Android's Messages, Dialer Apps Quietly Sent Text, Call Info To Google (theregister.com)
Google's Messages and Dialer apps for Android devices have been collecting and sending data to Google without specific notice and consent, and without offering the opportunity to opt out, potentially in violation of Europe's data protection law. From a report: According to a research paper, "What Data Do The Google Dialer and Messages Apps On Android Send to Google?" [PDF], by Trinity College Dublin computer science professor Douglas Leith, Google Messages (for text messaging) and Google Dialer (for phone calls) have been sending data about user communications to the Google Play Services Clearcut logger service and to Google's Firebase Analytics service.
"The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange," the paper says. "The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google." The timing and duration of other user interactions with these apps have also been transmitted to Google. And Google offers no way to opt out of this data collection. [...] Both pre-installed versions of these apps, the paper observes, lack app-specific privacy policies that explain what data gets collected -- something Google requires from third-party developers. And when a request was made through Google Takeout for the Google Account data associated with the apps used for testing, the data Google provided did not include the telemetry data observed.
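Why a hash of the message text, or a call's time and duration, is enough to link two handsets can be shown by joining telemetry records on those shared values. The Python sketch below is an added example, not code from the paper or from Google; the use of SHA-256, the record fields, the handset names and the matching tolerances are all assumptions, and every record is constructed.

```python
import hashlib
from collections import defaultdict


def text_hash(text: str) -> str:
    # Assumption: SHA-256 over the UTF-8 text. The page only says "a hash of the message text".
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed telemetry, as a collector receiving reports from many handsets might hold it.
MESSAGE_EVENTS = [
    {"device": "handset-A", "event": "sent", "hash": text_hash("Running late, see you at 7")},
    {"device": "handset-B", "event": "received", "hash": text_hash("Running late, see you at 7")},
    {"device": "handset-C", "event": "sent", "hash": text_hash("Invoice attached")},
    {"device": "handset-D", "event": "received", "hash": text_hash("Invoice attached")},
    {"device": "handset-E", "event": "sent", "hash": text_hash("No matching receiver")},
]

CALL_EVENTS = [
    {"device": "handset-A", "direction": "outgoing", "start": 5000, "duration": 183},
    {"device": "handset-C", "direction": "incoming", "start": 5001, "duration": 183},
    {"device": "handset-B", "direction": "outgoing", "start": 5000, "duration": 42},
    {"device": "handset-D", "direction": "incoming", "start": 9000, "duration": 183},
]


def link_messages(events):
    """Pair sender and receiver devices that reported the same message hash."""
    by_hash = defaultdict(lambda: {"sent": set(), "received": set()})
    for e in events:
        by_hash[e["hash"]][e["event"]].add(e["device"])
    links = set()
    for sides in by_hash.values():
        for sender in sides["sent"]:
            for receiver in sides["received"]:
                if sender != receiver:
                    links.add((sender, receiver))
    return sorted(links)


def link_calls(events, max_skew=5, max_duration_diff=2):
    """Pair handsets whose call start time and duration agree within a tolerance (seconds)."""
    outgoing = [e for e in events if e["direction"] == "outgoing"]
    incoming = [e for e in events if e["direction"] == "incoming"]
    links = set()
    for o in outgoing:
        for i in incoming:
            same_time = abs(o["start"] - i["start"]) <= max_skew
            same_length = abs(o["duration"] - i["duration"]) <= max_duration_diff
            if o["device"] != i["device"] and same_time and same_length:
                links.add((o["device"], i["device"]))
    return sorted(links)


if __name__ == "__main__":
    # No message text and no phone number is needed for either join.
    print("message links:", link_messages(MESSAGE_EVENTS))
    print("call links:", link_calls(CALL_EVENTS))
```

The hash hides the text but is identical on both ends of the exchange, so it works as a join key; for privacy review, any per-message or per-call value that both parties report should be treated as a linking identifier.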
Recommendations? (Score:2)
I've got a good message alternative (QKSMS), but can anyone suggest a good alternative dialer app?
Re: (Score:2)
Re: (Score:2)
Thanks for the suggestion - I already use their gallery app since it has edit functionality. Will try the dialer.
Re: (Score:2)
Only a few days ago I started using both qksms and simple mobile contacts. Coincidence?
Re: (Score:2)
I've been using Signal almost exclusively for about a year. Text, voice, and video calls. Got most of my friends and family on board. A few friends insist on using Whatsapp exclusively, but Signal lets me text them using SMS.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Signal uses a central server to connect users together. This is theoretically vulnerable to an adversary who could take control of the server, such as the government where the server is hosted, or an advanced hacker, or if the Signal team themselves become corrupted.
Briar does not have any servers. Instead, you use your contact's Tor address (appearing as a long base-36 string) to connect directly from your phone to theirs.
Re: (Score:2)
Re: Recommendations? (Score:2)
Signal and Briar are for different uses. Signal is not perfect, but a vast improvement in security with minimal loss of convenience. Signal can send and receive SMS which lets me stay in contact with my friends who are trapped in Zuckworld.
Re: (Score:2)
Replace the entire OS and install https://grapheneos.org/ [grapheneos.org]
Seriously, fuck Google.
Re: (Score:2)
Did that with my last phone. Fine if you want to treat your phone as a project, but I need it to be an appliance.
Re: (Score:2)
GrapheneOS is not, and most likely never will be, an option of any sort for the vast majority of people, as it only supports Pixel phones (perhaps not even all of them). The PinePhone, even though it's totally unusable as a phone, stands a better chance of being useful.
Re: (Score:2)
Re: (Score:2)
I've used Signal as my messenger for years - it uses Signal if the recipient has it, or SMS if not. They do calls and video now too.
I do have one friend who signed up for Signal but doesn't have it installed on his phone. That's a pain in the backside - he SMSes me, I Signal back :-(
You asked about diallers - and no, not found one that didn't look like it was "dodgy" :-(
Re: (Score:2)
If you want it FOSS, try Koler off of F-Droid. I like it better than Simple tools.
Re: (Score:2)
Only in the Play version of the app, if I'm reading correctly. F-Droid version does not use Firebase, according to the ticket below.
https://github.com/moezbhatti/... [github.com]
Re: (Score:2)
QKSMS uses Google Firebase, you're back to square one.
The F-droid version does not. I would also recommend QKSMS.
which domain names? (Score:2)
Re: (Score:2)
Spoiler: Yes, it does say it.
Re: which domain names? (Score:2)
Re: which domain names? (Score:2)
"Dumb" phones looking better and better (Score:2)
Last year, 1 billion "dumb" phones were sold compared to 1.4 billion "smart" phones. Articles like this show why more and more people [bbc.com] are ditching phones which occupy their lives for no reason other than to enrich someone else.
Re: (Score:2)
Re: (Score:2)
AT&T, Boost, others have cut off the 3G service that flip phones use, leaving users no choice but to upgrade to a 4G-or-better phone.
I have AT&T and use a flip phone without any issue. They gave it to me free because I held out for so long to upgrade. My dad was in the same boat for his Tracfone. We went out and picked up the same phone I have and he's off and running without any issues.
You were saying?
Re: (Score:2)
Re: (Score:2)
Walt Dismal is absolutely right. "Talk and data services will only work for AT&T WirelessSM phones and devices that support at least 4G LTE and HD Voice." Link has a PDF to check your phone's serial number to know if it's affected.
https://www.att.com/support/ar... [att.com]
Reading comprehension isn't your best suit, is it? AT&T gave me an upgraded phone for free, one that works on its network. What I did not say is it 4G LTE capable.
If it's now March and AT&T cut off 3G phone service, how could I be using my phone?
Re: (Score:2)
For those who just can't part with their flip phones, there are at least new versions of them that work over 5G.
https://www.washingtonpost.com... [washingtonpost.com]
Re: (Score:2)
Decade old?
My 2016 i3 lost connected drive in February.
Can't even pay for the replacement part even though the cell module from the 2017s works (the device needs to be registered).
Re: (Score:2)
So you think your dumb phone service provider isn't collecting your call data? Really?
Re: (Score:2)
So you think your dumb phone service provider isn't collecting your call data? Really?
How much data are they collecting if all I'm doing is making and receiving phone calls? They get my location and who I'm calling/getting calls from. That's about six or seven phone numbers over and over. They also see I don't answer the phone if I don't know who the caller is. Yeah, that'll help them out a lot.
Re: (Score:2)
That is the entire complaint of the article we are discussing, that Google Phone app is recording what numbers you call, and to whom, and for how long, to Google. And yes, flip phone users send and receive texts all the time, and that covers the other half of the complaint of TFA.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Who said anything about "local" mobile operators? Most dumbphones are connected to nationwide carriers like:
- Cricket (owned by AT&T)
- Boost Mobile (owned by Dish Network)
- Walmart Mobile (TracFone)
Each major cell company (T-Mobile, Verizon, AT&T) also operates prepaid networks that are very popular with flip phone users.
Flip phone does not imply small mom-and-pop wireless provider.
Re: (Score:2)
Re: (Score:2)
Oh, I see, so you want to work with companies based in your own country. I guess then to us in the US, that would make Google a "local" company. Well fine, do business with only companies based in your country, and see how far you get with that!
Re: (Score:2)
Re: (Score:2)
So you don't use the Google Phone app or Android or iPhone? None of these are from companies in your own country.
Re: (Score:2)
Re: (Score:2)
Well, good for you. For most people, that's not a good option.
Re: (Score:2)
Re: (Score:2)
That's the thing - Google is getting the same data as Verizon et al. and using it for antispam and such.
It's about at the bottom of the list of things Google does that piss me off.
PSTN is nearly obsolete, fortunately.
Re: "Dumb" phones looking better and better (Score:2)
Re: (Score:2)
So you think your dumb phone service provider isn't collecting your call data? Really?
Dumb phone provider collecting call data is better than dumb phone provider plus Google collecting your data. One giant hole below the water line is better than two giant holes.
The dumb phone however is significantly worse when using a software program you trust to privately communicate over a hostile network.
It's just sad we/me still haven't got our shit together and put POTS/SMS out of business. Carriers desperately need to be relieved of the burden of doing anything other than forwarding opaque datagra
Re: (Score:2)
One giant hole below the water line is better than two giant holes
And yet you are using THIS web site, which sends your data to:
- Google (hole #2)
- aaxads.com (Acceptable Ads Exchange)
- taboola.com ("Content discovery and native advertising")
- slashdotstore.com (of course)
- ml314.com (Data Co-op...that contributes content consumption data to a massive pooled data set that details the buying intent of a company.)
- LinkedIn.com
That's just what I can see from looking at "View Page Source" for this web page, and I stopped counting.
If you're really worried about "two holes unde
Re: (Score:2)
What has that to do with the topic?
Your phone provider collects YOUR calls and only YOUR calls to bill you according to your plan
And after 90 days: the data is deleted!!
Re: (Score:2)
Oh you really have drunk the kool-aid! So you think your cell provider uses your call information just for billing?
From the cell carriers' own web sites:
T-Mobile: https://www.t-mobile.com/priva... [t-mobile.com]
AT&T: https://about.att.com/privacy/... [att.com]
Verizon: https://www.verizon.com/about/... [verizon.com]
Basically, these "privacy policies" state that they will use information about everything you do on your phone, in order to sell your data to marketers.
Deleted after 90 days? Yeah right.
Re: (Score:2)
Yes,
my cell-provider only uses call information for billing.
And after 90 days he deletes the data, as he is only required by law to keep it 90 days, and is also required by law to delete it after 90 days.
Oh ... you live in a 3rd world country ... never mind then.
Re: (Score:2)
And you believe the marketing of your cell provider.
LineageOS or bust (Score:3)
Picked up a new phone a few months ago and couldn't believe just how evil and rotten Google had become. Just for grins while waiting for OEM unlock...
Tried disabling "Google play" and was treated to a hilarious infinite nag fest of basically every app in the system whining in unison. Yes I'm not kidding even the fucking calculator app popped up an enable Google play notice and was using data to boot. Yes the calculator is spying on you. No messaging, no phone, no keyboard, no basic component without Google and all constantly spying using your data and battery to do it.
Between the phone and adb you can disable or remove most of it and install alternatives yet this is labor intensive and simply isn't an option for mortals.
It's easier just to install LineageOS than to replace everything individually. Going that route you at least get the ability to firewall apps which is huge and bypass carrier fuckery but honestly this too is a big pain and beyond the reach of mortals.
The whole thing is intentionally designed with the utmost contempt and disrespect.
Re: (Score:2)
This isn't actually about google, but about app makers. Google offers a lot of libraries as a part of Play package. App makers can use these libraries, or include their own.
Most choose the convenience of well tested and well maintained play libraries of Google Play over having to do the work of including their own.
Re: (Score:2)
That's why there's microG. [microg.org] They've managed to replace a lot of these libraries, so the handful of closed-source apps I don't want to give up can still work without any Google apps on my phone.
Last week I bought a Moto G7 Plus, and yesterday I installed LineageOS for microG [microg.org] on it. The last time I did this, there were a few apps that wouldn't work, but they've come a long way since 2019. So far everything I want to do is working great!
Re: (Score:2)
That's great news if true. The only microG app I use is youtube vanced, and that is sadly going away. But I've seen problems that people who root their phone and install another version of android without Google Play have all kinds of compatibility problems.
If microG has solved most of the library related issues with phones that don't have Google Play, it makes Google less dominant on android. Which is a good thing.
Re: (Score:2)
Yes the calculator is spying on you.
No it's not. Google Play Services provides programming APIs as well as update management for apps. Just because you tried disabling a core part of the OS and apps which depend on it complained doesn't mean the app is spying on you.
Also the "using the battery" comment just shows how out of touch you really are. Core system services consume basically no battery these days compared to using the screen on. I don't even charge my phone over night knowing fully well that it'll still be at 99% when I wake up.
Pleas
Re: (Score:2)
No it's not. Google Play Services provides programming APIs as well as update management for apps. Just because you tried disabling a core part of the OS and apps which depend on it complained doesn't mean the app is spying on you.
GPS is not a core part of android. Hence the reason android continues to work without it. Neither is the above the reason for my assertion. The reason I said calculator is spying on you is because the calculator app is using data. Either the calculator is offloading basic arithmetic "to the cloud" or it is collecting usage data.
Just look at the permissions on Google play for their calculator app:
full network access
prevent device from sleeping
Re: (Score:2)
Many Android apps rely on a common set of services, normally supplied by Google. However, you can replace them, e.g. with microg.
https://microg.org/ [microg.org]
Re: (Score:2)
LineageOS still connects to Google servers quite often. You're still riding the Google bandwagon.... just more ignorantly.
The nice thing about LineageOS is it comes preinstalled with tcpdump. You don't have to guess; you can collect data and see what your operating system and apps are doing. There is some truth to this: there are a few extra tweaks needed to gps.conf, webview, captive portal/network check...etc but not a big list and not a big deal to fix.
If you want to officially remove 100% Google services .... look into CalyxOS
I don't want to get off one bandwagon just to hop on a different one.
Ok, for clarification (Score:2)
This means the default SMS app and default phone call app on Samsung Galaxy etc. phones, right?
Re: (Score:2)
That's correct... if you want to share your data with Samsung.
Re: (Score:2)
I don't understand.
At least Android allows you to choose app defaults (Score:2)
If you use Signal already, try it for the default SMS app. As a bonus you get message backup-and-restore too.
Re: (Score:2)
This was obvious... (Score:2)
It's been a while since I upgraded, but when bought a phone with Android 11.
I was surprised to see whilst exchanging SMS messages with people, I was receiving notifications when the other person was drafting a SMS message to me, like I was using messenger or whatsapp. Obviously this isn't supported by SMS, I had to be receiving push notifications from google, and the other person's phone must have been sending information as the other person was drafting an SMS notifying google of who they were messaging.
Re: (Score:2)
forgive the grammar
Re: This was obvious... (Score:2)
Re: (Score:2)
The serial privacy rapists caught raping again (Score:2)
Re: (Score:2)
Yes. I'm shocked that this isn't included in TOS and this metadata isn't sent as a result of data request from Google Takeout. This seems like a really, really stupid oversight on part of Google that's just asking to get fined by data protection authorities in EU.
Re: The serial privacy rapists caught raping again (Score:2)
Re: (Score:2)
How useful it is is irrelevant. Upon data request holder of data is required to send all data that is being stored about the customer. A lot of stuff you get when requesting this data is probably even more irrelevant in most cases.
OMG! (Score:2)
Re: (Score:2)
At this point? When was there a time when that wasn't the way to bet?
Re: (Score:3)
Yeah, before Google bought Android! :D
Re: Yeah OK (Score:2)
Re: (Score:2)
Re: (Score:2)
"At this point if you have an Android phone and don't just assume that everything you do with it is sent to Google, you pretty much deserve what you get."
Yes, we get rush hour info, traffic, route blockages, the best times to use a business, movie theater or restaurant because of that.
I really like that.
But I bought an iPhone nonetheless.
Re: (Score:2)
At this point if you have an Android phone and don't just assume that everything you do with it is sent to Google, you pretty much deserve what you get.
This paper proves the opposite, actually.
To be clear, the thing this paper found is very bad, and very dumb, and must be removed. But the fact that it was found easily demonstrates that Android is far too open and accessible to researchers to allow Google to effectively hide data collection even if they want to. You seem to be assuming that there's a lot more data being reported back than this, but if there were, it would be found, like this was. Or will be found.
Also, the particular nature of this look
Re: (Score:3)
There are brands which are deliberately not doing this. I do not mean Apple, though their spying is more limited in several ways. I mean Librem, for example [puri.sm] and e solutions [esolutions.shop] or a Fairphone 3 [fairphone.com] with LineageOS [lineageos.org] and MicroG [microg.org] installed on them. Some of these things cost a little more. Some of them require a little more work. All of them are practical and so the fact people choose to sell their privacy cheap is a clear decision.
You can get a network contract with an EU provider instead of one in the states, in which
Re: (Score:2)
Re: (Score:2)
There are brands that claim that they're not doing it. That doesn't mean they don't actually do it.
For Apple, you have a point, it is difficult to check. For the ones I listed, however, most of the software is fully F/OSS with serious community involvement which means that you can check and people are already doing that. Whilst it's true that checking everything is difficult, the fact that even the device drivers in Librem phones are free means I'm pretty convinced they are more or less clean.
Re: Yeah OK (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I've got a PinePhone Pro and a PineNote... and I'm glad I bought them, because 1) I support what they're trying to do from a vote-with-your-wallet perspective, and 2) I'm a tinkerer. Always have been. I purchase pretty much any device I run into that lets me modify its firmware.
But realistically speaking, the software on both is a dumpster fire. They're both usable (and I use my PineNote daily to take notes during meetings) but they're both so janky.
Re: (Score:3)
Sailfish is €50 or free if you don't need Android emulation.
If you do need Android emulation, you're currently limited to a couple of Sony phones though they're planning to sell it to all Linux users.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Nice video and fair comment. Note, though, that it's not LineageOS themselves that gets the data and the services used (e.g. DNS / captive portal etc.) and these are the services that must go somewhere. Running your own recursive DNS and pointing your phone at it might be a valid option.
By the time you are using these services, however, you are connecting to a network no matter what. That means that having an EU SIM card to get you under the wings of the GDPR is probably one of your better options. Note, if
Re: (Score:2)
You can get a network contract with an EU provider instead of one in the states
For those of us too lazy to spend half the day looking, do you have a recommendation for one of these that allows a US address, reasonable SMS, voice and data while "roaming" on US carriers? In my travels in Europe, most countries wanted a passport or similar absurd amount of paperwork to associate with a SIM- the Netherlands was the only one where EUR20 got a sim card from a vending machine in the airport with no questions asked.
Re: (Score:2)
https://youtu.be/UfsAuR3Mg8E [youtu.be]
De-googled phone
Re: (Score:2)
Re: (Score:2)
If Google want to continuously pay a voluntary break-the-law tax then by all means they are free to do so. Europe doesn't need the money, in fact they quite clearly state that paying it is entirely optional and even give written guidance on how to not do so.
Re: (Score:2)
Re: (Score:2)
I challenge you to point to such an entity, because every government has some level of corruption present.
Re: (Score:2)
Those do not need to be shared with Google. They need to be shared with the cell service provider. That makes it a violation of the European law. The standard citation of the law is:
EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ