This article has been updated to clarify that Google Messages transmits a partial SHA256 hash, which makes it possible to determine the content of the message only in the case of SMS.
What you need to know
- A new study found that Google’s Messages and Phone apps were quietly sending your text message and call information to Google.
- Both communication apps did not obtain user consent and did not offer users the opportunity to opt out, which could violate the EU’s General Data Protection Regulation (GDPR).
- The new findings were revealed by a professor of computer science at Trinity College Dublin.
In what could be another case of a data privacy breach, Google’s Messages and Phone apps were found to secretly send text messages and call logs to their servers.
According to a research paper published by Douglas Leith, professor of computer science at Trinity College Dublin, Google’s messaging and phone apps collected user communication data without giving users prior notice (via The Register). In effect, this deprived users of the opportunity to opt out of data collection.
The paper states that “the data transmitted by Google Messages includes a hash of the message body, which allows linking the sender and recipient in the exchange of messages.” “The data sent by the Google Dialer includes the time and duration of the call, which again allows the two phones involved in a phone call to be linked.”
It should be noted that Messages sends only a 128-bit value of the message hash to the Google server. However, Leith believes that although the hash is difficult to reverse, some content can still be identified in the case of SMS.
“Colleagues have told me yes, in principle, it’s probably possible,” Leith told The Register. “The hash includes an hourly timestamp, so it would involve creating a hash of all target groups of timestamps and messages and comparing it with the observed hash for matching – which is feasible for SMS given the power of modern computing.”
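The matching Leith describes can be illustrated with a short script, added here as an example and not taken from the paper or from Google's code. The hash input layout, the sample message, the guess list and the keyed variant shown for contrast are all assumptions made for the illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

TRUNC_BYTES = 16  # 128 bits, the size the article says reaches Google's server


def hour_bucket(ts):
    """Round down to the hour; the hash is said to include an hourly timestamp."""
    return ts.replace(minute=0, second=0, microsecond=0)


def partial_hash(message, ts):
    # ASSUMPTION: the "<epoch hour>|<text>" layout and keeping the leading
    # bytes are invented here; the article does not give the real encoding.
    epoch_hour = int(hour_bucket(ts).timestamp()) // 3600
    data = f"{epoch_hour}|{message}".encode("utf-8")
    return hashlib.sha256(data).digest()[:TRUNC_BYTES]


def keyed_hash(message, ts, device_key):
    # Contrast case (not from the article): same input under a secret key.
    epoch_hour = int(hour_bucket(ts).timestamp()) // 3600
    data = f"{epoch_hour}|{message}".encode("utf-8")
    return hmac.new(device_key, data, hashlib.sha256).digest()[:TRUNC_BYTES]


def match_candidates(observed, candidates, window_start, hours):
    """Return every (message, hour) whose unkeyed partial hash equals `observed`."""
    hits = []
    for offset in range(hours):
        ts = hour_bucket(window_start) + timedelta(hours=offset)
        hits += [(m, ts) for m in candidates if partial_hash(m, ts) == observed]
    return hits


# Constructed sample data: one sent SMS and a small guess list.
SENT_AT = datetime(2022, 3, 21, 14, 37, tzinfo=timezone.utc)
SENT_TEXT = "Running late, see you at 8"
GUESSES = ["Ok", "Call me back", "Running late, see you at 8", "On my way"]
DAY_START = datetime(2022, 3, 21, tzinfo=timezone.utc)

if __name__ == "__main__":
    observed = partial_hash(SENT_TEXT, SENT_AT)
    print("unkeyed:", match_candidates(observed, GUESSES, DAY_START, 24))
    keyed = keyed_hash(SENT_TEXT, SENT_AT, b"constructed-device-secret")
    print("keyed:  ", match_candidates(keyed, GUESSES, DAY_START, 24))
```

The unkeyed search recovers both the text and the hour it was sent, while the keyed value matches nothing because the party doing the matching does not hold the key.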
Phone numbers and logs of incoming and outgoing calls were also collected as part of the process. This information is then sent to Google’s servers via the Clearcut Recorder Service for Google Play Services and the Firebase Analytics Service.
According to the paper, the Google app does not have a privacy policy that explains what data it collects. Ironically, this is a strict requirement for third-party apps on the Play Store.
To be fair, Google Play Services makes it clear to users that it collects certain data for security and fraud prevention purposes. However, it is largely unclear why data collection includes the content of messages and call logs.
Many of the best Android phones, including the Samsung Galaxy S22 series and Google Pixel, come preloaded with the Google Messages app. The Phone app, meanwhile, is the default dialer app on many models from Chinese brands such as Xiaomi and Realme.
This means that both apps are installed on millions of devices sold worldwide. Given the sheer size of their reach, the recent results should be a major privacy concern for the people who use these apps.
Leith provided Google with a list of recommendations for changes, including adding app privacy policies to both apps that clearly explain what data is being collected and why.
Google has so far implemented six of Leith’s nine recommendations. This includes adding a link to Google’s consumer privacy policy. But there is more work to be done.