Google blasts report about personal data being sent every 15 minutes from the Pixel 9 Pro XL

A report from Cybernews says that after examining the web traffic on the Pixel 9 Pro XL, it appears that the phone sends a data packet to Google that shares a user's location, phone number, email address, network status, and other metrics to the company. Even potentially more dangerous, the phone will try to download and run new code. Web traffic analysis revealed that the phone sends personally identifiable information (PII) to a Google endpoint called "auth." This takes place every 15 minutes.

Even if GPS is disabled, the location of the phone is sent by using Wi-Fi networks to determine the location of the device. Security researcher Aras Nazarovas says, "The Pixel 9 Pro XL repeatedly uses PII for authentication, configuration, and logging. This practice doesn’t align with the industry’s best anonymization practices and appears excessive. The smartphone transmits the user's email address, location, and phone number, even when utilizing a variety of other identifiers for the user and the device."

The report adds that the device requests a check-in every 40 minutes listing the firmware version, whether the phone is using Wi-Fi or mobile data, the carrier whose SIM card is being used on the phone, and the email address of the user. Additionally, while Cybernews did not open the Photo app on the Pixel 9 Pro XL, the phone occasionally contacted endpoints connected to Google Photos' Face Grouping feature without asking for consent.

Researcher Nazarovas explains that this is concerning. "These services are especially sensitive as the endpoints are used for processing of biometric data, such as facial recognition. Since there were no photos on the test device, we did not observe any personally identifiable information being sent to these endpoints," he said. The Voice Search feature on the Pixel also connected with Google servers. Sometimes this took place multiple times within a few minutes, sometimes the connection wouldn't take place for hours.

It appears that in responding to the report, Google had much to say about inaccuracies it found in Cybernews' report. The company said, "User security and privacy are top priorities for Pixel. You can manage data sharing, app permissions and more during device setup and in your settings. This report lacks crucial context, misinterprets technical details and doesn't fully explain that data transmissions are needed for legitimate services on all mobile devices regardless of the manufacturer, model or OS, such as software updates, on-demand features and personalized experiences."

When I used the Pixel 2 XL and Pixel 6 Pro as my daily driver, I felt entirely comfortable with the devices. Now I'm asking Pixel 9 Pro users whether they are concerned about the report from Aras Nazarovas or if they believe that Google has shared a legitimate response.