Your mobile carrier isn’t the only conglomerate that has access to your messages and calls.
We use our smartphone devices for everything.
Our phones contain everything from banking data to medical data from devices measuring our heart rates and sleeping cycles.
Smartphone users voluntarily give up that data in exchange for the convenience of being able to pay for items, or have access to our biometric rhythms, with the tap of a button.
Losing some privacy for the sake of convenience is a trade off most people are OK with as long as the understanding is that the data being collected is safe.
Explicit consent is also usually a prerequisite for giving up digital privacy.
But with this week’s hacks of major tech companies and a new research paper shining the light on previously undisclosed data collection, Google (GOOGL) – Get Alphabet Inc. Class A Report may be failing its users on multiple fronts.
Android Is Collecting More Data Than You Think
Google’s Messages and Dialer apps have been sending data to the company’s servers without receiving explicit user consent, according to a recent paper from Douglas Leith, a computer science professor at the Trinity College Dublin.
The paper, which is titled “What Data Do the Google Dialer and Messages Apps on Android Send to Google?,” claims that those apps tell Google when messages and phone calls are made and received.
The data sent by Messages includes a hash of the message text, which allows for a third party to link the sender and receiver in a message exchange.
Dialer also sends data to Google servers, including call time and duration along with phone numbers, again allowing a third party to unmask everyone on the call.
There is no opt out from this data collection, according to the paper, and the data is sent via Google Play Services Clearcut logger and Google/Firebase Analytics.
“The data sent to Google is tagged with the handset Android ID, which is linked to the handset’s Google user account and so often to the real identity of the person involved in a phone call or SMS message,” Leith said.
“For example, a working phone number is required to create a Google account, and if the person has paid for an app on the Google Play store or uses Google Pay then their Google account is also linked to their credit card/bank details. In this way real-world identities of the pair of people communicating may be revealed to Google.”
Leith said he delayed publishing his paper for several months in order to engage with Google. The company has told the professor that it plans to make multiple changes to the apps.
A Loose Grip on Your Data
Google Messages is installed on most Android devices worldwide, including the popular Samsung (SSNLF) Galaxy S22 device.
Leith’s paper offered nine solutions for plugging the data leak, Android Police reports that Google has implemented six of them.
The company also provided explanations for some of its data collection practices, including saying that message hash is collected for detecting message sequencing bugs and phone numbers are collected to improve regex pattern matching for automatic recognition of one-time passwords sent over RCS (rich communication service) messaging.
One of the biggest issues with the data collection from big tech is that its not secure.
In December, Google said it took action against a major hacking operation that it suspected infected more than 1 million devices with malware.
“We understand and recognise the threats the Internet faces, and we are doing our part to address them,” Google said at the time, according to the New York Post.
This week, a hacking group calling itself Lapsus$ claims to have leaked the source code for Bing, Cortana and other projects that it stole from Microsoft’s (MSFT) – Get Microsoft Corporation Report internal Azure DevOps server.
The group posted a torrent containing source code of over 250 projects that they say belong to Microsoft.
Okta (OKTA) – Get Okta, Inc. Class A Report shares dropped Tuesday after the tech group, which manages network access for thousands of U.S. companies, began investigating reports of an illegal data breach.
Lapsus$ was reportedly behind that hack also.
These hacks beg the question: if the companies who are collecting our data can not protect their own data from being compromised, how much trust should be really be putting into them?
