Google Messages and Phone apps could be sending personal data to Google without user consent

You may want to stop using Google Messages and Google Phone apps
This article has been updated for clarity with further information and context.

The article has further been updated with a statement from Google.

A spokesperson from Google contacted us with a statement. The statement is written below:

"Both Dialer and Messages use limited amounts of data for highly specific purposes that allow us to diagnose and resolve product functionality issues and ensure message delivery is consistently reliable. These technical logs are not – and were never – used for targeting ads and were protected by strict internal access controls.

Phone numbers and hashed SMS related data within Messages were only used in technical logs to debug app service issues. Phone numbers that were not saved in a user’s contact list are only used by Dialer to guard users against unwanted spam calls.

We’re committed to compliance with Europe’s privacy laws and apply strict privacy protections to data collected via our Dialer and Messages apps."

According to Douglas Leith, a computer science professor at Trinity College Dublin, the Google Messages and Google Phone apps have been collecting and sending data about users' communications to Google without specific notice or consent from their users.

According to Leith, users don't have an opt-out option from the data collection. This, as the professor stated in his paper titled "What Data Do The Google Dialer and Messages Apps on Android Send to Google?" potentially violates Europe's GDPR, which is Europe's data protection law (via Android Police).

What information do Google Messages and Google Phone apps send to Google?

In his paper, Leith explains that the data Google Messages sends contains a hash of the message, which allows for the message sender and receiver to communicate. Google Phone sends data to Google about your call time, duration, and phone numbers, which allows for again establishing communication between two phones. Both apps use the Google Play Services Clearcut logger and Google/Firebase Analytics to send the data to Google.

Leith also explains that, from a user's message, Google takes the content of the message and its timestamp; from there, it generates a hashed version of the message and sends a part of the hash to Google's Clearcut logger and Firebase Analytics.

In an email to The Register, Leith explained if the hashed messages could be undone: "I'm told by colleagues that yes, in principle this is likely to be possible. The hash includes a hourly timestamp, so it would involve generating hashes for all combinations of timestamps and target messages and comparing these against the observed hash for a match – feasible I think for short messages given modern compute power."

Recommended Stories
According to the paper, Google indeed informs that some user data gets collected for security, fraud prevention, and for the app services to work correctly. But the paper also claims that Google does not explain why it collects the message content or the information of the callers and call recipients. In this regard, the paper stated, "Few details are given as to the actual data collected."

Also, according to Leith, Google Messages and Google Phone apps record the user interactions when users are using them and send the recordings to Google. Douglas Leith gave an example of a user that views an SMS conversation or searches for their contacts within the apps. The actions and their timing will be recorded and, afterward, sent to Google, which will allow a "detailed picture of app usage over time to be reconstructed." It is likely that Google uses these recordings to determine whether an app is successful or not and if users actually use it. But again, according to Leith, users can't opt-out of this data collection.

In his paper, Leith also stated that because the sent data is tagged with the user's Android ID, which is linked to their Google account because they are logged into their account on their phone, Google can probably see the real-world identity of users.

The most interesting part is that, as The Register reported, Google confirmed that Leith is right in his claims and further stated, "We welcome partnerships – and feedback – from academics and researchers, including those at Trinity College. We've worked constructively with that team to address their comments, and will continue to do so."

There are a few possibilities why Google might need personal information like the message content and the phone call logs. For example, the message hash could be collected to assist the company in detecting message sequencing bugs. Google could be gathering phone numbers in order to enhance message recognition in the messaging system. The technology uses RCS (Rich Communication Services), which is a new messaging protocol used for sending and receiving messages. The system uses One-Time Password (OTP) codes to authenticate users, and with the help of the phone numbers, Google improves recognition by verifying known OTP sender numbers.

Recommended Stories

Loading Comments...
FCC OKs Cingular\'s purchase of AT&T Wireless