Google Messages and Phone apps could be sending personal data to Google without user consent
This article has been updated for clarity with further information and context.
The article has further been updated with a statement from Google.
A spokesperson from Google contacted us with a statement. The statement is written below:
"Both Dialer and Messages use limited amounts of data for highly specific purposes that allow us to diagnose and resolve product functionality issues and ensure message delivery is consistently reliable. These technical logs are not – and were never – used for targeting ads and were protected by strict internal access controls.
Phone numbers and hashed SMS related data within Messages were only used in technical logs to debug app service issues. Phone numbers that were not saved in a user’s contact list are only used by Dialer to guard users against unwanted spam calls.
We’re committed to compliance with Europe’s privacy laws and apply strict privacy protections to data collected via our Dialer and Messages apps."
"Both Dialer and Messages use limited amounts of data for highly specific purposes that allow us to diagnose and resolve product functionality issues and ensure message delivery is consistently reliable. These technical logs are not – and were never – used for targeting ads and were protected by strict internal access controls.
We’re committed to compliance with Europe’s privacy laws and apply strict privacy protections to data collected via our Dialer and Messages apps."
--------------------------------------------------------------------------
According to Douglas Leith, a computer science professor at Trinity College Dublin, the Google Messages and Google Phone apps have been collecting and sending data about users' communications to Google without specific notice or consent from their users.
According to Leith, users don't have an opt-out option from the data collection. This, as the professor stated in his paper titled "What Data Do The Google Dialer and Messages Apps on Android Send to Google?" potentially violates Europe's GDPR, which is Europe's data protection law (via Android Police).
What information do Google Messages and Google Phone apps send to Google?
In his paper, Leith explains that the data Google Messages sends contains a hash of the message, which allows for the message sender and receiver to communicate. Google Phone sends data to Google about your call time, duration, and phone numbers, which allows for again establishing communication between two phones. Both apps use the Google Play Services Clearcut logger and Google/Firebase Analytics to send the data to Google.
Leith also explains that, from a user's message, Google takes the content of the message and its timestamp; from there, it generates a hashed version of the message and sends a part of the hash to Google's Clearcut logger and Firebase Analytics.
In an email to The Register, Leith explained if the hashed messages could be undone: "I'm told by colleagues that yes, in principle this is likely to be possible. The hash includes a hourly timestamp, so it would involve generating hashes for all combinations of timestamps and target messages and comparing these against the observed hash for a match – feasible I think for short messages given modern compute power."
In his paper, Leith also stated that because the sent data is tagged with the user's Android ID, which is linked to their Google account because they are logged into their account on their phone, Google can probably see the real-world identity of users.
The most interesting part is that, as The Register reported, Google confirmed that Leith is right in his claims and further stated, "We welcome partnerships – and feedback – from academics and researchers, including those at Trinity College. We've worked constructively with that team to address their comments, and will continue to do so."
Things that are NOT allowed: