New Trinity College research raises concerns over Google data collection

Claire Young

New research raises concerns over Google data collection, according to a study by Trinity College Professor, Douglas J. Leith 

The research, which analyses the Google Messages and Google Dialer apps when used on Android handsets, found that call time and duration, the phone numbers of both callers and the timing and duration of other user interactions were sent to Google, with no opt-out option available. 

“This study is therefore one of the first to cast light on the actual telemetry data sent by Google Play Services, which to date has largely been opaque,” Leith said. 

The Google Messages app is a service which allows users to send and receive SMS messages and Google Dialer is used to make phone calls. 

Both apps have been installed in more than a billion devices and The Google Messages App comes pre-downloaded on newer Samsung, Xiaomi and Huawei models. 

This data is sent to the Google Play Services Clearcut logger and Google Firebase Analytics, which allows app developers to provide an insight into app usage and engagement. 

When two users engage in a phone call, Google records both phone numbers of participants, therefore being able to collect data about who is communicating with one another. 

Data from the app is tagged with the handset Android ID, which is linked to the user’s Google account and if they have ever paid for an app on Google Play Store or used Google Pay will have a credit card connected with the account. 

Through this connection, Google may be able to decipher the “real-world” identities of the two people communicating. 

The process in order to view the privacy policy of the Google Message app is described as “not straightforward,” by Leith. 

First a user must open the Setting menu, find the “About, terms and privacy,” link, open a new menu, click on the “privacy policy” link, which opens a Google Chrome window, agree to a set of Chrome terms and conditions which sends a message to Google Analytics, recording that the privacy policy page had been visited. 

Agreeing to these conditions loads a secondary page, which redirects to the privacy policy and during this time “20 connections are made to event sending what appears to be telemetry,” (data collection) and also creates further connections to analytics pages.

“We informed Google of our findings, delayed publication to allow them to respond and in fairness to Google they have engaged positively with us,” Leith said in the report. Google’s response included changing the apps with the introduction of a new software update, an option to opt out of data collection considered unessential for apps to function, the removal of any call related logging and will stop collecting sender’s phone numbers.

Claire Young