Google just got caught red-handed. A study conducted by Douglas Leith, professor of computer science at Trinity College Dublin, reveals that the American giant steals the personal data of Android smartphone users without their consent.
More precisely, Google uses its Messages and Phone apps to collect user information. Both of these apps come pre-installed on billions of devices worldwide.
According to the study conducted by Douglas Leith, Google recovers the hash of messages sent via the Messages application. The hash makes it possible to link the sender of a message and its recipient. Even worse, the American retrieves the times and duration of incoming and outgoing calls through the Phone app. And as long as it does, it collects the associated phone numbers along the way.
Once harvested, this information is sent to Google Play and Google Firebase Analytics services which makes it possible to study the behavior of users. Then, Google is completely free to resell this data, or even to establish standard profiles, or even to resell the conclusions of its analyses.
Google, not very GDPR
Through these practices, Google is blatantly violating the framework established by the GDPR. Indeed, this European law obliges digital players to notify users when they collect their data. Above all, they must ask for their consent before any recovery of this data.
However, Messages and Telephone are not accompanied by any request for consent. The two applications being pre-installed, the user is never asked if he agrees to the collection of his data. And no matter how hard you look in the settings of the applications or the phone, there is no way to deactivate the collection of information by these services.
Finally, Google Takeout – a service that downloads a copy of the personal data that Google has on a user – does not include data collected on Messages and Phone. Basically, it’s the Wild West and there’s nothing users can do about it.
According to Douglas Leith’s study, it is mentioned in Google Play Services that certain data is collected for security purposes to limit fraud. But Google never specifies what data is recovered, or how.
Google has not yet given any explanation for these practices. Recall that WhatsApp had been pinned in Ireland for non-compliance with the GDPR. He was then fined a record 225 million euros.