Android's Messages, Dialer apps quietly sent text, call info to Google Google's Messages and Dialer apps for Android devices have been collecting and sending data to Google without specific notice and consent, and without offering the opportunity to opt-out, potentially in violation of Europe's data protection law. According to a research paper, "What Data Do The Google Dialer and Messages Apps …
This isn't really new news.
I've been using Signal for SMS instead of the default Messages.
Also I use K-9 email as the Android email client is really using Google servers not at local email client at all, so if you use the default Android email Google gets all the credentials and messages.
I use a third party keyboard. Yes, an evil one could be a security risk, but there are companies doing free touch keyboards that are less evil than Google.
The Google Gallery is also a problem. I have an alternate to that.
To think that we used to worry about Microsoft!
The core of the issue is the poison pill that was Doubleclick
If anyone's seen the Schlock B-movie "The Stuff", the plot seems vaguely familiar (carnivourous yoghurt that eats you from the inside - you love it and it loves you)
Google is a shuffling zombie at this point
"Why do Apps Google Maps & Amazon Kindle & Google Play Store Books start at boot?"
Because you did not delete them (if possible on "your" device)?
Much of the pre installed garbage (like "child mode", chrome, "digital wellbeing",drive, gogle, "google play music" and similar crap) cannot even be deinstalled and many other apps, like youtube (which i do not use at all on my "smart"phone) but also games and third party apps that you dont need permanently ready to run, are restarted without reboot whenever you stop them.
This might make sense for something like messages but youtube ? Games ? A permanently failing display app for how much is on my bonus card ?
Quite frankly, users should be used to the fact that they may own the hardware but not the software and do not have control over what their devices do in the background.
Windows has a poweruser but no real administrator since WinXP, Android was never meant to let the users have any significant control. Apple IOs... forget it.
And yes, of course i replaced the google keyboard as soon as it kept requesting microphone access. I also killed goggle maps as far as i could and "disabled" anything that let me at least do that...
But i refuse to give in to the illusion that my device is now "safe" or "protecting my privacy" as it was never designed to be any of those two.
They do not "think" it is their information. They assure it becomes their information by all means necessary.
The "smart" in these phones is how smart the controlling parties(*) have been to get their fingers in any and all possible information for analysis.
(*) controlling parties include google and apple but there are many more. The commercial entities may just be a front for more nefarious parties like NSA and other secret services.
The law seems strange. So I have an android with a Verizon contract. They need call logs. A local app would so it could show it to me. Google doesn't need to know, especially their Play organ.
I'm also curious about the legality. Most countries have legislation covering lawful intercept that attempts to regulate things like wire taps. There have been plenty of prosecutions in the past where people have illegally installed call & data loggers.
So why not prosecute, if the basic activity is fundamentally unlawful? Which may also be a consent issue because I think it gets legally tricky to consent to something illegal.
But any redress would require you to sue google. Then, in a class action, you can get maybe one million people in the class to get 500 Megabucks in a settlement. The lawyers take 50% of that and then you get vouchers for $250, which you may spend at the google play store.
Your data is still abused and you cannot get it back. Your data is used in aggregates, probably anonymized in a reversible way, and will never get deleted anyway. The three letter agencies from all over the world have copies of the data and you will never ever get them to admit to anything.
All in all, you are fucked over, regardless how illegal the actions have been. That is the problem with this digital data in the hands of anybody else than yourself. You can never get effective redress.
But this why we have governments. If something is illegal, they can prosecute. Which then may set precedent, and discourage other mass slurpers. Class action or maybe judicial review could have the same effect.
But it's always struck me as odd. LEOs have to obey surveillance laws, big tech gets allowed to do bulk data collection without much in the way of limitation or regulation. But I guess that's why they lobby so hard.
In theory yes - but given that governments get to decide whether or not their secret squirrels collection of every bit of data they can get their paws on, by far means or foul - well, I wouldn't expect too much trying to prosecute, never mnd the time, monetary and legal difficulties of trying to get a prosecution
=
But this is why we have governments. They have legislative and enforcement powers.
So suppose I plonk a Stingray or other IMSI trap outside the Parliament. I can then trawl through call logs. I'm pretty certain it's illegal for me to own & operate a Stingray, and the police and security services might take an interest. Saying it's so I can better target MPs probably won't help my defence.
So why then would it be legal for me to install a virtual Stingray on every Android phone, especially when the intercept capability is hidden, and users can't opt out?
> why then would it be legal for me to install a virtual Stingray on every Android phone
It would, if you spent enough money in lobbying. Money decides what's legal and what not. Buy some politicians, hire the best lawyers, and you'll get away with almost anything.
"But this why we have governments. If something is illegal, they can prosecute"
Unfortunately, data protection law in EEA/UK doesn't work proactively. There has to be a certain volume of complaints commensurate with the scale and significance of the infraction, then a decision has to be made about the economics of pursuing the matter, and any penalties are purely "administrative" not criminal sanctions. The law provides for the complainant to take action independently on their own behalf, but does not necessarily guarantee that a complaint will be pursued by the regulator. Finally, at least in the UK, the regulator has great difficulty enforcing its administrative penalties. On many occasions organisations have negotiated their penalties down to trivial levels or simply failed to pay up, and not a lot has been achieved in countering these abuses.
Recognising that many of the perpetrators have revenues that rival small countries and that the law is expensive, it's hard to see how things could be improved.
I'm pretty sure no law works proactively and all require some volume of complaints.
People complain that something must be done about 'X', the government says no! 'X' is either the ultimate evil and must be banned forever / 'X' is the natural order of things and only extremists would want to ban it (delete as appropriate)
Then enough public opinion gets behind banning/legalising 'X", a law is passed and nobody can ever believe that 'X" was ever illegal/tolerated
"But it's always struck me as odd. LEOs have to obey surveillance laws, big tech gets allowed to do bulk data collection without much in the way of limitation or regulation."
The difference is that LEOs observe people who do not know they are being observed and have no way to opt out. A judge has to agree that a suspect has almost certainly broken the law to a degree that warrants covert observation. Everyone can ultimately opt out of Google's data collection: don't use their devices. You agree to essential data being collected. Google chooses what that is.
Possibly why the "dumb-phone" market is surging at the moment. People opting out.
It's easier to apologize than ask for permission.
At least until those nasty multi-Billion Euro fines come along, but even those don't stop the abuses.
Few objected to US - UK Gov / Google / Microsoft / Meta / Apple et al pillaging of personal info. Now you've pretty much given up those rights for convenience. Getting them restored will take ten times the work of stopping it in the first place. Thank God the EU at least tries to keep them accountable.
"The only thing necessary for the triumph of evil is for good men to do nothing." - Edmund Burke.
China, Russia and North Korea are living examples of this. Where will you be in twenty years?
"Most countries have legislation covering lawful intercept that attempts to regulate things like wire taps"
Such things are trivial to add at the telco switch (including metadata loggers) - and more to the point they're normally very strictly controlled by legislation
This is overreach on steroids and it's utterly uncontrolled
I use a noroot firewall on my phone and have blocked these from connecting to the internet. I also use a feature phone for calls and texts precisely to prevent this sort of thing. It has the added benefit that in scam SMS with dodgy URLs if I accidentally click on the link it goes nowhere.
If the NSA want your call or text message logs they just will get them from the phone company because they are the NSA and that is what the NSA do, This is not google in bed with the NSA: this is google deciding that because they can't get the phone companies to go to bed with them (and who would want to go to bed with spotty googlers? not me) they will force themselves on their users, again and again. There is word for this.
Google is a more efficient and cheaper form of NSA. It does things that the NSA wishes it could do.
The problem is that when google finally fesses up, it ends up being, oh we didn't mean it, or it was collecting data for quality purposes, and is therefore never appropriately punished. The fines should increase exponentially (power of 2, say) for every offense.
Google is also a cheaper and more efficient way for the NSA, the FBI, the (corrupt and psychopathic) Met Police, or the Council Tax Office to inspect call and text message logs, rather than asking the phone companies.
It's one company, one point-of-contact and they have all the data about everyone.
Google has a special "law enforcement portal" where anyone with a government ID (hopefully with some clearance and relevance checks, but I wouldn't be surprised if there are none) can log in and get the God Mode access on anything they like.
I also doubt if there's a need for any old-fashioned wiretap warrants if you're not actually tapping any wires (you're just asking for a copy of a recording that has already been made)
>I also doubt if there's a need for any old-fashioned wiretap warrants if you're not actually tapping any wires
Certainly not that would be a terrible invasion of privacy. This is merely 'metadata', who you called, when you called them, who else that they called, which of your messages were passed on to who and so on - totally irrelevant metadata with no privacy implications whatsoever
But Google (along with other companies e.g. Microsoft for Teams, Amazon for Alexa) do store voice recordings, and use it for various purposes such as improving their language models. (This could include phone calls, if you happened to have call recording and google drive backup turned on on your android phone)
Would a (bent or otherwise) cop, or the NSA, need a specific wiretap warrant obtained from a judge, to download those from the Google law enforcement portal?
Also, I wouldn't say that the metadata that you mentioned is 'totally irrelevant with no privacy implications whatsoever'..!
How difficult would it be (for the NSA and Google) to take those MD5 hashes of text messages and crack them using a natural language model? If they crack one message, there are only a fairly small number of likely responses, (and the three most likely ones are often presented to you as 'quick reply options'!). If they crack a few in a row, then they can build their markov chain.
Google knows how you construct your sentences. And they know what you will (probably) say next.
And they could even improve their model incrementally, by predicting what the next MD5 hash will be.
Google is also a cheaper and more efficient way for the NSA, the FBI, the (corrupt and psychopathic) Met Police, or the Council Tax Office to inspect call and text message logs, rather than asking the phone companies.It's one company, one point-of-contact and they have all the data about everyone.
This would be nice for them if it was true. But it is not: there is Apple, there are non-smartphones, there are even probably Androidy phones which sterilise out the google toxins. There are numbers stations which any competent person will use (what, you still use that antique internet thing, shortwave, shortwave is future).
Any competent crime person will know which phone to choose.
If the NSA want your comms they must still talk to the phone companies.
Is just silly to assume google are doing this because of NSA: they are doing it because their business model is scraping layers from human souls and selling the rendered-down blood, flesh and bone to their customers and that has always been their business model and so what they do is scrape and scraoe because it is all they can do,
Yeah I don't think they are doing it because of the NSA. They are doing because they can make billions by tracking, modelling and manipulating every person on the planet that they can get their tentacles into. Just like Facebook, Amazon, Twitter, TikTok etc.
Even if you have an Apple phone or even /e/os, you will still have Google Firebase Analytics inside most of your apps etc. And apps don't come under the same cookie legislation that websites do.
But the NSA won't get much out of your phone company if you use WhatsApp for all your calls and text messages. But they might get something out of Facebook or Google, especially if you were silly enough to accept WhatsApp's default behaviour of saving all your messages unencrypted on your Google account.
My point wasn't that Google is snooping on everyone because the government told them to. It was more that The Governments (of the world) are snooping on everyone all the time now, because the tech companies like Google make it so easy for them to just tap into their handy APIs and portals.
> There are numbers stations which any competent person will use
Er, yes.. Funny definition of "any competent person" you have there. I wonder who you are working for... :P
>If the NSA want your call or text message logs they just will get them from the phone company because they are the NSA and that is what the NSA do
But that involves lots of paperwork if they are a French citizen in France (and so obviously an unpasteurised cheese eating threat to democracy) and a French phone company is likely to say Non (and shrug)
So it's easier if Google sell you a special government rate access all areas annual pass
No, it was the same programmer as the one from microsoft who also accidentally implemented the advertising code in that file explorer.
These programmers... They always move between jobs and employers. That is how all these accidents happen, you know. But some programmers are a little more accident-prone than others. Here we see an expert in both advertisement visualization and information gathering for direct targeting. I'm almost sure this guy is getting at least two paychecks each month.
I always thought the VW scandal began in a genuine way. Code was put there for debugging purposes and was never intended to run in a milestone test or final delivery.
But mistakes happen, and so a milestone test passed brilliantly, to the astonishment and delight of VW management. When the techies said, "Er, there's a problem here", the management answer was, "You are not going to be difficult about this, are you?".
I heard (it was on the Web) that the programmer studied what tests the cars would have to pass, then wrote engine management software which could detect those tests happening, and made sure the car passed them. This was as much reverse-engineering as cheating. There have been many court cases about such things.
The only way of stopping this sort of thing from happening again is fines levied on individuals: a sum about equal to 1 year's salary would be about right. This should be paid by the: programmers, their managers all the way to the top.
If it is a find paid by google then little will change.
Not fines. Jail terms
Some countries have done this as a C-level liabliity regarding certain corporate activities regardless of who actually does it within the company
The effect on company policies is..... encouraging (I recall getting a company-wide memo which started "As I have no desire whatsoever to face criminal charges over the actions of my employees, the following behaviours are utterly prohibited within this company and anyone found engaging in them will be instantly terminated without notice, regardless of whether the activities occur within or outside of employement hours")
"This very clearly violates the GDPR... intimate surveillance, undisclosed and therefore without opt-in (the legal requirement) let alone opt out"
Unfortunately, as this is all (according to the paper) personal information but not sensitive (special category) information, depending on the purpose for which the information collected is used the Legitimate Interest basis might potentially be arguable. That of course obviates any need to seek consent. One of the great weaknesses of the GDPR is the breadth of application that has allowed for the Legitimate Interest basis.
Two things that might trip them up though are the unavoidable requirement to agree to terms and conditions before seeing the privacy notice, and the general nature of the privacy notice that doesn't mention this telemetry specifically (again according to the paper).
Google is a multibillion dollar international internet advertising company. Stalking individuals is what they do. It is the job they have invented for themselves. Anyone with any sense has been shunning the slow-motion train-wreck that is now called alphagoo right from the git-go.
Two words about Google on this:
"Utter bastards".
There is simply nothing that they will not do to harvest data and make money. From my experience the Google Dialler is set as the default over anything that the phone manufacturer sets. If I have remembered correctly on my Sony, if you select a number in an email or web page, there is the option to use Google or Sony dialler but the default appears to be set as Google.
The way things have been going, they will pay nothing because something very bad has happened to the Irish Data Protection Commission. I imagine it looks like those science fiction shows where the terrible alien plague has left an area visibly undamaged but with every human instantly killed. At least that would explain how all the privacy risks under their jurisdiction continue completely unchecked. We may need GDPR 2.0 which is identical to the first version but says that any EU country can take any action named in the law, reserving none to the country in which the entity is based. It also has the benefits that many countries can assess their own 4% fines.
The thing that annoys me more than the fact that they just don't admit that they (US/UK) have more data on us than China have on their citizens is that with all this data why don't they just immediately go after all the Fiddlers & Glitters who communicate with each other, they have the data to link them but somehow leave it to under resourced cops to do that instead.
I'm all for privacy and abhor the fact that states spy on us citizens but its been happening for more than 50 years, they have the phone records, DNS records, IP src dst & port & time, mobile phone location details down to 3 meters plus all those pictures and videos we upload to the cloud plus face book & twitter & all the other socials I've never hear off.
I'd rather all agencies & nations just admit what data they have on us & when they've used our individual data and for what reason.
Yes most people won't like it but that's no reason to not tell people.
It’s amazing how this has been allowed to creep. I remember when Gmail launched (I’m getting so old!) but at the time everyone was a little edgy about the notion that Google would have access to your emails and potentially using them to pitch advertising to you, but then we all seemed to stop worrying and just gave them our data and continued to do so in ever broadening and depending ways.
We provide ludicrous amounts of personal data to some of these platforms, and it’s far from just Google, without thinking about it very much at all.
Over time we’ve become desensitised to not having an expectation of privacy and I would suspect it’s more a case of most people not understanding the potential consequences of that rather than not caring. The general public tend not to understand nebulous concepts like data protection, until something happens that impacts them in a tangible way, so we drift and drift further into this dystopian mess.
> it’s more a case of most people not understanding the potential consequences of that rather than not caring
Unfortunately it's really a case of "not caring".
I've talked a lot with people (otherwise intelligent, and even rather computer-literate) who are not only willing but even chose actively the less private solution, and the conclusion is that convenience trumps everything, every time, and Google knows how to be convenient...
I don't for one minute believe that Apple are any different. Their profit comes from hardware, services and advertising as well, they just have not been caught.
Because of the nature of the ecosystem it is a little more difficult to unpick what is going on.
So bluntly, none of these should be trusted, just because Apple appears to be more secretive does not mean the data is not being collect. Data is knowledge and power that can generate revenue. That we have no option but to provide it to use services or devices (although that distinction is blurring) even if it is not actually required, shows just how important the data is.
The evidence of their snooping and worse is there for everyone to see (if they take the blinkers off)
I gave limited my exposure to Google for almost 10 years. I'm now blocking close on 1,000 Google owned/operated domains at my firewall.
F U google.
You are the 51st state.
"I was surprised to see this data being collected by these Google apps," said Leith.
New to surveillance capitalism, I take it?
The entire Big Tech business model is based on the notion that any data they can observe is theirs to do with as they please. Like most Reg readers, I would've been far more surprised if Google did not secretly collect call and message logs.
The supposed changes that Google agreed to are basically 'Disclose it to users on page 387 of the Ferengi print so we can say we have consent,' and 'do a better job of hiding our data exfiltration going forward.'
E.g., "Halting the logging of call-related events in Firebase Analytics from both Google Dialer and Messages" =/= "Halting the logging of call-related events from both Google Dialer and Messages."
I only use an old GSM or landline for phone calls, but soon GSM will be switched off and landlines will be VOIP in the UK like the rest of the world.
I currently only use an Android phone for internet, but it has a reasonable Open Source firewall.
I don't trust new dumb phones which are mostly Google/Android underneath and I will not sell my soul to Apple instead.
I don't trust VOIP one inch, having been one of the early testers at a comms company last century, it is a just tailored for easy spam and hacking no matter how bad you think the old telecomms nettworks were.
When my current means of communication is not available I will probably be forced to use an Android phone using /e and possibly replace the landline with BT's own version of VOIP or another commercial version.
I am not looking forward to these changes - perhaps I should just handover my life to Google and the other crooks on the internet now and admit defeat.
My company installed Third Party software for anything Android.
Our 3/4/5G units don't even transmit hidden/secretive Baseband transmissions. And we have some units that don't even use SIMs! We also squeezed mechanical On/Off switches in our cases (requiring paperclip for operation).
Every technically-minded person should use an SDR to check out cellphone emissions.
Recently, I searched Google images for a topic and found a matching image. I was surprised to observe that its URL domain was https://encrypted-tbn0.gstatic.com/
I then copied path from the thumbnail results page and used Google's "Search by image" function using the URL and it returned a single match that turned out to be a PDF. Opening the file showed the image but it had been cropped when the PDF was designed (it was a marketing brochure). Whilst the Google copy was a thumbnail of the full size image.
So in its unrelenting indexing of everything it finds, it appears Google deconstructs PDFs into their constituent parts and catalogues them discretely.
:/
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
