “database warehousing” was already a thing. Even back then, some companies were retaining all the data that crossed their path, and storing it in a Relational Database format – the motivation for that format being that it does not limit what future uses can be made of that data (at that time there were still advocates of CODASYL databases, where you have to predetermine what queries you want asked before you start collecting the data).

The advent of recent AI models makes the possibility of the use of archived data even more worrying. A properly designed relational database can only find correlations that really are in the data, in that sense it is rational (see the works of Ted Codd for the proof of that). In contrast, throw data at ChatGPT and it can hallucinate correlations that are not justified by the data.

So the question is not only “what uses can we prove they are making of the data now?”, nor is it “what uses do they intend to make of our data when processing speeds get fast enough?”. The question should, in my opinion, be “what correlations could they in principle make in the next twenty years of data they are archiving about us now?”