According to a new study, Google’s Messages and Phone apps have been collecting user data and sending it to the company’s servers without warning or consent, potentially in violation of the European Union’s General Data Protection Regulation (GDPR).
In his study titled “What Data Do The Google Dialer and Messages Apps on Android Send to Google?”, Douglas Leith, a computer science lecturer at Trinity College Dublin, asserts that Google’s Messages and Dialer apps were found to be transferring data to the company’s servers without express user agreement.
These apps, in particular, gather information about user communications, such as a SHA-256 hash of the messages and their timestamps, phone numbers, incoming and outgoing call records, and call durations.
The Google Play Services Clearcut logger service and the Firebase Analytics service are then used to share this with the company’s servers.
The information assists the company in connecting the message sender and receiver, or the two devices participating in a call.
Although only a 128-bit value of the message hash is shared with Google, Leith believes that for short texts the hash could be reversed to reveal the text’s contents. However, for the time being, this is only an assumption, and no solid proof of concept exists.
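The concern about short texts comes down to guessability: an unkeyed hash of a low-entropy input can be matched against hashes of candidate inputs. The sketch below is an added illustration, not code from the study or from Google. It assumes the logged value is the first 128 bits of SHA-256 over the message text alone (the exact hash input is not given here), uses a constructed candidate list, and shows a keyed hash for contrast.

```python
import hashlib
import hmac


def truncated_hash(text: str) -> bytes:
    """Assumed construction: first 128 bits of SHA-256 over the UTF-8 text."""
    return hashlib.sha256(text.encode("utf-8")).digest()[:16]


def keyed_hash(text: str, device_key: bytes) -> bytes:
    """Contrast case: HMAC-SHA-256 under a key that stays on the device."""
    return hmac.new(device_key, text.encode("utf-8"), hashlib.sha256).digest()[:16]


def match_candidates(logged: bytes, candidates, hash_fn):
    """Return every candidate text whose hash equals the logged value."""
    return [c for c in candidates if hmac.compare_digest(hash_fn(c), logged)]


# Constructed sample data: a handful of common short replies.
CANDIDATES = ["ok", "yes", "no", "on my way", "call me", "running late"]


def demo():
    message = "on my way"  # constructed message

    # Unkeyed: anyone holding the logged value can hash guesses and compare.
    logged_plain = truncated_hash(message)
    plain_hits = match_candidates(logged_plain, CANDIDATES, truncated_hash)

    # Keyed: without the device key, hashes of the same guesses do not match.
    device_key = bytes(range(32))  # constructed key, held only on the device
    guess_key = bytes(32)          # a log holder's wrong guess at the key
    logged_keyed = keyed_hash(message, device_key)
    keyed_hits = match_candidates(
        logged_keyed, CANDIDATES, lambda c: keyed_hash(c, guess_key)
    )
    return plain_hits, keyed_hits


if __name__ == "__main__":
    print(demo())
```

Truncating to 128 bits does not change the outcome for the unkeyed case, because the match depends on how few plausible messages there are, not on the length of the hash.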
The study paper also points out that the privacy policies for both Google apps do not explicitly reference data collection via third-party apps.
In reality, when one uses Google Takeout to export the data linked with their account, the information is not even made available for download.
While Google Play Services informs users that some data is being collected for security and fraud prevention purposes, there is no explanation as to why this data is being collected.
Given that the Google Messages app is deployed on millions of Android devices around the world, and that the phone app is the default dialer software on many smartphones from manufacturers such as Xiaomi, Realme, and Motorola, this is a serious privacy issue.
However, based on Google’s track record, it’s possible that the firm purposefully skipped obtaining user consent in order to conceal what data it was collecting.
Despite this, it remains unclear if the Google apps are in violation of the GDPR. However, it is probable that the corporation will now be exposed to a GDPR inquiry and fined.