## 9.8\. Privacy

### 9.8.1\. Usage History

Android stores the history of the user's choices and manages such history by
[UsageStatsManager](https://developer.android.com/reference/android/app/usage/UsageStatsManager.html).

Device implementations:

* [C-0-1] MUST keep a reasonable retention period of such user history.
* [SR] Are STRONGLY RECOMMENDED to keep the 14-day retention period as
  configured by default in the AOSP implementation.

Android stores the system events using the [`StatsLog`](https://developer.android.com/reference/android/util/StatsLog.html)
identifiers, and manages such history via the `StatsManager` and the
`IncidentManager` System API.

Device implementations:

* [C-0-2] MUST only include the fields marked with `DEST_AUTOMATIC` in the
  incident report created by the System API class `IncidentManager`.
* [C-0-3] MUST NOT use the system event identifiers to log any other event
  than what is described in the [`StatsLog`](https://developer.android.com/reference/android/util/StatsLog.html)
  SDK documents. If additional system events are logged, they MAY use a
  different atom identifier in the range between 100,000 and 200,000.

### 9.8.2\. Recording

Device implementations:

* [C-0-1] MUST NOT preload or distribute software components out-of-box that
  send the user's private information (e.g. keystrokes, text displayed on the
  screen, bug reports) off the device without the user's consent or clear
  ongoing notifications.
* [C-0-2] MUST display and obtain explicit user consent, using exactly the
  same message as AOSP, whenever screen casting or screen recording is
  enabled via [`MediaProjection`](https://developer.android.com/reference/android/media/projection/MediaProjection)
  or proprietary APIs. MUST NOT provide users an affordance to
  disable future display of the user consent.
* [C-0-3] MUST have an ongoing notification to the user while screen casting
  or screen recording is enabled. AOSP meets this requirement by showing an
  ongoing notification icon in the status bar.

If device implementations include functionality in the system that captures
the contents displayed on the screen and/or records the audio stream played
on the device other than via the System API `ContentCaptureService`, or via
other proprietary means described in
[Section 9.8.6 Content Capture](#9_8_6_content_capture), they:

* [C-1-1] MUST have an ongoing notification to the user whenever this
  functionality is enabled and actively capturing/recording.

If device implementations include a component enabled out-of-box, capable of
recording ambient audio and/or recording the audio played on the device
to infer useful information about the user's context, they:

* [C-2-1] MUST NOT store in persistent on-device storage or transmit off the
  device the recorded raw audio or any format that can be converted back into
  the original audio or a near facsimile, except with explicit user consent.

### 9.8.3\. Connectivity

If device implementations have a USB port with USB peripheral mode support,
they:

* [C-1-1] MUST present a user interface asking for the user's consent before
  allowing access to the contents of the shared storage over the USB port.

### 9.8.4\. Network Traffic

Device implementations:

* [C-0-1] MUST preinstall the same root certificates for the system-trusted
  Certificate Authority (CA) store as [provided](https://source.android.com/security/overview/app-security.html#certificate-authorities)
  in the upstream Android Open Source Project.
* [C-0-2] MUST ship with an empty user root CA store.
* [C-0-3] MUST display a warning to the user indicating that network traffic
  may be monitored, when a user root CA is added.
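The condition behind [C-0-2] and [C-0-3] above is observable from app code: the platform trust store is exposed through the `AndroidCAStore` KeyStore type, where entries added after first boot (by the user, or by a device admin) carry a `user:` alias prefix and the AOSP-provided roots carry `system:`. The following is an added example, not code from the CDD or AOSP; the class name, the `UserCa` record type and the method names are this example's own, while `AndroidCAStore` and the alias prefixes are real platform behaviour.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Added example (not part of the CDD or AOSP): enumerates the CA certificates
 * that were added to the Android trust store after the device shipped.
 * "AndroidCAStore" exposes the system-trusted CA store and the user root CA
 * store together; the alias prefix tells them apart.
 */
public final class UserCaAudit {

    /** What a settings screen or a diagnostics view would show for one added CA. */
    public static final class UserCa {
        public final String alias;
        public final String subject;
        public final String issuer;

        UserCa(String alias, String subject, String issuer) {
            this.alias = alias;
            this.subject = subject;
            this.issuer = issuer;
        }
    }

    /** Returns every entry of the user root CA store; empty on a device that still meets [C-0-2]. */
    public static List<UserCa> listUserAddedCas() throws Exception {
        KeyStore caStore = KeyStore.getInstance("AndroidCAStore");
        caStore.load(null, null); // no file and no password: this is the platform trust store
        List<UserCa> result = new ArrayList<>();
        Enumeration<String> aliases = caStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!alias.startsWith("user:")) {
                continue; // "system:" entries are the AOSP-provided roots required by [C-0-1]
            }
            Certificate cert = caStore.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                result.add(new UserCa(alias,
                        x509.getSubjectX500Principal().getName(),
                        x509.getIssuerX500Principal().getName()));
            }
        }
        return result;
    }

    /**
     * A non-empty user store is exactly the situation [C-0-3] warns about:
     * whoever holds the private key of an added root can issue certificates
     * that TLS clients trusting that store will accept.
     */
    public static boolean trafficMayBeMonitored() throws Exception {
        return !listUserAddedCas().isEmpty();
    }
}
```

Since Android 7.0, apps targeting API level 24 or higher do not trust user-added CAs unless their network security configuration opts in, so the warning in [C-0-3] matters most for apps that have opted in and for system components that use the user store.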

If device traffic is routed through a VPN, device implementations:

* [C-1-1] MUST display a warning to the user indicating either:
  * That network traffic may be monitored.
  * That network traffic is being routed through the specific VPN
    application providing the VPN.

If device implementations have a mechanism, enabled out-of-box by default, that
routes network data traffic through a proxy server or VPN gateway (for example,
preloading a VPN service with `android.permission.CONTROL_VPN` granted), they:

* [C-2-1] MUST ask for the user's consent before enabling that mechanism,
  unless that VPN is enabled by the Device Policy Controller via
  [`DevicePolicyManager.setAlwaysOnVpnPackage()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#setAlwaysOnVpnPackage%28android.content.ComponentName,%20java.lang.String,%20boolean%29),
  in which case the user does not need to provide a separate consent, but
  MUST only be notified.

If device implementations implement a user affordance to toggle on the
"always-on VPN" function of a 3rd-party VPN app, they:

* [C-3-1] MUST disable this user affordance for apps that do not support
  always-on VPN service in the `AndroidManifest.xml` file via setting the
  [`SERVICE_META_DATA_SUPPORTS_ALWAYS_ON`](https://developer.android.com/reference/android/net/VpnService.html#SERVICE_META_DATA_SUPPORTS_ALWAYS_ON)
  attribute to `false`.

### 9.8.5\. Device Identifiers

Device implementations:

* [C-0-1] MUST prevent access to the device serial number and, where
  applicable, IMEI/MEID, SIM serial number, and International Mobile
  Subscriber Identity (IMSI) from an app, unless it meets one of the following
  requirements:
  * is a signed carrier app that is verified by device manufacturers.
  * has been granted the `READ_PRIVILEGED_PHONE_STATE` permission.
  * has carrier privileges as defined in [UICC Carrier Privileges](https://source.android.com/devices/tech/config/uicc).
  * is a device owner or profile owner that has been granted the
    `READ_PHONE_STATE` permission.

### 9.8.6\. Content Capture

Android, through the System API `ContentCaptureService`, or by other proprietary
means, supports a mechanism for device implementations to capture the
following interactions between the applications and the user:

* Text and graphics rendered on-screen, including but not limited to
  notifications and assist data via the [`AssistStructure`](https://developer.android.com/reference/android/app/assist/AssistStructure)
  API.
* Media data, such as audio or video, recorded or played by the device.
* Input events (e.g. key, mouse, gesture, voice, video, and accessibility).
* Any other events that an application provides to the system via the
  [Content Capture](https://developer.android.com/reference/android/view/contentcapture/package-summary)
  API or a similarly capable, proprietary API.

If device implementations capture the data above, they:

* [C-0-1] MUST encrypt all such data when stored on the device. This
  encryption MAY be carried out using Android File Based Encryption, or any
  of the ciphers listed as available from API version 26 in the
  [Cipher SDK](https://developer.android.com/reference/javax/crypto/Cipher)
  documentation.
* [C-0-2] MUST NOT back up either raw or encrypted data using
  [Android backup methods](https://developer.android.com/guide/topics/data/backup)
  or any other backup methods.
* [C-0-3] MUST only send all such data and the log of the device using a
  privacy-preserving mechanism.
  The privacy-preserving mechanism
  is defined as "those which allow only analysis in aggregate and prevent
  matching of logged events or derived outcomes to individual users", to
  prevent any per-user data being introspectable (e.g., implemented using
  a differential privacy technology such as [RAPPOR](https://github.com/google/rappor)).
* [C-0-4] MUST NOT associate such data with any user identity (such
  as an [`Account`](https://developer.android.com/reference/android/accounts/Account))
  on the device, except with explicit user consent each time the data is
  associated.
* [C-0-5] MUST NOT share such data with other apps, except with
  explicit user consent every time it is shared.
* [C-0-6] MUST provide a user affordance to erase such data that
  the `ContentCaptureService` or the proprietary means collects if the
  data is stored in any form on the device.

If device implementations include a service that implements the System API
`ContentCaptureService`, or any proprietary service that captures the data
described above, they:

* [C-1-1] MUST NOT allow users to replace the content capture service with a
  user-installable application or service and MUST only allow the
  preinstalled service to capture such data.
* [C-1-2] MUST NOT allow any apps other than the preinstalled content capture
  service mechanism to be able to capture such data.
* [C-1-3] MUST provide a user affordance to disable the content capture
  service.
* [C-1-4] MUST NOT omit the user affordance to manage Android permissions that
  are held by the content capture service, and MUST follow the Android
  permissions model as described in [Section 9.1. Permissions](#9_1_permissions.md).
* [C-SR] Are STRONGLY RECOMMENDED to keep the content capturing service
  components separate (for example, not binding the service or sharing process
  IDs) from other system components, except for the following:

  * Telephony, Contacts, System UI, and Media

### 9.8.7\. Clipboard Access

Device implementations:

* [C-0-1] MUST NOT return clipped data on the clipboard (e.g. via the
  [`ClipboardManager`](https://developer.android.com/reference/android/content/ClipboardManager)
  API) unless the app is the default IME or is the app that currently has
  focus.

### 9.8.8\. Location

Device implementations:

* [C-0-1] MUST NOT turn on/off the device location setting or the Wi-Fi/Bluetooth
  scanning settings without explicit user consent or user initiation.
* [C-0-2] MUST provide the user affordance to access location-related
  information, including recent location requests, app-level permissions and
  usage of Wi-Fi/Bluetooth scanning for determining location.
* [C-0-3] MUST ensure that the application using the Emergency Location Bypass
  API `LocationRequest.setLocationSettingsIgnored()` is a user-initiated
  emergency session (e.g. dial 911 or text to 911).
* [C-0-4] MUST preserve the Emergency Location Bypass API's ability to
  bypass device location settings without changing the settings.
* [C-0-5] MUST schedule a notification that reminds the user after an app in
  the background has accessed their location using the
  `ACCESS_BACKGROUND_LOCATION` permission.
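Returning to 9.8.6 [C-0-1], which allows the at-rest encryption of captured content to use any cipher available from API level 26: the following added example (not code from the CDD or AOSP) shows one way a content capture service could seal each captured record before writing it to storage, using `AES/GCM/NoPadding` with a non-exportable key held in the Android Keystore. `KeyGenParameterSpec`, `KeyProperties` and the `AndroidKeyStore` provider are real platform APIs; the class name, the key alias and the method names are this example's own assumptions.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.security.KeyStore;
import java.util.Arrays;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Added example (not part of the CDD or AOSP): seals captured content with
 * AES-GCM under a key that is generated inside, and never leaves, the Android
 * Keystore. GCM provides confidentiality and an integrity tag, so a record
 * that is modified or replayed under another record id fails to decrypt.
 */
public final class CapturedDataVault {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String KEY_ALIAS = "content_capture_at_rest"; // assumed alias
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12; // IV length the Keystore produces for GCM

    /** Creates the key on first use; afterwards the Keystore refuses to export it. */
    private static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        KeyStore.Entry existing = ks.getEntry(KEY_ALIAS, null);
        if (existing instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) existing).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                // The Keystore chooses a fresh IV for every encryption, so a
                // nonce can't be reused by a caller mistake.
                .setRandomizedEncryptionRequired(true)
                .build());
        return kg.generateKey();
    }

    /**
     * Returns IV || ciphertext || tag. The IV is not secret but is needed to
     * decrypt; recordId is bound as additional authenticated data so an entry
     * can't be swapped into another record's slot without detection.
     */
    public static byte[] seal(byte[] plaintext, byte[] recordId) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        cipher.updateAAD(recordId);
        byte[] iv = cipher.getIV();
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Throws javax.crypto.AEADBadTagException if the record or its id was altered. */
    public static byte[] open(byte[] sealed, byte[] recordId) throws Exception {
        byte[] iv = Arrays.copyOfRange(sealed, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(sealed, GCM_IV_BYTES, sealed.length);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        cipher.updateAAD(recordId);
        return cipher.doFinal(ct);
    }
}
```

File Based Encryption, the other option [C-0-1] names, protects the whole user partition whenever the user is locked out; the per-record approach above additionally lets the service erase individual captures for [C-0-6], and keeps the plaintext unreachable to any process that can read the files but cannot use the Keystore key.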