Google is constantly making improvements to the Play Store to prevent Android apps from spying on users, but a new report claims that the company's own apps have been collecting and sending user data back to the search giant.
In a new research paper, Douglas Leith, a computer science professor at Trinity College Dublin, has revealed that both Google Messages and Google Dialer have been sending data about user communications to the Google Play Services Clearcut logger service and to Google's Firebase Analytics service.
While the data sent by Google Messages includes a hash of the message text that makes it possible to link the sender and receiver in a text message, the data sent by Google Dialer includes the time and duration of phone calls as well as the phone numbers themselves.
What's particularly troubling about this is that there are over three billion Android smartphones in use today, and devices from Huawei, Samsung, Xiaomi and other smartphone makers often ship with Google Messages and Google Dialer pre-installed.
No opt-out notice
As part of his research into the matter, Leith made a Google Takeout request for his Google Account data associated with both Google Messages and Google Dialer. While Google did send over this data, the telemetry data observed by Leith wasn't included.
These days most apps collect some data on their users, but they also give them a way to opt out in order to remain in compliance with GDPR, CCPA and other data protection laws. With Google's own apps that come pre-installed on many Android smartphones, there is currently no ability to opt out of data collection.
At the same time, the pre-installed versions of both apps lack app-specific privacy policies that explain what data gets collected. Although Google requires app-specific privacy policies from third-party apps, its own apps don't need to meet this same requirement.
While Google Play Services collects some data for security and fraud prevention purposes and to maintain Google Play Services APIs and Google's core services, the company does not provide details or explain why it collects message content data or data on callers and call recipients.
After sharing his findings with Google back in November of last year, Leith has participated in several conversations with the company's director of Google Messages about making changes to the company's pre-installed messaging app. In an email to The Register, he provided details on the changes the company has planned and how they may not do much when it comes to data collected by the search giant, saying:
"In particular, they say they will introduce a toggle within the Messages app to allow users to opt out of data collection but that this opt out will not cover data that Google considers to be 'essential' i.e. they will continue to collect some data even when users opt out. In my tests I had already opted out of Google data collection by disabling the Google 'Usage and diagnostics' option in the handset Settings, and so the data I reported on was already judged to be somehow essential by Google. I think we’ll have to wait and see."
Via The Register