According to a new paper, Google’s Messages and Phone applications collect and send user data to the company’s servers without user consent, very possibly breaking privacy rules such as Europe’s GDPR or similar regulations in other countries.
Given that the Phone and Messages applications are installed by default on millions of Android devices, this serious breach of privacy is, at the very least, a huge oversight by Google.
Trinity College professor Douglas J. Leith claims in his paper “What Data Do The Google Dialer and Messages Apps On Android Send to Google?” that the Messages and Dialer apps send data to Google without user authorization.
Google Messages sends information such as the time the message was received or delivered, a truncated hash of the message content, and the sender’s phone number. The same is true for Google Dialer: the data includes the time and length of the call.
Professor Leith stated that:
“The hash includes an hourly timestamp, so it would involve generating hashes for all combinations of timestamps and target messages and comparing these against the observed hash for a match – feasible I think for short messages given modern computer power.”
The researcher said that the data transferred to Google is “tagged with the handset Android ID.” The ID is connected to Google user accounts and hence the user’s identity.
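Why a hash of a short message offers little privacy, and what a keyed digest changes, as an added example that is not code from the paper or from Google. The digest construction (SHA-256 over an hour bucket plus the message text, truncated to 16 bytes), the candidate list, the date and the device key are assumptions constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

TRUNC_BYTES = 16  # assumed truncation length, not taken from the paper


def hour_bucket(ts):
    """Round a timestamp down to the hour and return it as epoch seconds."""
    return int(ts.replace(minute=0, second=0, microsecond=0).timestamp())


def unkeyed_digest(message, ts):
    """Assumed scheme: truncated SHA-256 over hour bucket + message text."""
    data = f"{hour_bucket(ts)}|{message}".encode()
    return hashlib.sha256(data).digest()[:TRUNC_BYTES]


def keyed_digest(message, ts, device_key):
    """Mitigation: HMAC keyed with a secret that never leaves the handset."""
    data = f"{hour_bucket(ts)}|{message}".encode()
    return hmac.new(device_key, data, hashlib.sha256).digest()[:TRUNC_BYTES]


def match_candidates(observed, candidates, start, hours, digest_fn):
    """Return (message, hour) pairs whose digest equals the observed value."""
    hits = []
    for h in range(hours):
        ts = start + timedelta(hours=h)
        for msg in candidates:
            if hmac.compare_digest(digest_fn(msg, ts), observed):
                hits.append((msg, ts))
    return hits


def demo():
    # All values below are constructed sample data.
    sent_at = datetime(2022, 3, 21, 14, 37, tzinfo=timezone.utc)
    day_start = datetime(2022, 3, 21, tzinfo=timezone.utc)
    candidates = ["ok", "yes", "no", "on my way", "call me"]
    device_key = b"\x01" * 32
    logged = unkeyed_digest("on my way", sent_at)
    protected = keyed_digest("on my way", sent_at, device_key)
    # A log recipient knows the public digest function but not device_key.
    open_hits = match_candidates(logged, candidates, day_start, 24, unkeyed_digest)
    keyed_hits = match_candidates(protected, candidates, day_start, 24, unkeyed_digest)
    return open_hits, keyed_hits
```

With the unkeyed digest, 24 hour buckets times five candidates is enough to recover both the text and the hour it was sent; the keyed digest yields no match without the handset's secret.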
According to The Register, Google confirmed on Monday that the paper’s representations about its interactions with Leith are accurate. The company stated, “We welcome partnerships – and feedback – from academics and researchers, including those at Trinity College,” and added, “We’ve worked constructively with that team to address their comments, and will continue to do so.”
What’s worse still is that there is no opt-out mechanism in place to prevent the data from being transmitted to Google.
Android users can install alternative apps that provide the same functionality as the Dialer and Messages apps. Tech-savvy users may even opt to install a privacy-oriented operating system, such as GrapheneOS (compatible with Google Pixel phones), or other, more customizable, open-source operating systems.