Does existing Android feature threaten privacy of contact-tracing apps?

27 Jul 2020

The Covid Tracker Ireland app. Image: Luke Maxwell/Siliconrepublic.com

A study has flagged potential privacy concerns for contact-tracing app users on Android, but is it a new concern?

By international standards, the Covid Tracker Ireland app – with more than 1.3m downloads and a model that could go global thanks to the Linux Foundation – can be considered a success. The app, developed by Waterford-based Nearform, was built on the decentralised Google Apple Exposure Notification (GAEN) API that was put forward as the most secure option when it comes to contact-tracing and data privacy.

Yet recent findings published by Trinity College Dublin researchers Prof Doug Leith and Dr Stephen Farrell suggested that there may still be privacy concerns when it comes to using GAEN-based apps on Android devices.

While app developers and health authorities have done a reasonable job in ensuring anonymity for the user, they said, Android users must have another app, Google Play Services, running in the background for these contact-tracing apps to work. The way that Google Play Services sends personal data to Google is “extremely troubling” from a privacy perspective, they added.

What did they find and is this a new feature?

The short answer is that this is not a new discovery and has been flagged as a privacy concern in Android phones for years. However, this latest study is one of the first to analyse Google Play Services from the perspective of GAEN-based contact-tracing apps.

All GAEN contact-tracing apps on Android devices must be downloaded through the Google Play Store and connected to Google Play Services. This allows for the app to be updated once any changes are made by developers and available in the phone’s operating system.

However – as with any other app connected to Google Play Services – contact is made with Google servers at least every 20 minutes to share data, including the phone IMEI, hardware serial number, SIM serial number, handset phone number and a Gmail address.

“This level of intrusiveness seems incompatible with a recommendation for population-wide usage,” the researchers wrote.

“We note the health authority client app component of these contact-tracing apps has generally received considerable public scrutiny and typically has a data protection impact assessment, whereas no such public documents exist for the GAEN component of these apps.”

While Android users can, in theory, opt to turn off Google Play Services, users of the Covid Tracker Ireland app and other similar apps cannot turn it off if they want the contact-tracing element to work. Google has said in the past that limiting access to Google Play Services will affect how key aspects of apps function overall. This means the collection and use of this data is unavoidable for people who wish to use the app.

Critics of the study have argued it potentially threatens the success of contact-tracing apps by raising existing privacy concerns that apply to all apps using Google Play Services, and not just GAEN apps.

How has Google responded?

Speaking to Siliconrepublic.com, a Google spokesperson said: “In keeping with our privacy commitments for the GAEN API, Google does not receive information about the end user, location data or information about any other devices the user has been in proximity of.”

Meanwhile, responding to the two researchers of the study, Google said: “We understand that the success of [contact-tracing apps] depends on people feeling confident that their private information is protected. Your identity is not shared with other users, Google or Apple.”

Google and Apple claim to have received feedback from hundreds of conversations with health authorities, NGOs, academics, government officials and privacy experts in dozens of countries prior to the launch of their API. Google also continues to speak to researchers about aspects of Android that are flagged and that could improve its security and design.

Were there any new findings on the Covid Tracker Ireland app?

This most recent research was focused on the GAEN aspect of contact-tracing apps, rather than just Covid Tracker Ireland or any other state-approved app. However, while noting that the public health authority components of these apps “generally share little data” and are “quite private”, Leith warned that the Irish app contained a type of ‘supercookie’.

This supercookie allows connections made by a phone to be linked together over time, and it was not found in any other European contact-tracing app. The researchers also pointed to other vulnerabilities in apps in Denmark, Latvia, Poland and elsewhere.

Farrell, co-author of the study, commented: “If there were a European league of Covid tracing apps, Ireland might be near the middle of the table at the moment. Google however deserve a yellow card for the privacy-invasive way in which they seem to have implemented their part of the overall tracing system.”

In a statement, the HSE stressed that this research was focused on the GAEN aspect of contact-tracing apps, rather than the Covid Tracker Ireland app itself.

“It has been globally accepted that the GAEN API is the best, most privacy preserving and universally accessible solution to the immediate challenge we are faced with by Covid-19 to support contact tracing with digital technology,” the HSE said.

Colm Gorey was a senior journalist with Silicon Republic