Google Messages and Phone apps could be sending personal data to Google without user consent
This article has been updated for clarity with further information and context.
The article has further been updated with a statement from Google.
A spokesperson from Google contacted us with a statement. The statement is written below:
"Both Dialer and Messages use limited amounts of data for highly specific purposes that allow us to diagnose and resolve product functionality issues and ensure message delivery is consistently reliable. These technical logs are not – and were never – used for targeting ads and were protected by strict internal access controls.
Phone numbers and hashed SMS related data within Messages were only used in technical logs to debug app service issues. Phone numbers that were not saved in a user’s contact list are only used by Dialer to guard users against unwanted spam calls.
We’re committed to compliance with Europe’s privacy laws and apply strict privacy protections to data collected via our Dialer and Messages apps."
--------------------------------------------------------------------------
According to Douglas Leith, a computer science professor at Trinity College Dublin, the Google Messages and Google Phone apps have been collecting and sending data about users' communications to Google without specific notice or consent from their users.
According to Leith, users have no way to opt out of the data collection. As the professor states in his paper, titled "What Data Do The Google Dialer and Messages Apps on Android Send to Google?", this potentially violates the GDPR, Europe's data protection law (via Android Police).
What information do Google Messages and Google Phone apps send to Google?
In his paper, Leith explains that the data Google Messages sends contains a hash of the message, which allows for the message sender and receiver to communicate. Google Phone sends Google data about your call time, duration, and phone numbers, which again allows communication between two phones to be established. Both apps use the Google Play Services Clearcut logger and Google/Firebase Analytics to send the data to Google.
In an email to The Register, Leith addressed whether the hashed messages could be reversed: "I'm told by colleagues that yes, in principle this is likely to be possible. The hash includes an hourly timestamp, so it would involve generating hashes for all combinations of timestamps and target messages and comparing these against the observed hash for a match – feasible I think for short messages given modern compute power."
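Why hashing a short message together with an hourly timestamp does not hide it from whoever holds the log, shown as an added example that is not taken from Leith's paper or from Google's code. The `hour|text` SHA-256 construction, the message template, the dates and the key are all assumptions constructed for illustration; the keyed variant shows the standard mitigation.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

def _encode(message, ts):
    # Hourly timestamp: whole hours since the Unix epoch, joined to the text.
    return f"{int(ts.timestamp()) // 3600}|{message}".encode()

def log_hash(message, ts):
    """ASSUMED construction (not the apps' real format): unkeyed SHA-256."""
    return hashlib.sha256(_encode(message, ts)).hexdigest()

def keyed_log_hash(key, message, ts):
    """Mitigation: HMAC-SHA-256 under a secret the log recipient never holds."""
    return hmac.new(key, _encode(message, ts), hashlib.sha256).hexdigest()

def recover(observed, candidates, window_start, hours):
    """Enumerate every (hour, candidate) pair; return the pair that matches."""
    for h in range(hours):
        ts = window_start + timedelta(hours=h)
        for msg in candidates:
            if log_hash(msg, ts) == observed:
                return msg, ts
    return None

# Constructed sample data: a short templated message space and a 48-hour window.
CANDIDATES = [f"See you at {h:02d}:{m:02d}" for h in range(24) for m in range(60)]
WINDOW_START = datetime(2022, 3, 20, tzinfo=timezone.utc)
SENT_AT = datetime(2022, 3, 21, 14, 37, tzinfo=timezone.utc)
DEVICE_KEY = b"constructed-secret-kept-on-device"

def demo():
    """Return (result against the unkeyed hash, result against the keyed hash)."""
    plain = log_hash("See you at 18:30", SENT_AT)
    keyed = keyed_log_hash(DEVICE_KEY, "See you at 18:30", SENT_AT)
    return (recover(plain, CANDIDATES, WINDOW_START, 48),
            recover(keyed, CANDIDATES, WINDOW_START, 48))

if __name__ == "__main__":
    print(demo())
```

The search space here is only 1,440 candidate texts times 48 hours, which is why the unkeyed hash offers no protection for short or templated messages, while the same enumeration finds nothing against the keyed value.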
In his paper, Leith also stated that because the sent data is tagged with the user's Android ID, which is linked to their Google account because they are logged into their account on their phone, Google can probably see the real-world identity of users.
There are a few possible reasons why Google might need personal information such as message content and phone call logs. For example, the message hash could be collected to help the company detect message sequencing bugs. Google could be gathering phone numbers in order to enhance message recognition in the messaging system. The technology uses RCS (Rich Communication Services), which is a new messaging protocol used for sending and receiving messages. The system uses One-Time Password (OTP) codes to authenticate users, and with the help of the phone numbers, Google improves recognition by verifying known OTP sender numbers.