“Messages” and “Phone” in Android spy on users and save logs

Google Messages and Google Dialer, known locally as Messages and Google Phone, send user communications data to Google Play Services Clearcut and Google Firebase Analytics. Douglas Leith, a professor of computer science at Trinity College Dublin, came to this conclusion in his study, reports The Register.

“The data sent by Messages includes a hash of the message text, allowing the sender and recipient to be linked in a message exchange,” the document says. “The data sent by Google Phone includes the time and duration of the call, which again makes it possible to link the two phones involved in the call. Phone numbers are also sent to Google.”

In addition, applications collect the time and duration of interaction with them, and the developers do not offer any way to opt out of this.

The Messages app generates a SHA256 hash based on the content of the messages and the timestamp, and then passes part of it, namely a 128-bit truncated value, to Google Play Services Clearcut and Google Firebase Analytics. The hashes are generated in such a way that they are difficult to reverse, but Leith is sure that some of them can still be cracked and part of the message can be recovered.

“Colleagues told me that yes, in principle, it is possible. The hash includes an hour timestamp, so this would have to generate hashes for all combinations of timestamps and target messages, and then compare them to the observed hash for a match – I think this is feasible for short messages, given modern computing power,” Leith stated.
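The following Python sketch is an added example, not code from the study or from Google. It shows why a truncated hash of a short text plus an hour-granularity timestamp does not hide the text from whoever receives the log, and goes one step beyond the article by contrasting it with a keyed hash. The input layout, the candidate list, the dates and the key are all constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

def hour_bucket(ts):
    # The article says the hash includes an hour timestamp: drop minutes and seconds.
    return ts.replace(minute=0, second=0, microsecond=0)

def encode(text, ts):
    # ASSUMED input layout "<epoch seconds of the hour>|<text>"; the real one is not on the page.
    return f"{int(hour_bucket(ts).timestamp())}|{text}".encode("utf-8")

def log_hash(text, ts):
    # SHA-256 truncated to 128 bits (16 bytes), as the article describes.
    return hashlib.sha256(encode(text, ts)).digest()[:16]

def keyed_log_hash(key, text, ts):
    # Hypothetical alternative: HMAC under a secret the log recipient never sees.
    return hmac.new(key, encode(text, ts), hashlib.sha256).digest()[:16]

def candidates_matching(observed, texts, start, hours):
    # Hash every (hour, candidate text) pair and keep those equal to the logged value.
    matches = []
    for h in range(hours):
        ts = start + timedelta(hours=h)
        for text in texts:
            if hmac.compare_digest(log_hash(text, ts), observed):
                matches.append((text, hour_bucket(ts)))
    return matches

def search_space(alphabet_size, max_len, hours):
    # Hashes needed to cover every text of 1..max_len symbols in every hour of the window.
    return hours * sum(alphabet_size ** n for n in range(1, max_len + 1))

# Constructed sample data, not taken from the study.
SENT_AT = datetime(2022, 3, 21, 14, 37, tzinfo=timezone.utc)
WINDOW_START = datetime(2022, 3, 21, tzinfo=timezone.utc)
COMMON_TEXTS = ["ok", "yes", "no", "on my way", "call me", "running late"]
DEVICE_KEY = b"constructed-device-local-secret"

if __name__ == "__main__":
    logged = log_hash("on my way", SENT_AT)
    print(candidates_matching(logged, COMMON_TEXTS, WINDOW_START, 24))
    keyed = keyed_log_hash(DEVICE_KEY, "on my way", SENT_AT)
    print(candidates_matching(keyed, COMMON_TEXTS, WINDOW_START, 24))
    print(search_space(26, 4, 24))
```

The unkeyed value matches exactly one candidate and hour, while the keyed value matches none, because the enumeration cannot be run without the device secret. The last figure shows how small the search space is for four-letter lowercase texts over one day.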

“Google Phone” also registers incoming and outgoing calls, as well as the time and duration.

In the study, Leith notes that Google Play Services discloses that some data is collected for security and fraud prevention purposes, to operate the Google Play Services API and core services, and to provide Google services such as bookmark and contact sync. However, it does not detail or explain the collection of data about the content of messages or about callers and recipients of calls. As the article notes, “there are few details about the data actually collected.”

The problem is not so much the surveillance itself as the fact that Google does not report it properly. Although they are preinstalled on many smartphones (including new ones from Samsung, Xiaomi and even Huawei), these applications do not display a privacy policy (although this is required of third-party applications), and according to European law it should be possible to opt out. Instead, the apps' pages on Google Play link to Google's general privacy policy for users, which is not specific to the application and whose existence may not be at all obvious in the case of pre-installed applications.

Leith said he briefed the corporation on his findings last November, after which he had several conversations with Messages’ CTO about the proposed changes. The company confirmed this to The Register. In his research paper, the professor made 9 recommendations, 6 of which Google has already implemented or plans to implement. They include:

  • reviewing the app onboarding process so that users are notified that they are using a Google app and have a link to Google’s privacy policy;
  • stopping the collection of the sender’s phone number in the source of the CARRIER_SERVICES log, 5 SIM ICCID and the hash of the text of the sent/received message in Google Messages;
  • stopping the logging of call-related events to Firebase Analytics from Google Dialer and Messages;
  • switching telemetry collection to use the least durable ID where possible, instead of tying it to the user's permanent Android ID;
  • explaining when caller ID and spam protection are enabled and how they can be disabled, and considering using less or fuzzy information for security features.

Source: Trash Box
