Android's Messages, Dialer Apps Quietly Sent Text, Call Info To Google

Google's Messages and Dialer apps for Android devices have been collecting and sending data to Google without specific notice and consent, and without offering the opportunity to opt-out, potentially in violation of Europe's data protection law. From a report: According to a research paper, "What Data Do The Google Dialer and Messages Apps On Android Send to Google?" [PDF], by Trinity College Dublin computer science professor Douglas Leith, Google Messages (for text messaging) and Google Dialer (for phone calls) have been sending data about user communications to the Google Play Services Clearcut logger service and to Google's Firebase Analytics service.

"The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange," the paper says. "The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google." The timing and duration of other user interactions with these apps has also been transmitted to Google. And Google offers no way to opt-out of this data collection. [...] Both pre-installed versions of these apps, the paper observes, lack app-specific privacy policies that explain what data gets collected -- something Google requires from third-party developers. And when a request was made through Google Takeout for the Google Account data associated with the apps used for testing, the data Google provided did not include the telemetry data observed.

Recommendations?

[jwdb]

I've got a good message alternative (QKSMS), but can anyone suggest a good alternative dialer app?

Re:

[K. S. Kyosuke]

Have you tries Simple Mobile Tools? It should have alternatives to pretty much everything relevant.

Re:

[jwdb]

Have you tries Simple Mobile Tools? It should have alternatives to pretty much everything relevant.

Thanks for the suggestion - I already use their gallery app since it has edit functionality. Will try the dialer.

Re:

[WhatAreYouDoingHere]

Only a few days ago I started using both qksms and simple mobile contacts. Coincidence?

Re:

[CrankyOldEngineer]

I've been using Signal almost exclusively for about a year. Text, voice, and video calls. Got most of my friends and family on board. A few friends insist on using Whatsapp exclusively, but Signal lets me text them using SMS.

Re:

[Plugh]

I switched from Signal to Briar [briarproject.org] about a year ago. Never going back.

Re:

[aRTeeNLCH]

Whilst you're plugging it, care to enlighten those who've but heard of that what the advantages are? With Signal, it's hard enough to get people to use it, but it's received lots of press since a year or two. What's Briar got that makes it good/better? Even fewer people who use it?

Re:

[Meneth]

Signal uses a central server to connect users together. This is theoretically vulnerable to an adversary who could take control of the server, such as the government where the server is hosted, or an advanced hacker, or if the Signal team themselves become corrupted.

Briar does not have any servers. Instead, you use your contact's Tor address (appearing as a long base-36 string) to connect directly from your phone to theirs.

Re:

[aRTeeNLCH]

Technically, that sounds awesome. Practically, it will be useless to me, since I won't have anyone to talk with. I doubt have many friends maybe I'd find some new ones, and for many in my family asking to install Signal was already too much... But if it works for you/ others, more power to you!

Re: Recommendations?

[CrankyOldEngineer]

Signal and Briar are for different uses. Signal is not perfect, but a vast improvement in security with minimal loss of convenience. Signal can send and receive SMS which lets me stay in contact with my friends who are trapped in Zuckworld.

Re:

[Rotting]

Replace the entire OS and install https://grapheneos.org/ [grapheneos.org]

Seriously, fuck Google.

Re:

[jwdb]

Did that with my last phone. Fine if you want to treat your phone as a project, but I need it to be an appliance.

Re:

[StormReaver]

GrapheneOS is not, and most likely never will be, an option of any sort for the vast majority of people, as it only supports Pixel phones (perhaps not even all of them). The PinePhone, even though it's totally unusable as a phone, stands a better chance of being useful.

Re:

[aRTeeNLCH]

I was just going to ask if others also use that one. It's my favourite open source SMS app. From F-droid, in my case. Tip the developer if you like it.

Re:

[coofercat]

I've used Signal as my messenger for years - it uses Signal if the recipient has it, or SMS if not. They do calls and video now too.

I do have one friend who signed up for Signal but doesn't have it installed on his phone. That's a pain in the backside - he SMSes me, I Signal back :-(

You asked about diallers - and no, not found one that didn't look like it was "dodgy" :-(

Re:

[dbitter1]

If you want it FOSS, try Koler off of F-Droid. I like it better than Simple tools.

Re:

[jwdb]

Only in the Play version of the app, if I'm reading correctly. F-Droid version does not use Firebase, according to the ticket below.

https://github.com/moezbhatti/... [github.com]

Re:

[WaffleMonster]

QKSMS uses Google Firebase, you're back to square one.

The F-droid version does not. I would also recommend QKSMS.

which domain names?

[Anonymouse Cowtard]

Does it say in the PDF? Sounds like a job for your Pi-hole. PersonalDNSfilter for Android blocks 90% of the connection requests on my pho^H^H^Htracking device.

Re:

[GigaplexNZ]

You could just try looking at the PDF instead of waiting for a commenter to answer this.

Spoiler: Yes, it does say it.

Re: which domain names?

[Anonymouse Cowtard]

You bastard

Re: which domain names?

[Anonymouse Cowtard]

Yes, the pi-hole needs an upstream provider, and you can set that to Google (8.8.8.8) or OpenDNS or some other.

"Dumb" phones looking better and better

[quonset]

Last year, 1 billion "dumb" phones were sold compared to 1.4 billion "smart" phones. Articles like this show why more and more people [bbc.com] are ditching phones which occupy their lives for no reason other than to enrich someone else.

Re:

[Walt Dismal]

That would be the way to go except that phone service providers are cutting off dumb phone service now. AT&T, Boost, others have cut off the 3G service that flip phones use, leaving users no choice but to upgrade to a 4G-or-better phone. Many older dumb phones are now unusable, as well as appliance IoTs that used 3G. This leaves decade-old cars dead in the water too.

Re:

[quonset]

AT&T, Boost, others have cut off the 3G service that flip phones use, leaving users no choice but to upgrade to a 4G-or-better phone.

I have AT&T and use a flip phone without any issue. They gave it to me free because I held out for so long to upgrade. My dad was in the same boat for his Tracfone. We went out and picked up the same phone I have and he's off and running without any issues.

You were saying?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[quonset]

Walt Dismal is absolutely right. "Talk and data services will only work for AT&T WirelessSM phones and devices that support at least 4G LTE and HD Voice." Link has a PDF to check your phones serial number to know if it's affected.

https://www.att.com/support/ar... [att.com]

Reading comprehension isn't your best suit, is it? AT&T gave me an upgraded phone for free, one that works on its network. What I did not say is it 4G LTE capable.

If it's now March and AT&T cut off 3G phone service, how could I be using my phone?

Re:

[Tony Isaac]

For those who just can't part with their flip phones, there are at least new versions of them that work over 5G.

https://www.washingtonpost.com... [washingtonpost.com]

Re:

[AvitarX]

Decade old?

My 2016 i3 lost connected drive in February.

Can't even pay for the replacement part even though the cell module from the 2017s works (the device is needs to be registered).

Re:

[Tony Isaac]

So you think your dumb phone service provider isn't collecting your call data? Really?

Re:

[quonset]

So you think your dumb phone service provider isn't collecting your call data? Really?

How much data are they collecting if all I'm doing is making and receiving phone calls? They get my location and who I'm calling/getting calls from. That's about six or seven phone numbers over and over. They also see I don't answer the phone if I don't who the caller is. Yeah, that's help them out a lot.

Re:

[Tony Isaac]

That is the entire complaint of the article we are discussing, that Google Phone app is recording what numbers you call, and to whom, and for how long, to Google. And yes, flip phone users send and receive texts all the time, and that covers the other half of the complain of TFA.

Re:

[aRTeeNLCH]

Well, Google has no business knowing who you call when for how long. Your phone network service provider does, and for billing they have to keep records too.

Re:

[aRTeeNLCH]

Sorry for countering in the negative, can you explain need to know basis for apps one created? This has never been the case with any open or closed source, so if you want to twist reality to that point, you will need to clarify yourself. And yes, there are such laws, GDPR comes to mind, and such ethics - spying is generally frowned upon, at least where I've bothered to look around. And claiming that all the party apps are more messy with my data is whataboutism, so not, thanks.

Re:

[aRTeeNLCH]

Decent websites offer to take only functional cookies, and do that up front. And yes, I've been praying attention all along. Google doesn't sell any tracking data. Apple doesn't sell any tracking data. Microsoft Windows enterprise doesn't collect data as far as I know, and Microsoft also doesn't sell any such data to my knowledge. RedHat doesn't sell any tracking data, I doubt they collect any. Yes, I know, if you didn't pay for it, you're the product. But your hyperbole of every commercial OS tracks you an

Re:

[K. S. Kyosuke]

A local mobile operator is at least easier to reach for local law enforcement.

Re:

[Tony Isaac]

Who said anything about "local" mobile operators? Most dumbphones are connected to nationwide carriers like:
- Cricket (owned by AT&T)
- Boost Mobile (owned by Dish Network)
- Walmart Mobile (TracFone)

Each major cell company (T-Mobile, Verizon, AT&T) also operates prepaid networks that are very popular with flip phone users.

Flip phone does not imply small mom-and-pop wireless provider.

Re:

[K. S. Kyosuke]

Uh, what? "Local" == "nationwide". "Global" == "HQ somewhere else, commonly in the United States" -- like, say, Google, which this article is about --- you may have noticed that? If my country has a problem with what O2 does with the data of local users, the management responsible is in our capital. If my country has a problem with what Google does with the data of local users, the management responsible would have to be extradited from the US. See the difference?

Re:

[Tony Isaac]

Oh, I see, so you want to work with companies based in your own country. I guess then to us in the US, that would make Google a "local" company. Well fine, do business with only companies based in your country, and see how far you get with that!

Re:

[K. S. Kyosuke]

It's exactly what I've been doing.

Re:

[Tony Isaac]

So you don't use the Google Phone app or Android or iPhone? None of these are from companies in your own country.

Re:

[K. S. Kyosuke]

I'm using de-googled Android. I'm not dealing with Google's services, especially not in the "doing business" sense.

Re:

[Tony Isaac]

Well, good for you. For most people, that's not a good option.

Re:

[K. S. Kyosuke]

There *should* be options. It's embarrassing that there aren't.

Re:

[bill_mcgonigle]

That's the thing - Google is getting the same data as Verizon et al. and using it for antispam and such.

It's about at the bottom of the list of things Google does that piss me off.

PSTN is nearly obsolete, fortunately.

Re: "Dumb" phones looking better and better

[SleepingEye]

Not correct. According to the article, Google only gets a hash. Vzn actually gets the actual message

Re:

[WaffleMonster]

So you think your dumb phone service provider isn't collecting your call data? Really?

Dumb phone provider collecting call data is better than dumb phone provider plus Google collecting your data. One giant hole below the water line is better than two giant holes.

The dumb phone however is significantly worse when using a software program you trust to privately communicate over a hostile network.

It's just sad we/me still haven't got our shit together and put POTS/SMS out of business. Carriers desperately need to be relieved of the burden of doing anything other than forwarding opaque datagra

Re:

[Tony Isaac]

One giant hole below the water line is better than two giant holes

And yet you are using THIS web site, which sends your data to:
- Google (hole #2)
- aaxads.com (Acceptable Ads Exchange)
- taboola.com ("Content discovery and native advertising")
- slashdotstore.com (of course)
- ml314.com (Data Co-op...that contributes content consumption data to a massive pooled data set that details the buying intent of a company.
- LinkedIn.com

That's just what I can see from looking at "View Page Source" for this web page, and I stopped counting.

If you're really worried about "two holes unde

Re:

[angel'o'sphere]

What has that to do with the topic?

Your phone provider collects YOUR calls and only YOUR calls to bill you according to your plan

And after 90 days: the data is deleted!!

Re:

[Tony Isaac]

Oh you really have drunk the kool-aid! So you think your cell provider uses your call information just for billing?

From the cell carriers' own web sites:
T-Mobile: https://www.t-mobile.com/priva... [t-mobile.com]
AT&T: https://about.att.com/privacy/... [att.com]
Verizon: https://www.verizon.com/about/... [verizon.com]

Basically, these "privacy policies" state that they will use information about everything you do on your phone, in order to sell your data to marketers.

Deleted after 90 days? Yeah right.

Re:

[angel'o'sphere]

Yes,
my cell-provider only uses call information for billing.
And after 90 days he deletes the data, as he is only required by law to keep it 90 days, and is also required by law to delete it after 90 days.

Oh ... you live in a 3rd world country ... never mind then.

Re:

[Tony Isaac]

And you believe the marketing of your cell provider.

LineageOS or bust

[WaffleMonster]

Picked up a new phone a few months ago and couldn't believe just how evil and rotten Google had become. Just for grins while waiting for OEM unlock...

Tried disabling "Google play" and was treated to a hilarious infinite nag fest of basically every app in the system whining in unison. Yes I'm not kidding even the fucking calculator app popped up an enable Google play notice and was using data to boot. Yes the calculator is spying on you. No messaging, no phone, no keyboard, no basic component without Google and all constantly spying using your data and battery to do it.

Between the phone and adb you can disable or remove most of it and install alternatives yet this is labor intensive and simply isn't an option for mortals.

It's easier just to install LineageOS than to replace everything individually. Going that route you at least get the ability to firewall apps which is huge and bypass carrier fuckery but honestly this too is a big pain and beyond the reach of mortals.

The whole thing is intentionally designed with the upmost contempt and disrespect.

Re:

[Luckyo]

This isn't actually about google, but about app makers. Google offers a lot of libraries as a part of Play package. App makers can use these libraries, or include their own.

Most choose the convenience of well tested and well maintained play libraries of Google Play over having to do the work of including their own.

Re:

[Mononymous]

That's why there's microG. [microg.org] They've managed to replace a lot of these libraries, so the handful of closed-source apps I don't want to give up can still work without any Google apps on my phone.
Last week I bought a Moto G7 Plus, and yesterday I installed LineageOS for microG [microg.org] on it. The last time I did this, there were a few apps that wouldn't work, but they've come a long way since 2019. So far everything I want to do is working great!

Re:

[Luckyo]

That's great news if true. The only microG app I use is youtube vanced, and that is sadly going away. But I've seen problems that people who root their phone and install another version of android without Google Play have all kinds of compatibility problems.

If microG has solved most of the library related issues with phones that don't have Google Play, it makes Google less dominant on android. Which is a good thing.

Re:

[thegarbz]

Yes the calculator is spying on you.

No it's not. Google Play Services provides programming APIs as well as update management for apps. Just because you tried disabling a core part of the OS and apps which depend on it complained doesn't mean the app is spying on you.

Also the "using the battery" comment just shows how out of touch you really are. Core system services consume basically no battery these days compared to using the screen on. I don't even charge my phone over night knowing fully well that it'll still be at 99% when I wake up.

Pleas

Re:

[WaffleMonster]

No it's not. Google Play Services provides programming APIs as well as update management for apps. Just because you tried disabling a core part of the OS and apps which depend on it complained doesn't mean the app is spying on you.

GPS is not a core part of android. Hence the reason android continues to work without it. Neither is the above the reason for my assertion. The reason I said calculator is spying on you is because the calculator app is using data. Either the calculator is offloading basic arithmetic "to the cloud" or it is collecting usage data.

Just look at the permissions on Google play for their calculator app:

full network access
prevent device from sleeping

Re:

[AmiMoJo]

Many Android apps rely on a common set of services, normally supplied by Google. However, you can replace them, e.g. with microg.

https://microg.org/ [microg.org]

Re:

[WaffleMonster]

LineageOS still connects to Google servers quite often. You're still riding the Google bandwagon.... just more ignorantly.

The nice thing about LineageOS it comes preinstalled with tcpdump. You don't have to guess you can collect data and see what your operating system and apps are doing. There is some truth to this there are a few extra tweaks needed to gps.conf, webview, captive portal/network check...etc but not a big list and not a big deal to fix.

If you want to officially remove 100% Google services .... look into CalyxOS

I don't want to get off one bandwagon just to hop on a different one.

Ok, for clarification

[Dirk Becher]

This means the default SMS app and default phone call app on Samsung Galaxy etc. phones, right?

Re:

[LostMonk]

That's correct... if you want to share your data with Samsung.

Re:

[Dirk Becher]

I don't understand.

At least Android allows you to choose app defaults

[virtig01]

If you use Signal already, try it for the default SMS app. As a bonus you get message backup-and-restore too.

Re:

[aRTeeNLCH]

Does Signal play nice with dual SIM in the mean time? That's what made it unusable for SMS for me some time ago...

This was obvious...

[Darkling-MHCN]

It's been a while since I upgraded, but when bought a phone with Android 11.

I was surprised to see whilst exchanging SMS messages with people, I was receiving notifications when the other person was drafting a SMS message to me, like I was using messenger or whatsapp. Obviously this isn't supported by SMS, I had to be receiving push notifications from google, and the other person's phone must have been sending information as the other person was drafting an SMS notifying google of who they were messaging.

Re:

[Darkling-MHCN]

forgive the grammar

Re: This was obvious...

[Anonymouse Cowtard]

Ok, but consider this your final notice.

Re:

[larwe]

All of that stuff is part of RCS https://www.techspot.com/news/83194-google-finishes-us-rollout-rcs-replacement-sms.html [techspot.com] and is a feature, not a bug (you can also disable it). It's not _technically necessary_ to use Google's RCS gateway but it is _practically necessary_ because the carrier gateways were/are either nonexistent or riddled with problems.

The serial privacy rapists caught raping again

[sinij]

Is anyone shocked by this?

Re:

[Luckyo]

Yes. I'm shocked that this isn't included in TOS and this metadata isn't sent as a result of data request from Google Takeout. This seems like a really, really stupid oversight on part of Google that's just asking to get fined by data protection authorities in EU.

Re: The serial privacy rapists caught raping again

[SleepingEye]

A truncated sha256 hash that includes the time? That is near useless for short or long messages.

Re:

[Luckyo]

How useful it is is irrelevant. Upon data request holder of data is required to send all data that is being stored about the customer. A lot of stuff you get when requesting this data is probably even more irrelevant in most cases.

OMG!

[Fuzi719]

I'm so scared of my communications being spied on, I wiped all the Google apps from my life, installed a third-party OS, and posted on TikTok and Facebook all about how to free yourself from the evil spies! /s

Re:

[taustin]

At this point? When was there a time when that wasn't the way to bet?

Re:

[darkain]

Yeah, before Google bought Android! :D

Re: Yeah OK

[SleepingEye]

So your option is to go apl, where your privacy is definitely raped because they force you (socially and tech) to route all your messages through their servers.

Re:

[fluffernutter]

As opposed to iOS where I can't even put files directly in the filesystem of my own device. I'll take Android.

Re:

[nospam007]

"At this point if you have an Android phone and don't just assume that everything you do with it is sent to Google, you pretty much deserve what you get."

Yes, we get rush hour info, traffic, route blockages, the best times to use a business, movie theater or restaurant because of that.
I really like that.
But I bought an iPhone nonetheless.

Re:

[swillden]

At this point if you have an Android phone and don't just assume that everything you do with it is sent to Google, you pretty much deserve what you get.

This paper proves the opposite, actually.

To be clear, the thing this paper found is very bad, and very dumb, and must be removed. But the fact that it was found easily demonstrates that Android is far too open and accessible to researchers to allow Google to effectively hide data collection even if they want to. You seem to be assuming that there's a lot more data being reported back than this, but if there were, it would be found, like this was. Or will be found.

Also, the particular nature of this look

Re:

[AleRunner]

There are brands which are deliberately not doing this. I do not mean Apple, though their spying is more limited in several ways. I mean Librem, for example [puri.sm] and e solutions [esolutions.shop] or a Fairphone 3 [fairphone.com] with LineageOS [lineageos.org] and MicroG [microg.org] installed on them. Some of these things cost a little more. Some of them require a little more work. All of them are practical and so the fact people choose to sell their privacy cheap is a clear decision.

You can get a network contract with an EU provider instead of one in the states, in which

Re:

[GigaplexNZ]

There are brands that claim that they're not doing it. That doesn't mean they don't actually do it.

Re:

[AleRunner]

There are brands that claim that they're not doing it. That doesn't mean they don't actually do it.

For Apple, you have a point, it is difficult to check. For the ones I listed, however, most of the software is fully F/OSS with serious community involvement which means that you can check and people are already doing that. Whist it's true that checking everything is difficult, the fact that even the device drivers in Librem phones are free means I'm pretty convinced they are more or less clean.

Re: Yeah OK

[SleepingEye]

Why do you need to check? Your messages are DEFINITELY being sent to their servers through their im

Re:

[aRTeeNLCH]

You're responding to a message listing open source phone operating systems. Any messaging on those devices will have to be done through 3rd party apps and servers. Except SMS, which will go through the network operator servers.

Re:

[Plugh]

I am loving my PinePhone Pro [pine64.org] running Mobian [mobian-project.org]. I like knowing that my phone is NOT spying on me.

Re:

[DamnOregonian]

Are you really?

I've got a PinePhone Pro and a PineNote... and I'm glad I bought them, because 1) I support what they're trying to do from a vote-with-your-wallet perspective, and 2) I'm a tinkerer. Always have been. I purchase pretty much any device I run into that lets me modify its firmware.

But realistically speaking, the software on both is a dumpster fire. They're both usable (and I use my PineNote daily to take notes during meetings) but they're both so janky.

Re:

[UpnAtom]

Sailfish is €50 or free if you don't need Android emulation.

If you do need Android emulation, you're currently limited to a couple of Sony phones though they're planning to sell it to all Linux users.

Re:

[aRTeeNLCH]

I tried that, but never got my banking apps to work. Jolla just says they never guaranteed that, and user forums didn't know further either. YMMV.

Re:

[Computershack]

And the banking apps never will work, the vast majority won't work on jailbroken phones either because they poll the OS for things like kernel versions, whether the bootloader has been unlocked etc so any modified OS or bootloader shipped in any state other than the manufacturer installed/updated one will stop you from using banking software.

Re:

[aRTeeNLCH]

And yet I'm using LineageOS (with gapps) with Magisk hide and all my banking apps work. Just one of those 4 worked on SailfishOS. But indeed it's getting increasingly difficult to get stuff working with custom ROMs. And now that more and more manufacturers (Fairphone, Nokia?, Samsung?) are delivering 5 year updates, that may be the preferred way.

Re:

[theadviceboat]

LineageOS still phones home to Google... you havnt removed Google.... just ignorantly assuming you did. If you want to remove the last bit of phone home that LineageOS does.... watch this video: (How to De-Google LineageOS) https://www.youtube.com/watch?... [youtube.com]

Re:

[AleRunner]

Nice video and fair comment. Note, though, that it's not LineageOS themselves that gets the data and the services used (e.g. DNS / captive portal etc.) and these are the services that must go somewhere. Running your own recursive DNS and pointing your phone at it might be a valid option.

By the time you are using these services, however, you are connecting to a network no matter what. That means that having an EU SIM card to get you under the wings of the GDPR is probably one of your better options. Note, if

Re:

[dbitter1]

You can get a network contract with an EU provider instead of one in the states

For those of us too lazy to spend half the day looking, do you have a recommendation for one of these that allows a US address, reasonable SMS, voice and data while "roaming" on US carriers? In my travels in Europe, most countries wanted a passport or similar absurd amount of paperwork to associate with a SIM- the Netherlands was the only one where EUR20 got a sim card from a vending machine in the airport with no questions asked.

Re:

[mspohr]

https://youtu.be/UfsAuR3Mg8E [youtu.be]
De-googled phone

Re:

[DamnOregonian]

I want to know what the fuck happened to your brain.

Re:

[thegarbz]

If Google want to continuously pay a voluntary break-the-law tax then by all means they are free to do so. Europe doesn't need the money, in fact they quite clearly state that paying it is entirely optional and even give written guidance on how to not do so.

Re:

[Errol backfiring]

No, Google needs a non-corrupt government.

Re:

[MachineShedFred]

I challenge you to point to such an entity, because every government has some level of corruption present.

Re:

[Aristos Mazer]

Those do not need to be shared with Google. They need to be shared with the cell service provider. That makes it a violation of the European law. The standard citation of the law is:

EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ