Google's Phone And Messaging Apps Have Been Quietly Collecting User Data, Research Found

Phone by Google app, Messages app, Android

In a digital world ruled by a select few, tech giants and other companies have come under scrutiny over how they collect and use user data.

One of the biggest of them all is Google. The company has responded by focusing on privacy improvements to its products and services. However, new research found that its efforts didn't go far enough.

It was revealed that Google's Messages and Dialer/Phone apps have been collecting user data and sending it to Google's servers.

And they were doing so without showing any notice or obtaining user consent.

Douglas Leith, a computer science professor at Trinity College Dublin, claims in his paper "What Data Do The Google Dialer and Messages Apps on Android Send to Google?" (PDF) that the two Google apps were collecting information about users' communications.

The data include a SHA-256 hash of each message and its timestamp, phone numbers, incoming and outgoing call logs, and call duration and length.

This data, which can be considered sensitive, is then uploaded to Google's servers through the Google Play Services Clearcut logger service and the Firebase Analytics service.

While there are boundaries that shouldn't be crossed when handling users' sensitive data, one thing is certain: apps should never collect user data without the users' consent.

And whenever an app needs access to users' data, it needs a privacy policy that explains what data is collected, why it is collected, and with whom it will be shared.

In this case, neither Google's Messages app nor its Dialer/Phone app had a privacy policy explaining the purpose of this collection.

And for users who actually want to read the privacy policies, they have to navigate through multiple menus and links, and when using Google Chrome, they also have to agree to additional terms and conditions.

Google was doing this so discreetly that the information was not even made available for download when users used Google Takeout to export the data associated with their account.

The issue here stems from the fact that the data collected while using the two apps is tagged with an Android ID, which in turn links everything the apps collect to the user's Google account, and also to the device/SIM identifiers.

As a result, Google can connect the data to the person's phone number, credit card/bank details and so forth, as well as to their real identity.

What's more, the data sent to Google/Firebase Analytics is tagged with a Google Advertising ID and the app's Firebase ID, which could then be used for advertising-related purposes.

While Google Play Services does inform users that some data is collected for security and fraud prevention, Google provided no explanation whatsoever of why exactly users' phone and message data are being collected.

Since the two apps are Google's, and have been installed on millions of Android devices worldwide, Google was indeed violating users' privacy.

This case is indeed a major privacy oversight.

Seeing the privacy policy of the two apps is not a straightforward task. (Image: Google)

Things get worse because Google is an advertising company that needs user data to improve the way it earns money.

For this reason, there is no excuse for Google not telling users the truth: that the two apps are collecting their information.

While Google does say that the data it collects is either hashed or encrypted, the research showed that it would still be possible to link data more deeply to a particular person, or to connect multiple people to each other.

In response to a research paper outlining the data collected by Google’s Phone and Messages apps, including call and text records, Google has updated both apps to better respect privacy.

For each privacy violation, Trinity College has offered a recommendation of how Google can better generalize the information to simultaneously keep meaningful analytics and maintain an individual’s privacy.

Google has been working closely with Trinity College since then to implement a number of changes where appropriate.

Illustrating how handset data can be linked to a person's real identity. (Image: Google)

For example, Google has updated the Phone app to only send the phone number and the timestamp to Google's servers when the user receives an incoming call while the 'See caller and spam ID' feature is enabled, and if the number is in the user's contacts.

Additionally, Google Phone has been updated to only log anonymized data by rounding the incoming timestamps to the nearest hour.

And the app does that locally, meaning that Google's servers will never have the precise data.

As for Google Messages, it has been updated with a similar logging system, and revised to only send a hashed version of users' messages.
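To make the two points above concrete, here is an added illustration (not code from the paper or from Google) of why a per-message SHA-256 hash plus a precise timestamp still lets two handsets' records be joined, and of the local hour-rounding step the Phone app now applies before upload. Field names and sample data are constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample data: one SMS as seen by the sending and the receiving
# handset, and three incoming calls logged on a single handset.
SMS_TEXT = "meet at 7?"
SEND_TS = datetime(2022, 3, 23, 14, 17, 42, tzinfo=timezone.utc)
CALL_TIMES = [
    datetime(2022, 3, 23, 9, 5, tzinfo=timezone.utc),
    datetime(2022, 3, 23, 9, 12, tzinfo=timezone.utc),
    datetime(2022, 3, 23, 9, 41, tzinfo=timezone.utc),
]

def message_hash(text: str) -> str:
    """SHA-256 of the message body: the per-message value the paper reports being logged."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def round_to_hour(ts: datetime) -> datetime:
    """Round to the nearest hour on the handset, so the precise time never leaves it."""
    floor = ts.replace(minute=0, second=0, microsecond=0)
    return floor + timedelta(hours=1) if ts.minute >= 30 else floor

def sms_record(number: str, text: str, ts: datetime) -> dict:
    """A precise log line for one message (field names are assumed for the example)."""
    return {"number": number, "hash": message_hash(text), "ts": ts.isoformat()}

def link_message_ends(records: list) -> dict:
    """Server-side join: records sharing (hash, timestamp) are the two ends of the same
    message, which ties the sender's and receiver's numbers together despite hashing."""
    ends = {}
    for r in records:
        ends.setdefault((r["hash"], r["ts"]), set()).add(r["number"])
    return {key: nums for key, nums in ends.items() if len(nums) > 1}

def call_log(call_times: list, coarse: bool) -> list:
    """Incoming-call timestamps as uploaded: precise, or rounded locally to the hour."""
    return [(round_to_hour(t) if coarse else t).isoformat() for t in call_times]

def distinct_slots(log: list) -> int:
    """How many calls remain individually distinguishable by timestamp alone."""
    return len(set(log))
```

With precise timestamps every call is distinguishable; after local rounding the 09:05 and 09:12 calls collapse into the same hourly slot, which is the coarsening the page describes.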

While Google has made the changes, Leith said that it's not clear whether Google's commitments fully address the concerns he has raised.

"In particular, they say they will introduce a toggle within the Messages app to allow users to opt out of data collection but that this opt out will not cover data that Google considers to be 'essential' i.e. they will continue to collect some data even when users opt out," he said. "In my tests I had already opted out of Google data collection by disabling the Google 'Usage and diagnostics' option in the handset Settings, and so the data I reported on was already judged to be somehow essential by Google. I think we’ll have to wait and see."

Leith also said that there are two larger matters related to Google Play Services, which is installed on almost all Android phones outside of China.

"The first is that the logging data sent by Google Play Services is tagged with the Google Android ID which can often be linked to a person’s real identity – so the data is not anonymous," he said. "The second is that we know very little about what data is being sent by Google Play Services, and for what purpose(s). This study is the first to cast some light on that, but it's very much just the tip of the iceberg."

Published: 23/03/2022