[car_analogy]

Gathering SMS sent&received times and content hashes, and call times and durations, that, together with the Android ID, allow them to reconstruct who is calling or messaging who. And there is no opt-out..

"Privacy issues" is an understatement. When does this become criminal hacking? Were users informed? There might be something buried deep in a EULA, but if polled, would anyone have been found aware of this?

If I installed a trojan to millions of phones that did this, I'd go to jail for criminal hacking. If Google does it.. I guess clicked-through agreements trump law?

[car_analogy]

This gives me an idea - if you bury deep in your website clickthrough EULA that, by clicking accept, users authorize you to hack their phone and exfiltrate the same information that Google took, would you be legally in the clear?

And why not? One could argue that users weren't meaningfully informed, or that such a clause isn't expected for a website, or that you have no legitimate interest in that information.. but all of these arguments apply to what Google did as well!

The only difference seems to be that people are accustomed Google's spying, so they couldn't have been too surprised by this. But that's totally backwards - habitually and publicly breaking the law should result in harsher penalties, not milder!