Google’s Phone Apps Are Quietly Leaking Your SMS Messages And Call Logs

According to a new research paper, Google’s Messages and Phone apps have been collecting user data and sending it to the company’s servers without notifying users or obtaining their consent, potentially violating the European Union’s General Data Protection Regulation (GDPR).

Douglas Leith, a computer science professor at Trinity College Dublin, claims in his paper titled “What Data Do The Google Dialer and Messages Apps on Android Send to Google?” that Google’s Messages and Dialer apps have been sending data to the company’s servers without obtaining explicit user consent.

More specifically, these apps collect information about user communications, including a SHA-256 hash of the messages and their timestamp, phone numbers, incoming and outgoing call logs, and call durations. This is then sent to the company’s servers using the Google Play Services Clearcut logger service and the Firebase Analytics service. The data helps the company link the message sender to the receiver, or the two devices involved in a call.

While only a 128-bit value of the message hash is shared with Google’s server, Leith believes that for short texts, it is possible to reverse the hash to reveal the contents of the text. However, for now, this is just an assumption and there’s no solid proof of concept.
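The concern about short texts can be seen with a small added example (not code from the paper or from Google): a 128-bit truncated SHA-256 of a short message drawn from a small vocabulary can be matched by hashing candidates, while a digest keyed with a secret the collector never sees cannot. The vocabulary, the function names, and the choice to hash the message text alone are assumptions made here; the page does not give the apps' exact hash input.

```python
import hashlib
import hmac
import itertools
import os

# Constructed sample vocabulary; real short texts come from a larger but still
# enumerable space, which is the point the article attributes to Leith.
VOCAB = ["ok", "yes", "no", "call", "me", "later", "home", "on", "my", "way"]


def truncated_digest(text: str) -> bytes:
    """SHA-256 of the text, keeping only the first 128 bits (16 bytes).
    Assumption: the text alone is hashed; the real input format is not on the page."""
    return hashlib.sha256(text.encode("utf-8")).digest()[:16]


def keyed_digest(key: bytes, text: str) -> bytes:
    """Mitigation sketch: HMAC-SHA-256 under a per-device secret, same truncation."""
    return hmac.new(key, text.encode("utf-8"), hashlib.sha256).digest()[:16]


def candidate_texts(words, max_words):
    """Every space-joined sequence of 1..max_words vocabulary words."""
    for n in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=n):
            yield " ".join(combo)


def recover(observed: bytes, words, max_words=3):
    """Return the candidate whose unkeyed truncated hash equals `observed`, else None.
    Truncating to 128 bits does not help: the search is over inputs, not outputs."""
    for text in candidate_texts(words, max_words):
        if hmac.compare_digest(truncated_digest(text), observed):
            return text
    return None


if __name__ == "__main__":
    device_key = os.urandom(32)  # never leaves the device in this sketch
    print(recover(truncated_digest("on my way"), VOCAB))          # short text: matched
    print(recover(truncated_digest("x9!q long odd text"), VOCAB))  # outside the space
    print(recover(keyed_digest(device_key, "on my way"), VOCAB))   # keyed: no match
```

The search covers only 1,110 candidates here; what protects a message is the unpredictability of the input (or a secret key), not the hash function or its output length.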

The research paper further highlights that neither Google app clearly mentions the collection of data via third-party apps in its privacy policy. In fact, the information is not even made available for download when one uses Google Takeout to export the data associated with their account. While Google Play Services does inform users that some data is being collected for security and fraud prevention, there’s no explanation of why exactly this data is being collected.

Given that the Google Messages app is installed on millions of Android devices worldwide, with the Phone app being the default dialer on many smartphones from manufacturers like Xiaomi, Realme, and Motorola, this is a major privacy failure. Going by Google’s previous track record, though, it is likely that the company has intentionally avoided asking for user consent, with the aim of hiding information about the data it was collecting.

Despite all this, there’s still no clarity on whether or not the Google apps are violating the GDPR. It is possible, however, that the company will now be subjected to a GDPR investigation and slapped with a fine.
