Does existing Android feature really threaten privacy of contact-tracing apps?
A study has flagged potential privacy concerns for contact-tracing-app users on Android, but is it a new concern?
By international standards, the Covid Tracker Ireland app – with more than 1.3m downloads and a model that could go global thanks to the Linux Foundation – can be considered a great success. The app, developed by Waterford-based Nearform, was built on the decentralised Google/Apple Exposure Notification (GAEN) API put forward as the most secure option when it comes to data privacy.
Yet recent findings published by Trinity College Dublin researchers Prof Doug Leith and Dr Stephen Farrell suggested that this is not the case when it comes to Android devices. They found that while app developers and health authorities have done a reasonable job in ensuring anonymity for the user, Google Play Services is “extremely troubling” from a privacy perspective.
What did they find and is this a new feature?
The short answer is that this is not a new discovery and has been flagged as a privacy concern in Android phones for years. However, this latest study is one of the first to analyse Google Play Services from the perspective of GAEN-based contact-tracing apps.
All GAEN contact-tracing apps on Android devices must be downloaded through the Google Play Store and connected to Google Play Services. This allows the app to be updated when changes become available in the phone’s operating system or are made by the app’s developers.
However – as with any other app connected to Google Play Services – contact is made with Google servers at least every 20 minutes to share data including the phone IMEI, hardware serial number, SIM serial number, handset phone number and a Gmail address.
“This level of intrusiveness seems incompatible with a recommendation for population-wide usage,” the researchers wrote. “We note the health authority client app component of these contact tracing apps has generally received considerable public scrutiny and typically has a data protection impact assessment, whereas no such public documents exist for the GAEN component of these apps.”
While Android users can, in theory, opt to turn off Google Play Services, users of the Covid Tracker Ireland app and other national apps cannot turn it off if they want the contact-tracing element of an app to work. Google has said in the past that limiting its access to Google Play Services will affect how key aspects of the device function overall. This means the collection and use of this data is unavoidable for people who wish to use the app.
Critics of the study have argued it potentially threatens the success of contact-tracing apps by raising existing privacy concerns that apply to all apps using Google Play Services, rather than just GAEN apps.
How has Google responded?
Speaking to Siliconrepublic.com, a Google spokesperson said: “In keeping with our privacy commitments for the GAEN API, Google does not receive information about the end user, location data or information about any other devices the user has been in proximity of.”
Meanwhile, responding to the two researchers in the study, Google said: “We understand that the success of [contact-tracing apps] depends on people feeling confident that their private information is protected. Your identity is not shared with other users, Google or Apple.”
Google and Apple claim to have received feedback from hundreds of conversations with health authorities, NGOs, academics, government officials and privacy experts in dozens of countries prior to the launch of their API. They also continue to speak to researchers about flagged aspects of Android where its security and design could be improved.
Were there any new findings on the Covid Tracker Ireland app?
This most recent research was focused on the GAEN aspect of all contact-tracing apps as opposed to just Covid Tracker Ireland or any other state-approved app. However, while noting that the public health authority component of these apps “generally share little data” and are “quite private”, Leith warned that the Irish app contained a type of ‘supercookie’.
This allows connections made by a phone to be linked together with other devices over time. It was not found on any other European contact-tracing app, and Leith called for it to be removed. The researchers also pointed to other vulnerabilities in apps in Denmark, Latvia, Poland and elsewhere.
Farrell, as co-author of the study, commented: “If there were a European league of Covid tracing apps, Ireland might be near the middle of the table at the moment. Google however deserve a yellow card for the privacy-invasive way in which they seem to have implemented their part of the overall tracing system.”
In a statement, the HSE stressed that this research was focused on the GAEN aspect of contact-tracing apps, rather than the Covid Tracker app itself.
“It has been globally accepted that the GAEN API is the best, most privacy preserving and universally accessible solution to the immediate challenge we are faced with by Covid-19 to support contact tracing with digital technology,” it said.