The TLDR
Your operating system is a commercial product, and its maker wants data about how you use it. Android phones contact Google servers an average of 340 times per day. iPhones contact Apple servers even when you’ve turned off every analytics toggle you can find. Windows sends “basic diagnostic data” that includes your hardware configuration, installed apps, crash dumps, and browsing data from Edge. None of this requires your explicit consent because you agreed to it when you set up the device. The settings that reduce this collection exist, but they’re buried, and some telemetry can’t be turned off without replacing the OS.
The Reality
A 2021 study by Professor Douglas Leith at Trinity College Dublin measured the data transmitted by stock Android and iOS devices at rest — sitting on a table, not being used. Findings:
- Android contacted Google servers ~340 times per day, transmitting ~1MB of data
- iOS contacted Apple servers ~52 times per day, transmitting ~42KB of data
- Both transmitted device identifiers, location data, cookies, and local network details
- Google collected approximately 20x more data than Apple from an idle device
This is before you open a single app. This is the OS itself, doing what it was built to do.
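One way to check at-rest contact counts like these on your own network, as an added example that is not from the study or the original article: it tallies DNS lookups per vendor for one idle device from a dnsmasq query log. The vendor suffix lists, device IPs and log lines are constructed assumptions, and DNS lookups only approximate connection counts because cached answers are not re-queried.

```python
import re
from collections import Counter, defaultdict

# Assumption: illustrative, non-exhaustive domain suffixes per OS vendor.
VENDOR_SUFFIXES = {
    "Google": ("google.com", "googleapis.com", "gstatic.com"),
    "Apple": ("apple.com", "icloud.com"),
    "Microsoft": ("microsoft.com", "windows.com"),
}

# dnsmasq query-log line: "<time> dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+(\S+)")

def vendor_for(name):
    """Return the vendor whose suffix matches on a label boundary, else None."""
    name = name.lower().rstrip(".")
    for vendor, suffixes in VENDOR_SUFFIXES.items():
        for suffix in suffixes:
            if name == suffix or name.endswith("." + suffix):
                return vendor
    return None

def count_vendor_lookups(lines, device_ip):
    """Count DNS lookups per vendor made by one device; also collect the names."""
    counts = Counter()
    names = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or m.group(2) != device_ip:
            continue  # not a query line, or a different client
        vendor = vendor_for(m.group(1))
        if vendor:
            counts[vendor] += 1
            names[vendor].add(m.group(1).lower())
    return counts, names

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
Jan  5 03:00:01 dnsmasq[412]: query[A] play.googleapis.com from 192.168.1.23
Jan  5 03:00:01 dnsmasq[412]: query[AAAA] play.googleapis.com from 192.168.1.23
Jan  5 03:04:12 dnsmasq[412]: query[A] www.google.com from 192.168.1.23
Jan  5 03:04:40 dnsmasq[412]: query[A] gateway.icloud.com from 192.168.1.40
Jan  5 03:05:02 dnsmasq[412]: query[A] notgoogle.com from 192.168.1.23
Jan  5 03:09:30 dnsmasq[412]: reply www.google.com is 203.0.113.10
""".splitlines()

if __name__ == "__main__":
    print(count_vendor_lookups(SAMPLE_LOG, "192.168.1.23")[0])
```

Run it against a log captured while the device sits untouched with the screen off, so that every counted lookup comes from the OS and preinstalled services rather than from your own activity.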
How It Works
iOS Telemetry
Apple’s privacy marketing is the best in the business. The reality is more nuanced.
What Apple collects by default:
- Analytics and Improvements: Crash logs, app usage statistics, performance data, Siri voice recordings (anonymized, but still collected)
- Significant Locations: Your iPhone tracks locations you visit frequently and stores them locally — but also uses them for predictive features that phone home
- iCloud Analytics: If you use iCloud, Apple collects metadata about your usage patterns
- App Store data: What you search for, what you browse, what you download
The $95 million Siri settlement: In 2024, Apple settled a class action over Siri activating without the trigger phrase and recording conversations that were then reviewed by human contractors. Apple said recordings were anonymized. Plaintiffs argued the recordings contained identifiable personal information, medical discussions, and intimate conversations.
“On-device processing”: Apple frequently claims data is “processed on device.” This is real for some features (Face ID biometrics never leave the device). But for others, “processed on device” means the raw data is processed locally and the results are sent to Apple’s servers. The distinction matters.
Settings that actually reduce collection:
- Settings → Privacy & Security → Analytics & Improvements → turn off everything
- Settings → Privacy & Security → Location Services → System Services → turn off Significant Locations
- Settings → Siri & Search → turn off “Listen for ‘Hey Siri’” if you’re uncomfortable with an always-on microphone
- Settings → Privacy & Security → Apple Advertising → turn off Personalized Ads
Android Telemetry
Android’s relationship with telemetry is more complex because there are two layers: Google’s Android services and the device manufacturer’s additions.
Google’s layer:
- Google Play Services is effectively mandatory and runs constantly in the background. It collects device identifiers, location (even with Location History “off”), app usage, WiFi network data, and crash reports.
- The Advertising ID (GAID) is a device-level tracking identifier used across all apps. You can reset it, but apps often also collect hardware identifiers that survive a reset.
- Google Account sync reports your app installations, settings, contacts, calendar, and browsing history (if using Chrome) to Google’s servers.
Manufacturer additions (Samsung, OnePlus, Xiaomi, etc.): The Trinity College study found that Samsung, Xiaomi, and Huawei phones all transmit telemetry to their own servers in addition to Google’s collection. Samsung’s telemetry included device identifiers, app usage logs, and call/text metadata sent to Samsung Analytics servers.
Settings that actually reduce collection:
- Settings → Google → Ads → Delete advertising ID (Android 12+)
- Settings → Google → turn off Web & App Activity, Location History, YouTube History
- Settings → Privacy → turn off Usage & Diagnostics
- Consider using a Google-free Android ROM (GrapheneOS, CalyxOS) if your threat model warrants it
Windows Telemetry
Windows is the most aggressive desktop OS for telemetry collection.
The four telemetry levels (Windows 10/11):
- Security: The minimal level, covering only the Connected User Experience (just security data). Only available on Enterprise editions.
- Basic (Required): Device configuration, hardware capabilities, installed apps, crash dumps, basic performance data, Edge browsing data. This is the lowest level available to Home and Pro editions.
- Enhanced: Everything in Basic plus detailed usage data, app usage time, feature usage frequency.
- Full (Optional): Everything above plus diagnostic data content, memory snapshots, and “inking and typing data” — yes, what you type.
What “basic” diagnostic data actually includes:
- Your hardware configuration and peripherals
- Installed applications and their versions
- Crash dump data (which can contain fragments of whatever was in memory)
- Edge browsing history and search data
- Network configuration
Microsoft Connected Experiences is a separate data collection system built into Office 365. It analyzes your document content to provide features like “smart suggestions” — which means Microsoft is reading your documents on their servers.
Settings that reduce collection:
- Settings → Privacy & Security → Diagnostics & Feedback → set to “Required diagnostic data” (can’t go lower on Home/Pro)
- Settings → Privacy & Security → Activity History → turn off everything
- Settings → Privacy & Security → General → turn off advertising ID, website language list, suggested content, app launch tracking
- Group Policy Editor (Pro/Enterprise only) allows more granular control
macOS
Apple’s Mac telemetry is generally less aggressive than Windows but not zero.
Gatekeeper’s reporting: When you open an application, macOS contacts Apple’s OCSP (Online Certificate Status Protocol) server to check the developer certificate. This means Apple receives a log of every application you open, timestamped and tied to your IP address. Apple says they don’t log IPs — but the connection is made.
In 2020, this system caused a major incident when Apple’s OCSP server went down, and Macs couldn’t open applications because the certificate check couldn’t complete.
How It Gets Exploited
Geofence Warrants and OS Location Data
Law enforcement uses geofence warrants to demand location data from Google’s Sensorvault — a database built entirely from Android telemetry. Google reported receiving over 11,000 geofence warrants in 2020. You don’t have to be a suspect — you just have to have been in the area.
Apple has received similar requests but maintains that their location data collection is more limited and stored locally. The difference between Android and iOS here is meaningful — Google stores your location history on their servers by default; Apple stores Significant Locations primarily on device.
Insurance and Health Data
Apple Health and Google Fit data, collected through OS-level fitness tracking, can be accessed by insurance companies through data broker pipelines. John Hancock’s Vitality program explicitly ties life insurance premiums to fitness tracking data. The data flows from the OS health API → fitness app → data broker → insurance company.
Targeted Advertising from OS Data
Both Google and Apple use OS-level telemetry to power their advertising businesses. Google’s is more direct (advertising is their primary revenue model). Apple’s is more indirect (App Store ads, Apple Search Ads) but growing. The telemetry data feeds the targeting.
What You Can Do
The honest answer: you cannot fully stop OS telemetry without replacing the OS. What you can do is reduce it significantly.
- Review every privacy setting on your device — don’t trust defaults
- Turn off analytics sharing on iOS and Android
- Delete your advertising ID (Android 12+) or limit ad tracking (iOS)
- Use a VPN to prevent your ISP from correlating your device’s telemetry connections with your browsing
- For maximum privacy: Consider GrapheneOS (Android without Google) or Linux (desktop without Microsoft/Apple telemetry)
The corporate giants designed these systems to collect data. The settings to reduce collection exist because of regulatory pressure, not because the companies want you to use them.
Sources & Further Reading
- Trinity College Dublin: Mobile Handset Privacy — the definitive study comparing Android and iOS telemetry
- EFF: Surveillance Self-Defense — practical device privacy guidance
- Microsoft Windows Diagnostic Data — Microsoft’s own documentation of what they collect
- Apple Privacy Report — Apple’s privacy documentation and reports
- GrapheneOS — privacy-focused Android without Google services