Google apps pre-installed on Android smartphones send data to Google without user consent

Researchers report that the Google messaging app 'Google Messages' and the Google calling app 'Google Dialer', which are installed by default on many Android smartphones, collect and send data to Google without any 'notification to users and specific consent'. This may violate the EU General Data Protection Regulation (GDPR) because users lack control over the data that is collected and transmitted.

What Data Do The Google Dialer and Messages Apps On Android Send to Google? (PDF file)

Messages, Dialer apps sent text, call info to Google • The Register

A paper published by Douglas Reese, a professor of computer science at Trinity College Dublin in Ireland, points out that Google's text messaging app 'Messages' and its calling app 'Google Phone App', both of which are Android system apps, send data to the data collection service of Google Play Services and to the Firebase Analytics service.

'The data sent by Messages contains a hash of the message text, which allows the sender and the recipient in a message exchange to be linked,' Reese said in the paper. 'The data sent by Phone by Google includes the time the call started and the duration of the call, allowing the two devices making the call to be linked, and the phone number is also sent to Google.'

Although the hash sent by the 'Messages' app is designed to be difficult to reverse, it is not impossible to recover part of the message content when the message is short.
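The linking and partial-recovery concerns described above can be checked in a few lines when assessing a telemetry design. This is an added example, not code from the paper or from Google; the unsalted SHA-256 hash, the per-device HMAC alternative, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def plain_hash(text: str) -> str:
    # Assumption: unsalted SHA-256 stands in for the app's hash; the article
    # does not describe the real construction.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def keyed_hash(text: str, device_key: bytes) -> str:
    # Hypothetical mitigation: HMAC under a key that never leaves the device.
    return hmac.new(device_key, text.encode("utf-8"), hashlib.sha256).hexdigest()

def link_parties(records):
    """Group (device, role, digest) records; digests seen on 2+ devices link them."""
    seen = {}
    for device, role, digest in records:
        seen.setdefault(digest, set()).add(device)
    return [sorted(devs) for devs in seen.values() if len(devs) > 1]

def recover_text(digest, candidates, hash_fn):
    """Return the candidate whose hash equals digest, or None."""
    for text in candidates:
        if hmac.compare_digest(hash_fn(text), digest):
            return text
    return None

# Constructed sample data, not taken from the paper or from real telemetry.
MESSAGE = "on my way"
SHORT_REPLIES = ["yes", "no", "ok", "on my way", "call me later"]

def assess_plain():
    records = [("device-A", "sent", plain_hash(MESSAGE)),
               ("device-B", "received", plain_hash(MESSAGE))]
    return link_parties(records), recover_text(records[0][2], SHORT_REPLIES, plain_hash)

def assess_keyed():
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    records = [("device-A", "sent", keyed_hash(MESSAGE, key_a)),
               ("device-B", "received", keyed_hash(MESSAGE, key_b))]
    # The collector holds neither key, so it can only try the unkeyed hash.
    return link_parties(records), recover_text(records[0][2], SHORT_REPLIES, plain_hash)

if __name__ == "__main__":
    print("plain SHA-256:", assess_plain())
    print("per-device HMAC:", assess_keyed())
```

With the unkeyed hash, the collector sees the same digest from both devices and can match it against a small list of common replies; with per-device keys, neither holds, which is why a bare hash of low-entropy text should be treated as personal data rather than as anonymized data.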

Because 'Messages' and 'Google Phone App' are Google apps, they come pre-installed on more than 1 billion Android smartphones sold worldwide. Reese points out that these pre-installed apps lack the 'app-specific privacy policy that describes what data is collected' that Google requires from third-party developers. In addition, when the data associated with the Google account used for the test was requested through Google Takeout, the data Google provided did not include the data that had been collected.

For Google Play Services, the system app that keeps pre-installed apps on Android up to date, Google explains that Google apps collect some data in order to provide services such as security measures, fraud prevention, maintenance of the Google Play Services API and core services, and synchronization of bookmarks and contacts. However, it does not explain the collection of data such as message content, sender and recipient, call duration, and the caller and called party, and there appears to be no way for users to refuse this collection. 'I was surprised to see this data collected by these Google apps,' Reese said.

Mr. Reese disclosed the findings to Google in November 2021, and after several discussions with the engineering director in charge of the 'Messages' app, Google appears to have agreed to the following changes.

- Improve the app flow so that users are notified that it is a Google app and are given a link to the consumer privacy policy.
- Stop collecting data such as the caller's phone number in 'Google Phone App' and the hash of the message text in 'Messages'.
- Stop recording call-related events with Firebase Analytics in both 'Google Phone App' and 'Messages'.
- When collecting telemetry data, stop linking it to the Android ID, which is a permanent identifier unique to each Android device, and switch to an identifier with as short a validity period as possible.
- Clarify when caller ID and spam protection are enabled and how they can be disabled, and consider ways to use more anonymous data to increase user security.

A Google spokeswoman told The Register that the interaction with Mr. Reese was as described in the paper. 'We welcome partnerships with, and feedback from, Trinity College scholars and researchers. We have worked constructively with Mr. Reese's team to address their comments, and we will continue to do so,' the spokeswoman said.

The paper also points out that this series of data collection practices may violate the GDPR, but states that legal conclusions are outside the scope of its analysis. Google also says it will introduce a way for users to opt out of data collection, but this opt-out does not turn off data collection that Google considers 'essential', so some data may continue to be collected even after a user chooses to opt out.

Regarding Google Play Services, Reese said, 'The log data sent to Google Play Services often contains an Android ID that is linked to an individual's identity, so the data is not anonymous,' and 'I don't really know what data is being sent by Google Play Services, or for what purpose.'

in Mobile, Software, Security, Posted by log1h_ik