This article has been updated to make it clear that Google Messages transmits a partial SHA256 hash, making it possible to determine the message content only in the case of short texts.
What you need to know
- A new study found that the Messages and Phone apps were quietly sending your text and call information to Google.
- Both communications apps did not get user consent or offer users the opportunity to opt out, potentially violating the EU's GDPR.
- The new findings were revealed by a computer science professor at Trinity College Dublin.
In what could be yet another case of data privacy violation, Google's Messages and Phone apps were found to be secretly sending your text messages and call logs to its servers.
According to a research paper published by Douglas Leith, a computer science professor at Trinity College Dublin, Google's messaging and dialer apps collected users' communications data without giving them a heads-up (via The Register). In effect, this deprived users of the chance to opt out of data collection.
"The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange," the paper states. "The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call."
It should be noted that Messages only sends a 128-bit value of the message hash to Google's server. However, Leith believes that while hashes are difficult to reverse, some of the content can still be determined in the case of short messages.
"I’m told by colleagues that yes, in principle this is likely to be possible," Leith told The Register. "The hash includes a hourly timestamp, so it would involve generating hashes for all combinations of timestamps and target messages and comparing these against the observed hash for a match – feasible I think for short messages given modern compute power."
Phone numbers, as well as incoming and outgoing call logs, were also collected as part of the process. These pieces of information were then transmitted to Google's servers via the Google Play Services Clearcut logger service and the Firebase Analytics service.
According to the paper, neither Google app has a privacy policy that explains what data it collects. This is, ironically, a strict requirement for third-party apps on the Play Store.
To be fair, Google Play Services makes it clear to users that it collects certain data for security and fraud prevention purposes. However, it's largely unclear why the data collection includes message content and call logs.
Many of the best Android phones, including the Samsung Galaxy S22 series and Google Pixel lineup, come preloaded with Google's Messages app. The Phone app, meanwhile, is the default dialer app on several models from Chinese brands such as Xiaomi and Realme.
This means both apps are installed on millions of devices sold worldwide. Because of the sheer volume of their reach, the latest findings should be a major privacy concern for people who use these apps.
Leith has presented Google with a list of recommendations for changes, including adding app privacy policies to both apps that clearly state which data is being collected and why.
Google has so far implemented six items out of Leith's nine recommendations. These include adding a link to Google’s consumer privacy policy. But more work needs to be done.
