Google Messages and Phone collect a little too much data


The apps Google Messages And Telephone they share too much data with the servers of the Mountain View house. This is what is claimed by new research published in recent days by Professor Douglas J. Leith of Trinity College Dublin. Let’s see in more detail what it is, given that the apps are installed (and pre-installed) on millions and millions of Android devices.

Google Messages and Phone share too much data according to this research

We all know the Google Messages and Google Phone apps: the first is pre-installed on many Android smartphones, including flagships such as Samsung Galaxy S22, but the second is also present on different models as a default dialer (such as Xiaomi, Realme and Motorola devices. ).

The new academic publication by Professor Leith (a familiar name for previous research on data sent by Google and Apple and beyond) points out that both Big G apps have collected and sent some data to the company’s servers without prior notice and without explicit consent. . This would violate the GDPR currently in force within the European Union.

More specifically, the apps would collect information on user communications, including a SHA256 hash of text messages and their timestamps, phone numbers, incoming and outgoing call logs, and duration of phone calls. All this is sent to Google’s servers through Google Play Services Clearcut logger and Firebase Analytics.

The data sent by Google Messages includes a hash of the text of each message, which could allow you to link sender and recipient, while those sent by the Phone app include the time and duration of the calls, allowing the connection of the two devices engaged in the conversation . These hashes are designed to be difficult to reverse to reveal their contents, but according to Leith in the case of short messages it might be possible to recover at least part of it.

The research underlines that Google requires the developers of Play Store apps to comply with specific privacy policies for the explanation of the data collected, policies that paradoxically “lack” for Messages and Telephone. Google Play Services explains to users that some data is collected for security and fraud prevention, but we no longer go into specifics.

What should Google do

Leith sent the findings to Google in November, recommending nine changes:

  1. the data collected (with related reasons) should be clearly specified in the privacy policies.
  2. Privacy policies should be easily accessible to users and viewable without having to accept other terms and conditions first (like those of Chrome, for example).
  3. Data regarding user interaction with apps, such as app screens viewed, buttons and links clicked, or the action of sending / receiving / viewing messages and calls, is different in nature from app telemetry, such as the use of battery, memory and user interface operation. The user should be able to opt out of the collection of their interaction data.
  4. The latter should turn out accessible to users on the portal https://takeout.google.com/
  5. By collecting app telemetry data such as battery usage, memory usage, etc., it should only be tagged with short-lived session identifiers, not with persistent long-lived device / user identifiers such as theAndroid ID.
  6. When collecting data, they should not be used timestamp too precise, but only rounded to the nearest hour.
  7. It would go interrupted the collection of the sender’s telephone number through the source of the CARRIER_SERVICES register when a message is received and the collection of theICCID of the SIM by Google Messages when a SIM is inserted. Collecting a hash of the text of the sent / received message should also be stopped.
  8. The current service of spam protection transmits the phone number to Google’s servers. This system should be replaced with a more privacy-conscious one, such as the one used in the Safe Browsing anti-phishing service, which only partially uploads hashes to servers.
  9. The choice of a user to forgo the collection of “Use and diagnostics” data should be fully respected.

Google has positively received the indications and said it was willing as always to collaborate to improve the functioning of its products and services. The Mountain View company has agreed, among other things, to:

  • review the flow of information that is shown when apps are installed in order to make users more aware of the policies
  • stop the collection of certain information, such as the sender’s phone number, the ICCID of the SIM and the hashes of the texts of messages sent and received through the Google Messages app
  • stop logging call events in Firebase Analytics
  • use a less long-lived identifier possible for telemetry data, rather than linking it to the Android ID
  • make it clearer when Caller ID and Spam Protection features are enabled

In any case, Google has made it known that message hashes are collected for sequence error detection, that phone numbers are collected to improve regex pattern matching for automatic one-time password recognition sent via RCS, that the ICCID data is used to support Google Fi and that Firebase Analytics event logging is used to measure the effectiveness of app download promotions.

If you want to deepen the subject and consult the full publication of Professor Douglas J. Leith (with the complete answers from Google) you can follow this link.

You might be interested in: How to register in the Public Register of Oppositions for mobile phones

Leave a Comment