1## 9.8\. Privacy
2
3### 9.8.1\. Usage History
4
5Android stores the history of the user's choices and manages such history by
6[UsageStatsManager](https://developer.android.com/reference/android/app/usage/UsageStatsManager.html).
7
8Device implementations:
9
10*   [C-0-1] MUST keep a reasonable retention period of such user history.
11*   [SR] Are STRONGLY RECOMMENDED to keep the 14 days retention period as
12    configured by default in the AOSP implementation.
13
14Android stores the system events using the [`StatsLog`](https://developer.android.com/reference/android/util/StatsLog.html)
15identifiers, and manages such history via the `StatsManager` and the
16`IncidentManager` System API.
17
18Device implementations:
19
20*   [C-0-2] MUST only include the fields marked with `DEST_AUTOMATIC` in the
21    incident report created by the System API class `IncidentManager`.
22*   [C-0-3] MUST not use the system event identifiers to log any other event
23    than what is described in the [`StatsLog`](https://developer.android.com/reference/android/util/StatsLog.html)
24    SDK documents. If additional system events are logged, they MAY use a
25    different atom identifier in the range between 100,000 and 200,000.
26
27### 9.8.2\. Recording
28
29Device implementations:
30
31*   [C-0-1] MUST NOT preload or distribute software components out-of-box that
32    send the user's private information (e.g. keystrokes, text displayed on the
33    screen, bugreport) off the device without the user's consent or clear
34    ongoing notifications.
35*   [C-0-2] MUST display and obtain explicit user consent that includes exactly
36    the same message as AOSP whenever screen casting or screen recording is
37    enabled via [`MediaProjection`](https://developer.android.com/reference/android/media/projection/MediaProjection)
38    or proprietary APIs. MUST NOT provide users an affordance to
39    disable future display of the user consent.
40*   [C-0-3] MUST have an ongoing notification to the user while screen casting
41    or screen recording is enabled. AOSP meets this requirement by showing an
42    ongoing notification icon in the status bar.
43
44If device implementations include functionality in the system that either
45captures the contents displayed on the screen and/or records the audio stream
46played on the device other than via the System API `ContentCaptureService`, or
47other proprietary means described in
48[Section 9.8.6 Content Capture](#9_8_6_content_capture), they:
49
50*   [C-1-1] MUST have an ongoing notification to the user whenever this
51    functionality is enabled and actively capturing/recording.
52
53If device implementations include a component enabled out-of-box, capable of
54recording ambient audio and/or record the audio played on the device
55to infer useful information about user’s context, they:
56
57*   [C-2-1] MUST NOT store in persistent on-device storage or transmit off the
58    device the recorded raw audio or any format that can be converted back into
59    the original audio or a near facsimile, except with explicit user consent.
60
61### 9.8.3\. Connectivity
62
63If device implementations have a USB port with USB peripheral mode support,
64they:
65
66*   [C-1-1] MUST present a user interface asking for the user's consent before
67allowing access to the contents of the shared storage over the USB port.
68
69
70### 9.8.4\. Network Traffic
71
72Device implementations:
73
74*   [C-0-1] MUST preinstall the same root certificates for the system-trusted
75    Certificate Authority (CA) store as [provided](https://source.android.com/security/overview/app-security.html#certificate-authorities)
76    in the upstream Android Open Source Project.
77*   [C-0-2] MUST ship with an empty user root CA store.
78*   [C-0-3] MUST display a warning to the user indicating the network traffic
79    may be monitored, when a user root CA is added.
80
81If device traffic is routed through a VPN, device implementations:
82
83*   [C-1-1] MUST display a warning to the user indicating either:
84    *   That network traffic may be monitored.
85    *   That network traffic is being routed through the specific VPN
86        application providing the VPN.
87
88If device implementations have a mechanism, enabled out-of-box by default, that
89routes network data traffic through a proxy server or VPN gateway (for example,
90preloading a VPN service with `android.permission.CONTROL_VPN` granted), they:
91
92*    [C-2-1] MUST ask for the user's consent before enabling that mechanism,
93     unless that VPN is enabled by the Device Policy Controller via the
94     [`DevicePolicyManager.setAlwaysOnVpnPackage()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#setAlwaysOnVpnPackage%28android.content.ComponentName, java.lang.String, boolean%29)
95     , in which case the user does not need to provide a separate consent, but
96     MUST only be notified.
97
98If device implementations implement a user affordance to toggle on the
99"always-on VPN" function of a 3rd-party VPN app, they:
100
101*    [C-3-1] MUST disable this user affordance for apps that do not support
102     always-on VPN service in the `AndroidManifest.xml` file via setting the
103     [`SERVICE_META_DATA_SUPPORTS_ALWAYS_ON`](https://developer.android.com/reference/android/net/VpnService.html#SERVICE_META_DATA_SUPPORTS_ALWAYS_ON)
104     attribute to `false`.
105
106### 9.8.5\. Device Identifiers
107
108Device implementations:
109
110*   [C-0-1] MUST prevent access to the device serial number and, where
111    applicable, IMEI/MEID, SIM serial number, and International Mobile
112    Subscriber Identity (IMSI) from an app, unless it meets one of the following
113    requirements:
114    * is a signed carrier app that is verified by device manufacturers.
115    * has been granted the `READ_PRIVILEGED_PHONE_STATE` permission.
116    * has carrier privileges as defined in [`UICC Carrier Privileges`](https://source.android.com/devices/tech/config/uicc).
117    * is a device owner or profile owner that has been granted the
118      `READ_PHONE_STATE` permission.
119
120### 9.8.6\. Content Capture
121
122Android, through the System API `ContentCaptureService`, or by other proprietary
123means, supports a mechanism for device implementations to capture the
124following interactions between the applications and the user.
125
126*    Text and graphics rendered on-screen, including but not limited to,
127     notifications and assist data via [`AssistStructure`](
128     https://developer.android.com/reference/android/app/assist/AssistStructure)
129     API.
130*    Media data, such as audio or video, recorded or played by the device.
131*    Input events (e.g. key, mouse, gesture, voice, video, and accessibility).
132*    Any other events that an application provides to the system via the
133     [`Content Capture`](
134     https://developer.android.com/reference/android/view/contentcapture/package-summary)
135     API or a similarly capable, proprietary API.
136
137If device implementations capture the data above, they:
138
139*    [C-0-1] MUST encrypt all such data when stored in the device. This
140     encryption MAY be carried out using Android File Based Encryption, or any
141     of the ciphers listed as API version 26+ described in [Cipher SDK](
142     https://developer.android.com/reference/javax/crypto/Cipher).
143*    [C-0-2] MUST NOT back up either raw or encrypted data using
144     [Android backup methods](
145     https://developer.android.com/guide/topics/data/backup) or any other back
146     up methods.
147*    [C-0-3] MUST only send all such data and the log of the device using a
148     privacy-preserving mechanism. The privacy-preserving mechanism
149     is defined as “those which allow only analysis in aggregate and prevent
150     matching of logged events or derived outcomes to individual users”, to
151     prevent any per-user data being introspectable (e.g., implemented using
152     a differential privacy technology such as [`RAPPOR`](
153     https://github.com/google/rappor)).
154*    [C-0-4] MUST NOT associate such data with any user identity (such
155     as [`Account`](https://developer.android.com/reference/android/accounts/Account))
156     on the device, except with explicit user consent each time the data is
157     associated.
158*    [C-0-5] MUST NOT share such data with other apps, except with
159     explicit user consent every time it is shared.
160*    [C-0-6] MUST provide user affordance to erase such data that
161     the `ContentCaptureService` or the proprietary means collects if the
162     data is stored in any form on the device.
163
164If device implementations include a service that implements the System API
165`ContentCaptureService`, or any proprietary service that captures the data
166as described as above, they:
167
168*    [C-1-1] MUST NOT allow users to replace the content capture service with a
169     user-installable application or service and MUST only allow the
170     preinstalled service to capture such data.
171*    [C-1-2] MUST NOT allow any apps other than the preinstalled content capture
172     service mechanism to be able to capture such data.
173*    [C-1-3] MUST provide user affordance to disable the content capture
174     service.
175*    [C-1-4] MUST NOT omit user affordance to manage Android permissions that
176     are held by the content capture service and follow Android permissions
177     model as described in [Section 9.1. Permission](#9_1_permissions.md).
178*    [C-SR] Are STRONGLY RECOMMENDED to keep the content capturing service
179     components separate, for example, not binding the service or sharing process
180     IDs, from other system components except for the following:
181
182     *    Telephony, Contacts, System UI, and Media
183
184### 9.8.7\. Clipboard Access
185
186Device implementations:
187
188  * [C-0-1] MUST NOT return a clipped data on the clipboard (e.g. via the
189    [`ClipboardManager`](
190    https://developer.android.com/reference/android/content/ClipboardManager)
191    API) unless the app is the default IME or is the app that currently has
192    focus.
193
194### 9.8.8\. Location
195
196Device implementations:
197
198*   [C-0-1] MUST NOT turn on/off device location setting and Wi-Fi/Bluetooth
199scanning settings without explicit user consent or user initiation.
200*   [C-0-2] MUST provide the user affordance to access location related
201information including recent location requests, app level permissions and usage
202of Wi-Fi/Bluetooth scanning for determining location.
203*   [C-0-3] MUST ensure that the application using Emergency Location Bypass API
204[LocationRequest.setLocationSettingsIgnored()] is a user initiated emergency
205session (e.g. dial 911 or text to 911).
206*   [C-0-4] MUST preserve the Emergency Location Bypass API's ability to
207bypass device location settings without changing the settings.
208*   [C-0-5] MUST schedule a notification that reminds the user after an app in
209the background has accessed their location using the
210[`ACCESS_BACKGROUND_LOCATION`] permission.
211