RESEARCHERS have raised concerns that data concerning Android users who have downloaded Covid-19 tracing apps is not being adequately protected.
A report by Prof Doug Leith and Dr Stephen Farrell, at Trinity College Dublin, has found Android users may be vulnerable to having their information shared due to a Google Play Services component of the apps.
The researchers described this as “extremely troubling from a privacy viewpoint” after discovering that Google Play Services contacts Google servers roughly every 10-20 minutes, “allowing fine-grained location tracking via IP address”.
Prof Leith, Chair of Computer Systems at Trinity College Dublin, said the contact-tracing apps for Android phones are “far from private”.
“This is the first study of its type on the privacy of contact tracing apps actually deployed in the 'wild'. We found that the public health authority component of these apps generally shares little data and is quite private.
“However, on Android devices we found that the Google component of the apps is far from private and continuously shares a great deal of data with Google servers.”
The report examines data transmitted to back-end servers by contact tracing apps deployed by health authorities in Germany, Italy, Switzerland, Austria, Denmark, Spain, Poland, Latvia and Ireland.
The researchers explained that the apps consist of two separate components: a “client” app managed by the national public health authority and the Google/Apple Exposure Notification service, which, on Android devices, is part of Google Play Services.
They found Google Play also shares the phone IMEI, hardware serial number, SIM serial number, handset phone number and user email address with Google, together with fine-grained data on the apps running on the phone.
Dr Farrell and Dr Leith have deemed the app to be “incompatible with a recommendation for population-wide usage”.
They say the Irish app sets a type of “supercookie” that allows connections made by the same phone to be linked together.
The experts said other European apps do not do this and are recommending that it be removed.
Prof Leith added: "Unlike most other apps the HSE app also encourages people to opt in to collection of metrics. That’s not necessarily a problem in itself but these metrics include a mix of operational and health-related data and we recommend that these different types of data be kept securely separate from one another so that access can be separately controlled.
"When first installed the HSE app uses Google's SafetyNet service and so shares data with Google, including the phone hardware serial number. Most of the other European apps don’t do this (the Polish app is the exception) and we recommend the HSE app should avoid it too.
"We also found that the Danish app fails to verify it is securely communicating with the correct server and so, for example, the act of uploading keys following a positive test phone call might be logged by an employer's network security devices.
"We recommend that they fix this and also that they make their app open source (only the Danish and Latvian apps are closed source). We also found the Latvian and Polish contact tracing apps make use of Google’s Firebase service and so share data with Google. We recommend that this be discontinued."
Prof Leith and Dr Farrell say they informed Google, the Health Service Executive (HSE) and the developers of SmitteStop, Apturi Covid and ProteGO Safe of the findings and delayed publication to allow them to respond.
Dr Farrell said if there were a European league of Covid-19 tracing apps, "Ireland might be near the middle of the table at the moment," but that Google "deserve a yellow card for the privacy-invasive way in which they seem to have implemented their part of the overall tracing system."
In a statement responding to the researchers' claims, the HSE said it welcomes any evidence-based research and opportunities to improve the app, adding that "it is also very important not to conflate issues noted by researchers with how Google or Apple enable all their users’ apps through their stores, with the functionality of the HSE’s COVID Tracker app."
The HSE said that the app "puts users’ privacy and security first and foremost."
It added: "We have been guided by feedback from the Data Protection Commission on Data Protection throughout development of the app. The data processors are listed in the DPIA. We have and will continue to take this advice to ensure the app is compliant with European data protection legislation.
"Google and Apple have provided assurances to governments and health services around the world that they do not have access to personal data through the Exposure Notification System that they co-developed. They have further committed to decommission this functionality once the pandemic is over."
A spokesperson for Google said: "In keeping with our privacy commitments for the Exposure Notification API, Google does not receive information about the end user, location data, or information about any other devices the user has been in proximity of."