The recent study, by Professor Doug Leith at the CONNECT SFI Research Centre for Future Networks, details the extensive data collected through use of the Google Messages and Dialer apps.
The apps, used to make and receive calls or to send and receive SMS and other messages, are pre-installed on many Android phones. According to Google, more than one billion phones have both. In the US, AT&T and T-Mobile recently announced that all Android phones on their networks will use the Google Messages app, and the app also comes pre-loaded on Samsung, Xiaomi and Huawei handsets.
Study findings
- The Messages app tells Google whenever a message is sent/received. The information sent includes the time and a hash (an ID code created from the message text) that uniquely identifies the message. This allows Google to discover whether two handsets are communicating, and at what times.
- The Messages app transmits the sender’s phone number to Google, so by combining data from communicating handsets the phone numbers of both are revealed.
- The Dialer app tells Google whenever a phone call is made/received. The information sent includes the time and the call duration. This allows Google to discover whether two handsets are calling one another, and at what times and for how long.
- Each app also tells Google about user interactions with it, for example whenever the user views an app screen or an SMS conversation, or searches their contacts. This allows a detailed picture of app usage over time to be reconstructed by Google.
- The data sent to Google is tagged with the handset Android ID. This is linked to the handset’s Google user account and so often to the personal details (email, phone number, credit card details, etc.) of the person involved in a phone call or SMS message.
- There is no opt-out from this data collection.
Previous studies by Prof Leith’s group at Trinity have noted the large volume of data sent by Google Play Services to Google servers (up to 20 times the data that iPhones send to Apple), and the opaque nature of this data collection. This latest study is one of the first to cast light on the content of the data sent by Google Play Services.
Obviously sensitive data
Prof Leith, professor of computer systems at Trinity, said: "I was surprised to see such obviously sensitive data being collected by these Google apps. It’s not at all clear what the data is being used for and the lack of an opt-out is extremely concerning.
"This work was triggered by our study of the privacy of Covid contact tracing apps. While we found these apps to generally be quite privacy respecting, our measurements highlighted the tremendous volume of data being sent to Google by Google Play Services on Android phones.
"Hopefully our work will act as a wake-up call to the public, politicians and data regulators. It really is time we started to take meaningful action to give people full information on the data that leaves their phones, details as to what it is being used for and, most importantly, the ability to opt out from this data collection."
Google has told the Trinity research team that, in light of the report’s findings, it plans to make changes to the Google Messages and Dialer apps.