Do Android’s Phone and Messages apps send information to Google without your knowledge?

February 28 Douglas Leith, lecturer in computer science at Trinity College Dublin, he published an article entitled “What Data Do The Google Dialer and Messages Apps On Android Send to Google?“ie “What data does the Google Phone and Messages app, pre-installed on Android, send to Google itself?”.
The answer should be “none”. Or rather, “no one, without the user’s consent.”
However, according to this article, some data seems to be actually sent to Google, without you realizing it.

Google and privacy: Douglas Leith’s research

The article, which you can find here in full version, explains what Professor Douglas Leith discovered: the Phone and Messages apps, present on millions of Android devices, it seems they send a lot of information to Google’s servers, including times and recipients of messages and call log. This data is shared with Google Play Services Clearcut and Firebase Analytics and allows you to associate sender and recipient.

Okay, that said it doesn’t actually seem like a huge privacy issue.
Leigh however explained to The Register that there is the possibility that the data related to the messages, especially if the content is short, can be decrypted, thus allowing you to read the contents of this SMS.
Neither the Phone app nor the Messages app has a privacy policy that illustrates how and what data is shared with Big G. It is therefore necessary to refer to that of Google Play Services which, however, does not seem to explain why the American giant collects the information. linked to messages and calls.

Douglas Leith was directly looking for some answers, and he reported his search to Google e suggested the following changes to the Mountain View company, six of which have already been made:

The data collected by the Phone and Messages apps and the specific purpose for which they are collected should be clearly indicated in the privacy policy of both applications;

The privacy policy of the apps should be easily accessible to users and viewable without first having to accept other terms and conditions (e.g. those of Google Chrome). Viewing the privacy policy should not involve the collection and tracking of data before the user has given his consent.

The data concerning the interactions with an app – for example, the screens viewed, the buttons clicked, the actions such as sending, receiving and viewing messages and calls – are different from those concerning the telemetry of the app itself, such as energy consumption , memory usage, UI slowdown. Users should be able to refuse the collection of data related to the interaction.

The data related to the interactions that are collected by Google should be accessible to users, using the portal https://takeout.google.com which already allows them to download other information related to their Google account.

When collecting telemetry data such as battery drain and memory usage, the data should be associated with short-lived identifiers, not long-lived identifiers like Android ID.

During data collection, timestamps should be coarse, for example rounded to the nearest hour. The current approach, which involves millisecond precision, risks providing too many indications. It would be better to use a histogram linked to the time of connection to the network, which would still allow to identify any problems.

Stop the collection of the sender’s phone number through the source of the CARRIER_SERVICES register when a message is received and stop the collection of the ICCID of the SIM by Google Messages when the aforementioned SIM is inserted into the smartphone. Stop collecting the message text hash.

The current spam protection and detection system sends incoming call data to Google’s servers. It would be advisable to change the approach, for example the one used by the Google antiphising system, which provides for the upload of only a part of the data.

A user’s decision not to share usage and diagnostic data should be respected.

Google’s answer

Google has provided some information regarding this data collection. Specifically, the company explained that the message hash is used to detect any bugs while phone numbers are for recognize all those SMS that contain the codes that we need to authorize operations ranging from access to an account to a bank transfer.

The US company also explained that the data relating to the ICCID (Integrated Circuit Card-Identity), that is the 19-digit code that uniquely identifies the SIM, is used to support Google Fi, Google’s telecommunications service.
Finally, events logged and shared with Firebase Analytics are used for understand the effectiveness of those promotions that invite you to download an app. Specifically, they allow you to know if the suggested application has actually been downloaded and then used.

“We welcome collaborations – and feedback – from academia and researchers, including those from Trinity College. We have worked constructively with that team taking into account their suggestions and will continue to do so, ”explains a spokesperson for Google.