You thought your data was well kept on your android smart phone
and that Google would never indulge in indiscretions? Well, you were wrong. A computer researcher from Trinity College Dublin has discovered that the Mountain View giant uses Android’s Phone and Messages applications to recover important data… without the user’s consent and in complete discretion.
Google may once again come up against European data protection laws. The Register reports this week that Android’s Phone and Messages apps collect and send data to Google, without notifying the user or asking for their prior consent. This sharing of data is also done without the user being allowed to deactivate it, through a setting for example.
Android cheats with your calls and texts
This information comes from work carried out by Professor Douglas Leith, a computer science researcher at the prestigious Trinity College in Dublin. Soberly titled What data do the Google Dialer and Messages apps on Android send to Google?
its study reveals that through the Google Phone and Google Messages applications, data relating to user communications was transmitted to Google’s Play Services Clearcut and Firebase Analytics.
Douglas Leith explains more about the nature of the data shared with Google’s internal services. We learn that they include, in particular, a text hash of the message, which allows the sender and recipient to be linked in an SMS exchange “, while those from the Phone application ” include the time and duration of the call, allowing the two devices engaged in a phone call to be linked “. ” Phone numbers are also sent to Google adds the researcher.
As a reminder, the Messages and Phones applications are installed by default on all Google Pixel devices, but also on most recent Android mobiles. So both are widely used applications… and neither clearly explains what data is collected using them.
These two applications from Google therefore do not apply the rules that Google imposes on applications from third-party developers.
Google admits, and claims to want to fix things
Contacted by The Register About these discoveries, Google indicated that the information shared by Douglas Leith was correct. ” We welcome partnerships – and feedback – from scholars and researchers, including those at Trinity College “said a spokesperson for the group. ” We have worked constructively with this team to address their feedback, and will continue to do so. “, he added.
Douglas Leith is however quite cautious about the changes that Google proposes to make. ” They promise to introduce an option in the Messages app to allow users to opt out of data collection, but that this option will not cover data that Google considers “essential”, i.e. they will continue to collect certain data even if users opt out », he explains.
” In my tests, I had already opted out of accepting data collection for Google, by disabling the “Usage and diagnostics” option in the device settings, and the data I submitted was therefore already considered as essential by Google “.
Another reason for concern for the researcher: the anonymization of this data collected and shared with Google is obviously not there. ” Login data sent by Google Play Services is marked with the Google Android ID, which can often be associated with a person’s real identity – so the data is not anonymous “, he adds.
Long story short, Google is visibly up to speed with GDPR only on the front end.
On the same subject :
Is Google Analytics illegal under the GDPR? Everything you need to know about the CNIL’s decision
Source: The Register
42