Google may need to clarify what data it collects from messages and calls


The data Google collects from its users has been a hot topic for several years now, but a recently reported research paper could prompt further questions, especially regarding messages and phone calls. According to the paper, led by computer science professor Douglas Leith at Trinity College Dublin, the company could be in violation of European GDPR regulations, in particular by sending user data from its Messaging and Dialer/Phone apps to its servers.

What did the research paper find about data in Google Messages and Calling Apps?

According to Mr. Leith, the data that Google collects from messages and calls serves a specific purpose: to help with protective functions such as filtering spam, displaying business caller IDs and other related functions. In addition, the data is hashed with SHA256, and a 128-bit hash value is sent to the servers, so it is effectively encrypted.

In principle, however, according to Mr. Leith, it is possible to recover short texts by inverting the hash, although that hasn’t happened yet. The company also shares the hash with its Google Play Services Clearcut logger service and Firebase Analytics to match the message’s sender, recipient, and devices. But the problem is not necessarily in how the data is transferred or stored.
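Why a hash of a short text offers little protection, shown as an added example that is not code from the article or the research paper: anyone holding the digest can hash every likely message and compare. Assumptions: the 128-bit value is the first 16 bytes of SHA-256 over the text alone, the vocabulary and sample message are constructed, and the keyed variant is a mitigation shown for contrast, not something the article says Google uses.

```python
import hashlib
import hmac
from itertools import product

# Constructed vocabulary: stands in for the small space of likely short texts.
VOCAB = ["yes", "no", "ok", "call", "me", "later", "now", "see", "you", "home"]

def truncated_sha256(text: str) -> bytes:
    """Unkeyed SHA-256 cut to 128 bits (assumed to be the first 16 bytes)."""
    return hashlib.sha256(text.encode("utf-8")).digest()[:16]

def keyed_digest(key: bytes, text: str) -> bytes:
    """HMAC-SHA-256 cut to 128 bits; the key never leaves the device."""
    return hmac.new(key, text.encode("utf-8"), hashlib.sha256).digest()[:16]

def candidate_texts(max_words: int = 3):
    """Every message of 1..max_words vocabulary words (1,110 candidates)."""
    for n in range(1, max_words + 1):
        for words in product(VOCAB, repeat=n):
            yield " ".join(words)

def recover(observed: bytes, hash_fn):
    """Return the candidate whose digest equals `observed`, else None."""
    for text in candidate_texts():
        if hmac.compare_digest(hash_fn(text), observed):
            return text
    return None

def audit():
    """Compare how much a collector learns from each kind of digest."""
    message = "see you later"          # constructed sample text
    device_key = bytes(range(32))      # constructed per-device key
    # Unkeyed digest: the collector can recompute it for every candidate.
    unkeyed = recover(truncated_sha256(message), truncated_sha256)
    # Keyed digest: without the device key, no candidate digest matches.
    keyed = recover(keyed_digest(device_key, message), truncated_sha256)
    return unkeyed, keyed

if __name__ == "__main__":
    unkeyed, keyed = audit()
    print("unkeyed digest resolves to:", unkeyed)
    print("keyed digest resolves to:  ", keyed)
```

A per-device key also prevents matching the same message across devices, so it only suits uses that need comparison within one device.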

The specific data that is collected and the lack of privacy policies describing the data collection appear to be the root of the potential problem. According to Mr. Leith, the collection covers a great many details, including timestamps, phone numbers, incoming or outgoing logs, call duration and message length.

Google's apps, however, don’t have a privacy policy to explain that, even though third-party apps in the Google Play Store do. Users don’t necessarily have access to that information either, because the details don’t show up even when users use a service like Google Takeout to export the data associated with their account. Google Play Services informs users that some data is collected for security and fraud prevention, but there is no explanation as to why exactly message content and call information are collected.

Some of these issues have already been addressed

Mr. Leith reportedly contacted Google about the issues outlined in the research paper late last year, and the company has already started making some changes in line with the paper's recommendations. The search giant has also set out more clearly how it uses the data it collects from messages and calls.

For example, the company says that the message hash is collected to detect bugs that affect the “sequencing” of messages, and that phone numbers are collected to improve “pattern matching for automatic recognition of one-time passwords” sent via RCS. In addition, according to Google, the ICCID data put forward in the report is used solely to “support” Google Fi.

Finally, it says that Firebase Analytics’ event logging does not include phone numbers, and that it is used to measure whether downloaded apps have been downloaded once, basically to measure app download promotions and their effectiveness.

At the time of writing, however, not every point has been addressed, and it remains to be seen whether any regulatory bodies decide to investigate the collection further, as has happened in the past.
