
Google’s Private Data Retention

Published on 01.07.2016

Google apparently stores phone numbers, calling-party numbers, duration of calls, and much other telephony metadata when people place and receive calls using Android phones. Peter Schaar, former German federal commissioner for data security, has severe doubts that this practice is legal and asks for the EU commission to step in immediately.

Yesterday, we reported (German language article only) that Google in its privacy policy informs Android users that “When you use our services or view content provided by Google, we automatically collect and store certain information in server logs. This includes: […] telephony log information, such as your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.”

What specific data Google stores is not clear since it is encrypted on the Android device. We did find out though that immediately after a call was made the phone established a connection to Google’s servers and transmitted data.

A spokesperson for Google Germany did not answer questions concerning which data the company collects and why. He did claim that Google has the right to store the data based on the consent given by Android users, who need to accept Google’s privacy policy to be able to use Android. Peter Schaar, former German federal commissioner for data security and chairman of the ARTICLE 29 Data Protection Working Party of the EU, says this is not the case and Google’s practices may even violate fundamental rights.

 

mobilsicher.de: Mr Schaar, Google says it stores “telephony log information, such as your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls” when making phone calls using an Android device. Data protection rules allow users to agree with informed consent to data storage and processing by private companies. Fair enough?

Schaar: Not at all. Companies need either a legal authority or consent if they want to process personal data. In this case, I do not see a legal basis for the comprehensive processing of the data concerned. Data may be used if it is necessary to establish a connection. To do this, it need not be transferred to a Google server.

At the same time I see no valid consent to a general transmission of the data to Google. Firstly, most users do not expect that all of their personal data and that of the calling-party is stored by Google. This absence of clarity means that a general transmission of data cannot be justified.

Additionally, consent means a “freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” We can hardly assume this consent here if the alternative to consent is that you cannot use your phone to make calls in case you don’t agree that all this data ends up on Google’s servers.

mobilsicher.de: What about the fact that Google says it stores the data of people calling Android phones, not using Android phones themselves?

Schaar: If that is really the case, it's just another reason why this alleged agreement cannot be effective. We’re talking about third-party data here. It is evident that I cannot effectively consent to Google storing data of a third party, say someone who calls me or someone I call from an Android phone.

mobilsicher.de: So if we cannot assume effective consent, what then?

Schaar: That depends on which data is collected and processed. Do you know what Google collects?

mobilsicher.de: No, we could not yet find out, because the data is encrypted on the device. Data is being transferred, but we do not know which. When asked what data they collect, Google declined to answer.

Schaar: If Google really collects all the traffic data generated by a call this would violate privacy regulations. It might even be a criminal offense. It must be examined to what extent Google is bound to the secrecy of telecommunications, given that the company is party to providing telecommunications services. In that case the data processing without a legal basis could be a criminal offense. In addition, it needs to be clarified if data is illegally processed for commercial purposes without the knowledge of the data subject. That could constitute a criminal privacy violation under German law.

mobilsicher.de: What does all this mean for users?

Schaar: Google has an obligation to immediately tell us what data it stores, for what purpose, for how long it stores the data, where it is stored and how it is used. This is the only way the company can counter accusations that this – again – is an enormous breach of users’ trust.

Using piecemeal tactics, conceding only what can no longer be denied, as has been the case in the covert acquisition of wireless data as part of the Street View programme, would be unbearable. The issue here has a new, much larger dimension. We’re talking about the secrecy of telecommunications here, not – as in the Wi-Fi scan case – about signals that everyone could have collected in the streets.

If it turns out Google actually learns about who calls whom when and for how long, this would have further consequences. German law provides for privileged communications of certain professions that are bound to secrecy: doctors, employees of addiction counselling centres, lawyers and social workers.

They would be liable to prosecution if they disclose protected information without authorization to third parties. So if Google should learn about the communication between a patient and a doctor because the doctor uses an Android phone, the doctor can be accused of committing an unlawful disclosure. Lawyers, doctors, priests and journalists could not legally use Android phones any more.

mobilsicher.de: So who needs to step up now?

Schaar: This is an issue for the data protection authorities - not just in Germany. We have to find out which data has actually been processed. If it is true what you suspect, based on the available information, this would entail a dimension that also needs the EU Commission to step up.

Google has a very strong, possibly dominant position in the smartphone market with its Android operating system. This is the reason why the European Commission is investigating Google in an antitrust case. If Android is used to collect confidential data of European citizens and transmit it to the US, then this could constitute a violation of fundamental rights.

We also need to take into account the on-going discussion about Safe Harbor and Privacy Shield, regulating the transmission of data to the US. The EU Commission must get a clear picture of what is happening here as soon as possible. Moreover, US authorities need to get into the game, the Federal Trade Commission in particular.

The author

Matthias Spielkamp

E-mail: m.spielkamp@mobilsicher.de

PGP key: 0x2E968D2EA92D8822

Fingerprint: D6DF 3C0E 2F0A 3EC6 1FE0 BA54 2E96 8D2E A92D 8822

Matthias Spielkamp is managing editor at mobilsicher.de. He has long reported on topics at the intersection of law and digitalisation and has been trying for 15 years to convince people to encrypt their e-mails.
