Google has been collecting data from Android devices and sending the information to its servers each time a call or message is sent or received, Douglas J. Leith, a professor at Trinity College Dublin, reveals in a research paper, "What Data Do The Google Dialer and Messages Apps On Android Send to Google?"
“When an SMS message is sent/received the Google Messages app sends a message to Google servers recording this event, the time when the message was sent/received and a truncated SHA256 hash of the message text,” he writes. “The latter hash acts to uniquely identify the text message. The message sender’s phone number is also sent to Google, so by combining data from handsets exchanging messages the phone numbers of both are revealed.”
The study focuses on technical aspects of privacy rather than legal ones like GDPR and reports on measurements of the data sent to Google by the Google Messages and Google Dialer apps on an Android handset.
Researchers found that the apps tell Google when messages and phone calls are made and received.
“The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange,” Leith wrote. “The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call.”
Phone numbers are sent to Google, along with the timing and duration of other user interactions with the apps. There is no opt out from this data collection. The data is sent via the Google Play Services Clearcut logger and Google/Firebase Analytics.
Leith wrote in the paper that the group informed Google of the findings, even delayed publication for several months to talk through the findings. Google said they plan to make multiple changes to their Messages and Dialer apps.
The data sent to Google gets tagged with the handset Android ID, which is linked to the handset’s Google user account. Many times, it’s also linked to the real identity of the person involved in a phone call or SMS message.
For example, Leith wrote, a working phone number is required to create a Google account, and if the person has paid for an app on the Google Play store or uses Google Pay then their Google account is also linked to their credit card and bank details. In this way real-world identities of the pair of people communicating may be revealed to Google.
"Both Dialer and Messages use limited amounts of data for highly specific purposes that allow us to diagnose and resolve product functionality issues and ensure message delivery is consistently reliable,” a Google spokesperson wrote in an email to Search & Performance Marketing Daily. “These technical logs are not – and were never – used for targeting ads and were protected by strict internal access controls.
Phone numbers and hashed SMS related data within Messages were only used in technical logs to debug app service issues. Phone numbers that were not saved in a user’s contact list are only used by Dialer to guard users against unwanted spam calls, the spokesperson wrote.
“We’re committed to compliance with Europe’s privacy laws and apply strict privacy protections to data collected via our Dialer and Messages apps." The Google spokesperson wrote.
But the paper points to GDPR data protection regulations in Europe, lack of anonymity, lack of consent and lack of app-specific privacy policies. It also provides a list of recommendations to Google based on the observations.