Cybernews researchers analyzed the web traffic of the new Pixel 9 Pro XL, revealing that the device sends personal data to Google every 15 minutes. According to Aras Nazarovas, a security researcher at Cybernews, these packets include sensitive information such as the user's location, email address, phone number, and other telemetry data. More troubling, the phone reportedly attempts to download and run new code, raising potential security risks.
"The Pixel 9 Pro XL repeatedly uses personally identifiable information for authentication and configuration," Nazarovas explained. "This practice seems excessive and doesn't align with industry best practices for data anonymization."
In response to the report, Google stated that the data transmissions are necessary for legitimate services across all mobile devices, regardless of the manufacturer. A Google spokesperson emphasized that user security and privacy are top priorities for the company.
"User security and privacy are top priorities for Pixel. You can manage data sharing, app permissions, and more during device setup and in your settings. This report lacks crucial context, misinterprets technical details, and doesn't fully explain that data transmissions are needed for legitimate services on all mobile devices regardless of the manufacturer, model or OS, such as software updates, on-demand features and personalized experiences."," the spokesperson told Forbes.
Researchers discovered that the Google Pixel 9 Pro XL regularly communicates with Google servers. For instance, the device sends authentication requests approximately every 15 minutes and a 'check-in' request about every 40 minutes. These requests list essential details, including firmware versions and network status. Even with GPS disabled, the device still shares location data by relying on nearby Wi-Fi networks.
"Every 15 minutes, the "Pixel 9 Pro XL sends a data packet to Google. The device shares location, email address, phone number, network status, and other telemetry." This data, they found, is sent "to various Google endpoints, including Device Management, Policy Enforcement, and Face Grouping."
The implications of such continuous data transmission raise significant privacy concerns. Nazarovas pointed out that these practices do not align with established best practices for data handling.
Another troubling aspect of the Cybernews findings was the Pixel device's connection to services without explicit user consent. Researchers noted that the phone contacted endpoints related to Google Photos' Face Grouping feature, even though they had not used the app. This raises concerns over how much control users have over their personal data.
"These services are especially sensitive," Nazarovas said. "They process biometric data, such as facial recognition. Without explicit consent, this practice is alarming."