The data Google collects from its users has been a hot topic for several years now, but a recently reported research paper could prompt further questions, especially regarding messages and phone calls. According to the paper, led by computer science professor Douglas Leith at Trinity College Dublin, the company could be in violation of European GDPR regulations, in particular by sending user data from its Messaging and Dialer/Phone apps to its servers.
What did the research paper find about data in Google Messages and Calling Apps?
According to Mr. Leith, Google collects the data from messages and calls for a specific purpose, namely to help with protective functions such as filtering spam, displaying business caller IDs and other related functions. In addition, the data is hashed with SHA256, and a 128-bit hash value is sent to the servers, so it is effectively encrypted.
In principle, however, according to Mr. Leith, it is possible to recover short texts by inverting the hash, although that hasn’t happened yet. The company also shares the hash with its Google Play Services Clearcut logger service and Firebase Analytics to match the message’s sender, recipient, and devices. But the problem is not necessarily in how the data is transferred or stored.
The specific data that is collected and the lack of privacy policies describing the data collection appear to be the root of the potential problem. According to Mr. Leith, the collection covers a great many details, including timestamps, phone numbers, incoming or outgoing logs, call duration and message length.
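The hash-inversion point above can be checked with a short sketch. This is an added example, not code from the research paper or from Google: it assumes the hash covers only the message text and that the 128-bit value is the first 16 bytes of the SHA256 digest, it uses a constructed vocabulary as the space of short texts, and the keyed HMAC variant is an illustrative mitigation, not something the page says Google uses.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed vocabulary standing in for "short texts"; not taken from the paper.
WORDS = ["ok", "yes", "no", "call", "me", "later",
         "on", "my", "way", "home", "see", "you"]

def truncated_sha256(text: str) -> bytes:
    # Assumption: only the UTF-8 text is hashed and the first 16 bytes are kept.
    return hashlib.sha256(text.encode("utf-8")).digest()[:16]

def keyed_digest(key: bytes):
    # Hardened variant: HMAC-SHA256 under a key the observer does not hold.
    def digest(text: str) -> bytes:
        return hmac.new(key, text.encode("utf-8"), hashlib.sha256).digest()[:16]
    return digest

def short_messages(max_words: int = 3):
    # Every message of 1..max_words vocabulary words: a tiny input space.
    for n in range(1, max_words + 1):
        for combo in itertools.product(WORDS, repeat=n):
            yield " ".join(combo)

def recover(observed: bytes, digest_fn, max_words: int = 3):
    """Return the candidate whose digest equals `observed`, or None."""
    for msg in short_messages(max_words):
        if hmac.compare_digest(digest_fn(msg), observed):
            return msg
    return None

def demo():
    message = "on my way"  # constructed sample message
    # Unkeyed hash: the small input space can simply be enumerated.
    plain = recover(truncated_sha256(message), truncated_sha256)
    # Keyed hash: without device_key the same enumeration finds nothing.
    device_key = secrets.token_bytes(32)
    keyed = recover(keyed_digest(device_key)(message), truncated_sha256)
    return plain, keyed

if __name__ == "__main__":
    print(demo())
```

The unkeyed digest is recovered because the input space is small, not because SHA256 is broken; a longer or less predictable text falls outside any enumerable candidate set.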
Some of these issues have already been addressed
Mr. Leith reportedly contacted Google about the issues outlined in the research paper late last year, and the company has already started making some changes in line with the paper's recommendations. The search giant has also set out more clearly how it uses the data it collects from messages and calls.
For example, the company says that the message hash is collected to detect bugs that affect the “sequencing” of messages, and that phone numbers are collected to improve “pattern matching for automatic recognition of one-time passwords” sent via RCS. In addition, according to Google, the ICCID data put forward in the report is used solely to “support” Google Fi.
Finally, it says that Firebase Analytics’ event logging does not include phone numbers, and that it is used to measure whether downloaded apps have been downloaded once, basically to measure app download promotions and their effectiveness.
At the time of writing, however, not every point has been addressed, and it remains to be seen whether any regulatory bodies decide to investigate the collection further, as has happened in the past.