Google recovers your SMS without warning and illegally


Google's “Messages” and “Phone” applications, installed on more than a billion smartphones, record user activity and send this data to the firm's servers. Users are not informed of this collection, which reportedly does not comply with the GDPR, and have no way to object to it.

Android users are used to alerts about fake apps that collect their data. This time, however, it is two legitimate apps pre-installed on recent versions of Android that send personal information to Google...

The problem was discovered by Douglas Leith, professor of computer science at Trinity College Dublin. Two Google applications are involved, namely Messages (com.google.android.apps.messaging) and Phone (com.google.android.dialer).


With each text message sent or received, Messages sends a report to Google that includes the time and a digital fingerprint of the message. This data is transmitted through Google Play's Clearcut logging service as well as the Firebase Analytics service.

Google can cross-reference the information to identify the sender and the recipient

The app uses the SHA-256 hash function to create a truncated fingerprint, which is supposed to avoid revealing the contents of the message. However, this would be enough for Google to make the link between the sender and the recipient.
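The linkage described above, as an added illustration that is not code from the study or from Google: two handsets that hash the same text report the same fingerprint, so a server can pair sender and recipient without ever seeing the message. The truncation length, report fields, device names and the per-device keyed variant shown for contrast are all assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

TRUNCATE_BYTES = 16  # assumed length; the article only says the hash is truncated

def fingerprint(message, device_key=None):
    """Truncated SHA-256 of the text; HMAC-SHA-256 when a per-device key is given."""
    data = message.encode("utf-8")
    if device_key is None:
        digest = hashlib.sha256(data).digest()
    else:
        digest = hmac.new(device_key, data, hashlib.sha256).digest()
    return digest[:TRUNCATE_BYTES].hex()

# Constructed events: (device, direction, message text, unix time in seconds).
EVENTS = [
    ("device-A", "sent", "Running late, see you at 8", 1000),
    ("device-B", "received", "Running late, see you at 8", 1003),
    ("device-C", "sent", "Invoice attached", 1010),
    ("device-D", "received", "Invoice attached", 1012),
    ("device-E", "received", "ok", 5000),  # sender's handset sends no report
]

def build_reports(events, keyed=False):
    """What the server would receive: device, direction, time and fingerprint only."""
    reports = []
    for device, direction, text, ts in events:
        # Stand-in for a random secret that never leaves the handset (assumption).
        key = ("secret-" + device).encode() if keyed else None
        reports.append({"device": device, "direction": direction,
                        "ts": ts, "fp": fingerprint(text, key)})
    return reports

def link_pairs(reports, max_delay=120):
    """Join 'sent' and 'received' reports that share a fingerprint within max_delay s."""
    by_fp = defaultdict(list)
    for r in reports:
        by_fp[r["fp"]].append(r)
    pairs = []
    for group in by_fp.values():
        for s in (r for r in group if r["direction"] == "sent"):
            for d in (r for r in group if r["direction"] == "received"):
                if s["device"] != d["device"] and 0 <= d["ts"] - s["ts"] <= max_delay:
                    pairs.append((s["device"], d["device"]))
    return sorted(pairs)

if __name__ == "__main__":
    print("unkeyed:", link_pairs(build_reports(EVENTS)))
    print("keyed:  ", link_pairs(build_reports(EVENTS, keyed=True)))
```

With the plain hash, both constructed conversations are paired; with a key that differs per device, the fingerprints no longer match across handsets and the join returns nothing.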

The Phone application sends similar reports, with the time and duration of calls received or made. In addition, when protection against unwanted calls is activated, which is the case by default, the device also transmits the calling number to Google servers.

Graph on the link between the data collected and the real identity, via an Android ID, linked to the identifiers of the device and the SIM card, as well as to the Google account, itself linked to the telephone number and bank cards.

Both apps also send detailed information about their usage, such as when the user posts a message or searches their conversations. Google does not inform the user of the data collection at any time and does not offer any means of opposing it.

The professor also questions the applications' compliance with the General Data Protection Regulation (GDPR). According to him, this collection would not respect the three basic principles of anonymity, consent and legitimate interest.

Particularly opaque operation

After these issues were reported to Google, the firm responded with some changes. Users will be notified that they are using a Google application, with a link to the privacy policy. Messages will no longer collect the sender number, the SIM card ICCID, or the SMS fingerprint.

Both apps will no longer log call-related events in Firebase Analytics. Data collection will use a temporary ID rather than the permanent Android ID. Finally, Google will more explicitly notify users when the spam call protection feature is activated, and is currently investigating how to use less information or more anonymous data.

The professor also said Google plans to add an opt-out option to Messages. However, this would not cover what the firm considers to be “essential” data. This is one of the first studies on the personal data transmitted by Google Play services, which remain largely opaque and could hide many other surprises...


