Google’s Dialer and Messaging apps have been collecting and sending data without users’ consent and without an opt-out option, according to a new report. The practice potentially violates Europe’s GDPR and other privacy laws across the globe.
Trinity College Dublin’s Professor Douglas Leith recently released a report called “What Data Do The Google Dialer and Messages Apps on Android Send to Google?” According to the report, Google’s Messages and Dialer apps send data to Google’s Firebase Analytics and Google Play Services Clearcut.
“The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange,” the paper says. “The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google.”
The apps are the default on many Android devices, including those sold by US carriers T-Mobile and AT&T, and those offered by OEMs such as Samsung, Xiaomi, and Huawei.
From the Messages app, Google gets a SHA256 hash generated from the content and timestamp. The hash is hard to decipher, but Leith believes it can be reversed, allowing the content of the message to be recovered.
“I’m told by colleagues that yes, in principle this is likely to be possible,” Leith said in an email to The Register. “The hash includes an hourly timestamp, so it would involve generating hashes for all combinations of timestamps and target messages and comparing these against the observed hash for a match – feasible I think for short messages given modern compute power.”
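The matching Leith describes can be reproduced on constructed data to show why an unkeyed hash of a short message does not anonymise it, and how a keyed HMAC with a device-held key changes the outcome. This is an added example, not code from the paper or from Google; the input encoding (hour-truncated Unix time, a `|` separator, then the text), the function names, the date and the sample messages are all assumptions, since the page does not give the exact format.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

def _encode(message, sent_at):
    # Assumed encoding (not from the paper): hour-truncated Unix time, "|", text.
    hour = sent_at.replace(minute=0, second=0, microsecond=0)
    return f"{int(hour.timestamp())}|{message}".encode()

def telemetry_hash(message, sent_at):
    """Unkeyed SHA-256 over the hourly timestamp and the message text."""
    return hashlib.sha256(_encode(message, sent_at)).hexdigest()

def keyed_hash(message, sent_at, key):
    """Mitigation: HMAC-SHA256 with a key that never leaves the device."""
    return hmac.new(key, _encode(message, sent_at), hashlib.sha256).hexdigest()

def match_candidates(observed, candidates, window_start, hours,
                     hash_fn=telemetry_hash):
    """Return (message, hour) whose hash equals `observed`, else None."""
    for offset in range(hours):
        hour = window_start + timedelta(hours=offset)
        for message in candidates:
            if hmac.compare_digest(hash_fn(message, hour), observed):
                return message, hour
    return None

# Constructed sample data: a small list of common short messages and one day.
CANDIDATES = ["ok", "on my way", "call me", "running late", "see you soon"]
SENT_AT = datetime(2022, 3, 21, 14, 37, tzinfo=timezone.utc)
WINDOW_START = datetime(2022, 3, 21, tzinfo=timezone.utc)
DEVICE_KEY = secrets.token_bytes(32)  # hypothetical per-device secret

def demo():
    # Unkeyed: anyone holding the hash can test candidates for each hour.
    observed = telemetry_hash("running late", SENT_AT)
    unkeyed = match_candidates(observed, CANDIDATES, WINDOW_START, 24)
    # Keyed: without DEVICE_KEY the same search finds nothing.
    observed_keyed = keyed_hash("running late", SENT_AT, DEVICE_KEY)
    wrong_key = bytes(32)
    keyed = match_candidates(observed_keyed, CANDIDATES, WINDOW_START, 24,
                             hash_fn=lambda m, t: keyed_hash(m, t, wrong_key))
    return unkeyed, keyed

if __name__ == "__main__":
    print(demo())
```

The search cost is the number of candidate messages times the number of hours, which is why the approach is limited to short or predictable text.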
From the Dialer app, Google logs outgoing and incoming calls, as well as the time and duration of calls.
Leith’s research paper states that Google Play Services discloses that it collects some data for security purposes, fraud prevention and other maintenance reasons. However, it does not detail exactly what is collected from the Dialer and Messages apps.
In November, Leith made his findings and recommendations known to Google. Google has since made some changes. Still, he is not confident that the data collected from these apps is not in violation of GDPR, nor that the changes made addressed all his concerns.