New research has found that Google has been collecting data about calls and text messages through its Android operating system. Google has used Android apps to export data to its servers but without informing users or obtaining their consent, claimed the research paper authored by Professor Douglas J Leith, a researcher at the Trinity College of Dublin.
When an SMS message is sent/received, the Google Messages app sends a message to Google servers recording this event with the time when the message was sent/received and a truncated SHA256 hash of the message text. “The latter hash acts to uniquely identify the text message. The message sender’s phone number is also sent to Google, so by combining data from handsets exchanging messages the phone numbers of both are revealed,” the research paper read.
It also said that when a phone call is made/received through the Google Dialer app, the app logs this event to Google servers together with the time and the duration of the call.
It would be interesting to examine these practices through the lens of existing laws such as the European Union’s GDPR or even India’s impending data protection law.
Data is sufficient to discover real-world identities of people communicating: Research
When the data is sent to Google, it is tagged with the handset Android ID which is linked to the handset’s Google user account, which again is linked to a person’s real identity, the paper revealed.
“For example, a working phone number is required to create a Google account, and if the person has paid for an app on the Google Play store or uses Google Pay then their Google account is also linked to their credit card/bank details. In this way real-world identities of the pair of people communicating may be revealed to Google,” it said.
Apart from that, the Google Messages and Dialer apps send messages to Google recording user interactions with the app, the paper said. For instance, when the user views an app screen, an SMS conversation, or searches their contacts, the nature and timing of this interaction are sent to Google allowing a detailed picture of app usage over time to be reconstructed, it added.
The “See caller and spam ID” option is always enabled by default in the Google Dialer app. So, the paper said, when someone gets a call, the app sends the phone number of each incoming call to Google together with the time of the call.
“By combining data from handsets exchanging phone calls the phone numbers of both are therefore revealed. We note that sending of incoming phone numbers to Google is not necessary for call screening,” it said.
Google says it will remove logging of call-related events in Firebase analytics
The research said that Google Messages and Dialer apps send data to Google via two channels — Google Play Services Clearcut logger service and the Google/Firebase Analytics service. The paper noted that the data transmission is “largely opaque, being binary encoded with little public documentation”.
With these findings, the researcher reached out to Google, who said that it —
- Plans to change the app onboarding flow so that users are notified that this is a Google app with a link to Google’s consumer privacy policy. “This will include a new on/off toggle to cover data collection that Google does not consider to be essential for the app to function,” it said.
- Will halt the collection of the sender phone number and of a hash of sent/received message text by Google Messages (the latter change will be rolled out with version 10.9.160 of Google Messages, the other changes in the next release).
What will be the future of data privacy in India?
Do you want to keep track of data governance in India but don’t have the time? Relying on scattered content from across the web makes it feel harder than it needs to be.
Subscribe to MediaNama and get crisp, timely updates on tech policy developments in India and across the world.
Also Read:
- Google to let certain app developers use third-party payment options, with Spotify to start
- Google confirms phishing campaigns against Ukrainian organisations by Russian & Belarusian hacking groups
Have something to add? Subscribe to MediaNama here and post your comment.