Don’t worry, no one’s reading your texts
In recent years, tech giants and other companies have come under scrutiny over how they collect and use user data. Google itself has focused on making privacy improvements to its products and services in response. However, it looks like its efforts did not go far enough. A new research paper reveals that Google's Messages and Dialer/Phone apps have been collecting and sending scrambled user data to its servers, potentially violating the European Union's GDPR.
Douglas Leith, a computer science professor at Trinity College Dublin, claims in his paper "What Data Do The Google Dialer and Messages Apps on Android Send to Google?" that Google's Messages and Dialer apps have been sending data to the company's servers without obtaining explicit user consent. More specifically, these apps collect information about user communications, including a SHA-256 hash of the messages and their timestamp, phone numbers, incoming and outgoing call logs, call duration, and length. This is then shared with Google's servers using the Google Play Services Clearcut logger service and the Firebase Analytics service. The data helps the company link the message sender and receiver and/or the two devices in the call, enabling features like spam filtering and business caller IDs.
While only a 128-bit value of the message hash is shared with Google's server, Leith believes that for short texts, it is possible to reverse the hash to reveal the message content. "I’m told by colleagues that yes, in principle this is likely to be possible," Leith told The Register. "The hash includes a hourly timestamp, so it would involve generating hashes for all combinations of timestamps and target messages and comparing these against the observed hash for a match – feasible I think for short messages given modern compute power." However, we haven't seen any hard evidence of anyone actually reversing these hashes; this is just hearsay.
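Leith's reasoning about why hashing a short text does not hide it can be shown on constructed data; this is an added example, not code from the paper or from Google's apps. The way the timestamp and text are combined, which 128 bits are kept, the candidate list and the keyed (HMAC) variant shown for contrast are all assumptions, since the article does not describe the apps' actual construction.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample data: a few common short replies and a one-week window.
CANDIDATES = ["ok", "yes", "no", "on my way", "call me"]
WINDOW_START = datetime(2022, 3, 20, tzinfo=timezone.utc)
WINDOW_HOURS = 7 * 24


def _payload(message: str, when: datetime) -> bytes:
    # Assumed encoding: hour-truncated Unix time, a separator, then the text.
    hour = when.replace(minute=0, second=0, microsecond=0)
    return f"{int(hour.timestamp())}|{message}".encode()


def log_token(message: str, when: datetime) -> bytes:
    """Unkeyed SHA-256 of timestamp + text, truncated to 128 bits."""
    return hashlib.sha256(_payload(message, when)).digest()[:16]


def keyed_token(key: bytes, message: str, when: datetime) -> bytes:
    """Same fields under HMAC with a secret the log recipient never sees."""
    return hmac.new(key, _payload(message, when), hashlib.sha256).digest()[:16]


def dictionary_match(observed: bytes, candidates, start: datetime, hours: int):
    """Recompute log_token for every (hour, candidate) pair; return the match or None."""
    for h in range(hours):
        when = start + timedelta(hours=h)
        for msg in candidates:
            if hmac.compare_digest(log_token(msg, when), observed):
                return msg, when
    return None


if __name__ == "__main__":
    sent = datetime(2022, 3, 21, 14, 37, tzinfo=timezone.utc)
    args = (CANDIDATES, WINDOW_START, WINDOW_HOURS)
    # 168 hours x 5 candidates = 840 hashes to test: trivial work.
    print(dictionary_match(log_token("on my way", sent), *args))
    # A text outside the candidate list is not recovered.
    print(dictionary_match(log_token("gate code is 7Q-rain-42", sent), *args))
    # With a device-held key, the same search finds nothing.
    key = b"constructed-device-secret"
    print(dictionary_match(keyed_token(key, "on my way", sent), *args))
```

The search cost is the number of candidate texts times the number of hours considered, which is why the concern applies to short, predictable messages rather than to long or unusual ones.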
The research paper further highlights that neither Google app features a privacy policy explaining what data is being collected, something the company itself requires from third-party apps on the Play Store. In fact, the information is not even made available for download when one uses Google Takeout to export the data associated with their account. Google Play Services does inform users that some data is collected for security and fraud prevention, but there's no explanation of why exactly message content and call info are collected.
The Google Messages app is installed on millions of Android devices worldwide, including the Samsung Galaxy S22 series. The Phone app is also the default dialer app on smartphones from manufacturers like Xiaomi, Realme, and Motorola, so this is a major privacy oversight. Going by Google's previous track record, though, the company could have intentionally avoided obtaining user consent and hidden information on the data it was collecting.
Leith first detailed his findings to Google in November last year, which is also why he had to delay posting his paper publicly. He recommended the following changes to Google, out of which six have already been implemented:
Google has provided an explanation of some of its data collection practices:
There's still no clarity on whether the Google apps adhere to the GDPR or whether they have been violating it so far. It is possible that the company will now be subjected to a GDPR investigation and slapped with a fine if the apps are found in violation.
Expanded Google statement
A Google spokesperson has reached out to us, hoping to offer a little more insight into its privacy practices here:
We’re committed to compliance with Europe’s privacy laws and apply strict privacy protections to data collected via our Dialer and Messages apps.
Both Dialer and Messages use limited amounts of data for highly specific purposes that allow us to diagnose and resolve product functionality issues and ensure message delivery is consistently reliable. These technical logs are not – and were never – used for targeting ads and were protected by strict internal access controls.
Phone numbers and hashed SMS related data within Messages were only used in technical logs to debug app service issues. Phone numbers that were not saved in a user’s contact list are only used by Dialer to guard users against unwanted spam calls.
We hear you — our initial title didn't fit the story, making the matter appear more dire than it is. We've updated the title to be more accurate and adjusted parts of the story. Thanks, everyone who commented!
Rajesh Pandey started following the tech field right around the time Android devices were going mainstream. He closely follows the latest development in the world of smartphones and what the tech giants are up to. He loves to tinker around with the latest gadgets to see what they are capable of.