This article has been updated to clarify that Google Messages transmits a partial SHA256 hash, which makes it possible to determine the message content only in the case of short texts.
What you need to know
- A new study found that the Messages and Phone apps were silently sending your text and call information to Google.
- Neither communication app obtained user consent or provided users with an opportunity to opt out, potentially violating the EU GDPR.
- The new findings were disclosed by a computer science professor at Trinity College Dublin.
In what could be another case of a data privacy breach, Google’s Messages and Phone apps were secretly sending your text messages and call logs to their servers.
Google’s messaging and dialer apps collected users’ communication data without informing them (via The Register), according to a research paper published by Douglas Leith, professor of computer science at Trinity College Dublin. In fact, they denied users the opportunity to opt out of data collection.
“The data sent by Google Messages includes the hash of the message text, which allows the sender and receiver to be linked in the exchange of the message,” the paper says. “The data sent by the Google dialer includes the time and duration of the call, again allowing the joining of two handsets engaged in a phone call.”
It should be noted that the Messages app sends only a 128-bit value of the message hash to Google’s servers. Although Leith believes that hashes are difficult to reverse, some of the content can be determined in the case of short messages.
“I’ve been told by coworkers that yes, in theory it’s likely to be possible,” Leith told The Register. “The hash includes an hourly timestamp, so this would involve generating a hash for all combinations of the timestamp and target messages and comparing that with the hashes observed for a match – which I think is possible for the shorter messages given modern compute power.”
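The property described above can be checked in a few lines. This is an added example, not code from the paper or from Google: it shows that an unkeyed, truncated hash over an hourly timestamp and a short text is both linkable across two handsets and matchable against a small candidate list, while a hash keyed with a per-device secret is neither. The `<hour>|<text>` input layout, the candidate list and the dates are constructed assumptions, since the article does not give the real encoding, and the keyed variant is a common mitigation shown for contrast.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

def hour_bucket(ts):
    # Hourly timestamp: everything below the hour is discarded.
    return ts.strftime("%Y-%m-%dT%H")

def unkeyed_hash(text, ts):
    # ASSUMED layout "<hour>|<text>"; SHA-256 truncated to 128 bits (16 bytes).
    return hashlib.sha256(f"{hour_bucket(ts)}|{text}".encode()).digest()[:16]

def keyed_hash(text, ts, key):
    # Mitigation sketch: HMAC-SHA256 under a secret that never leaves the handset.
    return hmac.new(key, f"{hour_bucket(ts)}|{text}".encode(), hashlib.sha256).digest()[:16]

def matches(observed, candidates, start, hours, hash_fn):
    # Enumerate every (hour, candidate text) pair and keep those equal to the logged value.
    hits = []
    for h in range(hours):
        ts = start + timedelta(hours=h)
        hits += [(text, hour_bucket(ts)) for text in candidates
                 if hmac.compare_digest(hash_fn(text, ts), observed)]
    return hits

# Constructed sample data, not taken from the paper.
CANDIDATES = ["ok", "yes", "no", "on my way", "call me"]
DAY_START = datetime(2022, 3, 21, tzinfo=timezone.utc)
SENT = DAY_START + timedelta(hours=14, minutes=37)
RECEIVED = DAY_START + timedelta(hours=14, minutes=38)

def audit():
    logged = unkeyed_hash("on my way", SENT)
    sender_key, receiver_key, guess_key = (secrets.token_bytes(32) for _ in range(3))
    protected = keyed_hash("on my way", SENT, sender_key)
    return {
        "linkable": logged == unkeyed_hash("on my way", RECEIVED),
        "recovered": matches(logged, CANDIDATES, DAY_START, 24, unkeyed_hash),
        "keyed_linkable": protected == keyed_hash("on my way", RECEIVED, receiver_key),
        "keyed_recovered": matches(protected, CANDIDATES, DAY_START, 24,
                                   lambda t, ts: keyed_hash(t, ts, guess_key)),
    }

if __name__ == "__main__":
    for name, value in audit().items():
        print(name, value)
```

Truncating to 128 bits does not help here, because the search space is set by the number of plausible short messages and hours, not by the digest length.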
Phone numbers, as well as incoming and outgoing call logs, were also collected as part of the process. These pieces of information were then transmitted to Google’s servers through the Google Play Services Clearcut Logger service and the Firebase Analytics service.
To be fair, Google Play Services makes it clear to users that it collects certain data for security and fraud prevention purposes. However, it is largely unclear why data collection includes message content and call logs.
Many of the best Android phones, including the Samsung Galaxy S22 series and the Google Pixel lineup, come preloaded with Google’s Messages app. The Phone app, meanwhile, is the default dialer app on many models from Chinese brands such as Xiaomi and Realme.
This means that both apps are installed on millions of devices sold around the world. Given their vast reach, the latest findings should be a major privacy concern for people using these apps.
Leith presented Google with a list of recommendations for changes, including adding app privacy policies to both apps that clearly state what data is being collected and why.