Google to make changes to apps after TCD study finds privacy issues

Concerns raised about its Dialer and Messages apps pre-installed on Android phones

Google is to make changes to its Dialer and Messages apps on Android phones after privacy concerns were raised about the implications of data collected.

A study led by Prof Doug Leith at the Connect SFI Research Centre for Future Networks at Trinity College Dublin details the extensive data collected via the use of these apps.

The apps, used to make and receive calls or to send and receive SMS and other messages, are pre-installed on many Android phones.

According to Google, more than a billion phones have both. In the United States, AT&T and T-Mobile recently announced that all Android phones on their networks will use the Google Messages app and the app also comes pre-loaded on Samsung, Xiaomi and Huawei handsets.


The TCD study established that the Messages app tells Google whenever a message is sent or received.

The information sent includes the time and an ID code created from the message text that uniquely identifies the message. This allows Google to discover whether two handsets are communicating, and at what times.

The Google Messages app transmits the sender’s phone number to Google, so by combining data from communicating handsets the phone numbers of both are revealed.

The Dialer app tells Google whenever a phone call is made or received. The information sent includes the time and the call duration. This allows Google to discover whether two handsets are calling one another, at what times and for how long.

Each app also tells Google about user interactions with it, such as whenever the user views an app screen, an SMS conversation or searches their contacts. This allows a detailed picture of app usage over time to be reconstructed by Google.

No opt-out

The data sent to Google is tagged with the handset Android ID. This is linked to the handset’s Google user account and often to personal details such as email, phone number, or credit card details of the person involved in a phone call or SMS message. There is no opt-out from this data collection.
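The linkage described above (a message ID derived from the text, a timestamp, the sender's number and the Android ID tag) can be illustrated with a short added example; it is not code from the TCD study or from Google. The event fields, the truncated SHA-256 used for the ID, the account table and all values are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def message_id(text):
    # Assumption: the ID is modelled as a truncated SHA-256 of the message text;
    # the article only says the ID is created from the text.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]

# Constructed account data: Android ID -> phone number on the linked account.
ACCOUNTS = {"aid-A": "+000-0001", "aid-B": "+000-0002", "aid-C": "+000-0003"}

# Constructed telemetry. No message text is stored, only its derived ID.
EVENTS = [
    {"android_id": "aid-A", "dir": "sent", "ts": 1000, "msg_id": message_id("See you at 6?")},
    {"android_id": "aid-B", "dir": "received", "ts": 1003,
     "msg_id": message_id("See you at 6?"), "sender_number": "+000-0001"},
    {"android_id": "aid-B", "dir": "sent", "ts": 1100, "msg_id": message_id("ok")},
    {"android_id": "aid-A", "dir": "received", "ts": 1102,
     "msg_id": message_id("ok"), "sender_number": "+000-0002"},
    # An unrelated handset sends the same short text much later: same ID, different time.
    {"android_id": "aid-C", "dir": "sent", "ts": 9000, "msg_id": message_id("ok")},
]

def link_handsets(events, max_skew=60):
    """Pair 'sent' and 'received' events that share a message ID within max_skew seconds."""
    by_id = defaultdict(list)
    for e in events:
        by_id[e["msg_id"]].append(e)
    links = []
    for group in by_id.values():
        for s in (e for e in group if e["dir"] == "sent"):
            for r in (e for e in group if e["dir"] == "received"):
                # The timestamp separates a real exchange from a coincidental text match.
                if s["android_id"] != r["android_id"] and 0 <= r["ts"] - s["ts"] <= max_skew:
                    links.append({
                        "time": s["ts"],
                        "from": r.get("sender_number") or ACCOUNTS.get(s["android_id"]),
                        "to": ACCOUNTS.get(r["android_id"]),
                    })
    return sorted(links, key=lambda link: link["time"])

if __name__ == "__main__":
    for link in link_handsets(EVENTS):
        print(link)
```

The third handset's "ok" produces the same ID but is not linked, which shows why the timestamp matters as much as the content-derived ID when records from different handsets are combined.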

Previous studies by the group have noted the large volume of data sent by Google Play Services to Google servers (up to 20 times the data that iPhones send to Apple), and the “opaque nature” of this data collection.

This latest study is one of the first to cast light on the content of the data sent by Google Play Services.

“I was surprised to see such obviously sensitive data being collected by these Google apps,” said Prof Leith. “It’s not at all clear what the data is being used for and the lack of an opt-out is extremely concerning.

“This work was triggered by our study of the privacy of Covid contact-tracing apps. While we found these apps to generally be quite privacy respecting, our measurements highlighted the tremendous volume of data being sent to Google by Google Play Services on Android phones.

“Hopefully our work will act as a wake-up call to the public, politicians and data regulators. It really is time we started to take meaningful action to give people full information on the data that leaves their phones, details as to what it is being used for and, most importantly, the ability to opt out from this data collection.”

Google told the Trinity research team that, in light of the report’s findings, it plans to make changes to its Messages and Dialer apps.

Colin Gleeson

Colin Gleeson is an Irish Times reporter