Douglas Leith, a computer science professor at Trinity College Dublin, released a paper disclosing the data collection by the two Google-owned applications. In the paper he shows how these two applications collect and send information that would allow positive identification of the handset involved, and that may also allow recovery of information inside a tracked message if the message is short enough.
“The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange,” and, of the phone app, “The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google.”
The Messages and Phone apps are the defaults pushed by many carriers, including AT&T and T-Mobile, on Android phones. The use of other messaging applications like Signal, Telegram and others is becoming more popular and is sure to skyrocket after these revelations. However, when it comes to the phone dialer app, the use of a third-party application can impact functionality. On some services, like AT&T, it can prevent the use of video calling, which pushes the user back to the default option.
This push as the default option, combined with no opt-out method, is exceptionally underhanded and seems intentional. Leith’s paper and other reporting also found there is no mention of this data collection in the privacy statements for the apps or in the general privacy statement from Google. This combination of factors would seem to be at odds with GDPR and other private data collection regulations. It is likely that we will see Google get hit with further fines and other penalties now that this has been revealed.
Google has confirmed that the information in Leith’s paper is accurate and has agreed to implement some changes to how it collects data. They do claim that some data collection is “essential” and will not discontinue that at all. Exactly what counts as essential data, Google has always chosen not to disclose. The paper also points out that the collection includes the Google Android ID, Ad ID and many other personally identifying items that Google tracks to uniquely identify someone. This means there is no anonymity associated with the data collected.
“The data logging that we report here is, for many people, not anonymous since it can be directly linked to their online and real-world identities.”
This type of behavior brings the recent acquisition of Mandiant into question. When we covered the announcement, this type of behavior was part of our concerns around Google ownership of Mandiant’s forensic tools. If Google is willing to quietly collect this type of information with what they have now, how much further will the data collection be extended with a new bag of tricks?