Google’s “Messages” and “Phone” applications, installed on more than a billion smartphones, record user activity and send this data to the firm’s servers. Users are not informed of this collection, which would not comply with the GDPR, and have no means of opposing it.
Android users are used to alerts about fake apps that collect their data. This time, however, it is two legitimate apps, pre-installed on recent versions of Android, that send personal information to Google.
The problem was discovered by Douglas Leith, professor of computer science at Trinity College Dublin. Two Google applications are in question, namely Messages (com.google.android.apps.messaging) and Phone (com.google.android.dialer). With each text message sent or received, Messages sends a report to Google that includes the time and a digital fingerprint of the message. This data is transmitted through Google Play’s Clearcut logging service as well as the Firebase Analytics service.
Google can cross-reference the information to identify the sender and the recipient
The app uses the SHA-256 hash function to create a truncated hash, which is supposed to avoid revealing the contents of the message. However, this would be enough for Google to make the link between the sender and the recipient. The Phone app sends similar reports, with the time and duration of calls received or made. In addition, when protection against unwanted calls is activated, which is the case by default, the device also transmits the calling number to Google servers.
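An added illustration, not code from the study or from Google, of why a truncated hash plus a timestamp is enough to pair sender and recipient: both handsets compute the same fingerprint for the same text, so a server can join the two reports. The report fields, the 128-bit truncation, hashing the message text alone, and the per-device key used in the contrast case are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

TRUNC_HEX = 32  # assumed truncation (128 bits); the article only says "truncated"

def fingerprint(text, device_key=None):
    """Truncated SHA-256 of the message; keyed (HMAC) if a device key is given."""
    data = text.encode("utf-8")
    if device_key is None:
        digest = hashlib.sha256(data).hexdigest()
    else:
        digest = hmac.new(device_key, data, hashlib.sha256).hexdigest()
    return digest[:TRUNC_HEX]

# Constructed traffic: (device, direction, unix time, message text)
EVENTS = [
    ("A", "sent", 1000, "Meet at 6pm at the station"),
    ("B", "received", 1002, "Meet at 6pm at the station"),
    ("C", "sent", 2000, "ok"),
    ("A", "received", 2001, "ok"),
    ("D", "sent", 9000, "ok"),  # same text, unrelated conversation
]

def build_reports(keyed=False):
    """What each handset would upload: time + fingerprint, never the text."""
    reports = []
    for device, direction, ts, text in EVENTS:
        key = ("secret-" + device).encode() if keyed else None  # hypothetical key
        reports.append({"device": device, "dir": direction, "ts": ts,
                        "fp": fingerprint(text, key)})
    return reports

def link_pairs(reports, max_delay=60):
    """Server-side join: same fingerprint, received shortly after sent."""
    by_fp = defaultdict(list)
    for r in reports:
        by_fp[r["fp"]].append(r)
    pairs = []
    for group in by_fp.values():
        for s in (r for r in group if r["dir"] == "sent"):
            for d in (r for r in group if r["dir"] == "received"):
                if s["device"] != d["device"] and 0 <= d["ts"] - s["ts"] <= max_delay:
                    pairs.append((s["device"], d["device"]))
    return pairs

if __name__ == "__main__":
    print("unkeyed:", link_pairs(build_reports()))
    print("per-device key:", link_pairs(build_reports(keyed=True)))
```

With an unkeyed hash the join recovers both conversations even though no message text is uploaded; with a key that never leaves the handset, the fingerprints no longer match across devices.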
Both apps also send detailed information about their usage, such as when the user posts a message or searches their conversations. Google does not inform the user of the data collection at any time and does not offer any means of opposing it. The professor also questions the apps’ compliance with the General Data Protection Regulation (GDPR). This collection would not respect the three basic principles concerning anonymity, consent and a legitimate interest.
Particularly opaque operation
After these issues were reported to Google, the firm responded with some changes. Users will be notified that they are using a Google application, with a link to the privacy policy. Messages will no longer collect the sender's number, the ICCID of the SIM card, or the fingerprint of the SMS. Both apps will no longer log call-related events in Firebase Analytics. Data gathering will use a temporary ID rather than the permanent Android ID. Finally, Google will more explicitly inform users when the spam call protection feature is activated, and is currently investigating how to use less information or more anonymous data.
The professor also indicated that Google plans to add an option to Messages to opt out of information gathering. However, this would not cover what the firm considers to be “essential” data. This is one of the first studies on the personal data transmitted by Google Play services, which remain largely opaque and could hide many other surprises…