A Trinity researcher said there is no opt-out on the ‘sensitive data’ being collected from two Google apps that are installed on more than 1bn Android handsets.
Researchers at Trinity College Dublin have shared privacy concerns with Google around the level of personal data being collected by its Messages and Dialer apps on Android phones.
A study analysed the data sent to Google by these apps on Android, which handle SMS text messages and calls received and sent by devices. It noted that these apps are pre-installed on many Android phones and more than 1bn devices worldwide have both.
The study was conducted by Prof Doug Leith from Connect, the Science Foundation Ireland research centre for future networks based at Trinity, and the university’s School of Computer Science and Statistics.
It suggested these apps send a large amount of data to Google, such as letting the tech giant know whenever a message is sent or received, and noted there is no option to opt out of the data collection.
It said the data collected from Messages includes a timestamp and hash that uniquely identifies the message, as well as the sender’s phone number, which lets Google see which devices are communicating and at what times.
“I was surprised to see such obviously sensitive data being collected by these Google apps,” Leith said. “It’s not at all clear what the data is being used for and the lack of an opt-out is extremely concerning.”
Similarly, the study said the Dialer app can let Google see whether two handsets are calling one another, at what times and for how long.
It added that these apps give Google information such as when the app is accessed or a message is viewed. The data sent to Google is tagged with the handset’s Android ID, which is linked to the user’s Google account. This account can contain personal user info such as their email address and credit card details.
Leith’s research team said it informed Google of the findings and delayed publishing the study for several months to engage with the company.
“On foot of this report, Google say that they plan to make multiple changes to their Messages and Dialer apps,” the study said.
The study is a technical one, not a legal one, but it added that the findings raise “obvious questions regarding GDPR data protection regulators in Europe”.
Leith’s team has previously researched how Android and iPhone handsets share data with Google and Apple. The latest research was triggered by a previous study on the privacy of Covid-19 contact-tracing apps.
“While we found these apps to generally be quite privacy respecting, our measurements highlighted the tremendous volume of data being sent to Google by Google Play Services on Android phones,” Leith said.
“Hopefully our work will act as a wake-up call to the public, politicians and data regulators. It really is time we started to take meaningful action to give people full information on the data that leaves their phones, details as to what it is being used for and, most importantly, the ability to opt out from this data collection,” he added.