Covid-19 tracker apps ‘extremely troubling’
Professor Doug Leith and Dr Stephen Farrell have co-authored a report which found that user privacy is not protected adequately in Covid-19 tracking apps, including the Irish tracker app that has been downloaded some 1.3 million times.
The research team examined what data was transmitted to backend servers by the applications that have been deployed by health authorities in Germany, Italy, Switzerland, Austria, Denmark, Spain, Poland, Latvia and Ireland.
Examining and evaluating user privacy, the resultant report concludes that the applications are “extremely troubling from a privacy viewpoint”.
The report says the applications consist of two separate components: a “client” app, which is managed by the national public health authority, and the Google/Apple Exposure Notification service, which, on Android devices, is part of Google Play Services. The researchers singled out the Google Play Services component of these apps as “extremely troubling”.
They report that Google Play Services contacts Google servers approximately every 10-20 minutes, allowing “fine-grained location tracking,” using the IP address. In addition, the report says Google Play also shares the phone IMEI, hardware serial number, SIM serial number, handset phone number and user email address with Google, together with “fine-grained data” on the apps running on the phone.
The researchers concluded this level of intrusiveness “seems incompatible with a recommendation for population-wide usage”.
“Extending public governance to the full contact tracing ecosystem, not just of the health authority client app component, therefore seems to be urgently needed if public confidence is to be maintained,” the researchers recommended in the report.
The report also emphasised the researchers had informed Google of the findings, delaying publication to allow for a response.
Having collaborated with the Health Service Executive (HSE) as the Irish app was being developed, the researchers also report having informed the HSE of their findings regarding the CovidTracker app and delayed publication to allow time for a response. They did the same for the developers of SmitteStop, Apturi Covid and ProteGO Safe.
“We looked at the network traffic between Europe’s Google/Apple API contact sharing apps and their backend servers,” said Prof Doug Leith, chair of Computer Systems, TCD. “This is the first study of its type on the privacy of contact tracing apps actually deployed in the “wild”. We found that the public health authority component of these apps generally shares little data and is quite private. However, on Android devices we found that the Google component of the apps is far from private and continuously shares a great deal of data with Google servers. This data includes the phone IMEI, hardware serial number, SIM serial number, handset phone number, the Wi-Fi MAC address and approximate phone location. It’s hard to imagine a more intrusive data collection setup and it’s obviously troubling.”
“While there has been a great deal of public scrutiny of the public health authority component of these apps, including detailed Data Protection Impact Assessments and governance arrangements, there has been almost no public scrutiny of the Google/Apple component of the apps, and few governance measures put in place, despite the fact that it is the Google/Apple component which does most of the “heavy lifting” in the apps. We think that needs to change, and quickly, bearing in mind that these are public health apps sponsored by national governments and health authorities and have been installed by millions of people in good faith.”
“We found that the Irish HSE app sets a type of “supercookie” that allows connections made by the same phone to be linked together over time. None of the other European apps do this and we recommend it be removed. Unlike most other apps the HSE app also encourages people to opt in to collection of metrics. That’s not necessarily a problem in itself but these metrics include a mix of operational and health-related data and we recommend that these different types of data be kept securely separate from one another so that access can be separately controlled. When first installed the HSE app uses Google’s SafetyNet service and so shares data with Google, including the phone hardware serial number. Most of the other European apps don’t do this (the Polish app is the exception) and we recommend the HSE app should avoid it too.”
“We also found that the Danish app fails to verify it is securely communicating with the correct server and so, for example, the act of uploading keys following a positive test phone call might be logged by an employer’s network security devices. We recommend that they fix this and also that they make their app open source (only the Danish and Latvian apps are closed source). We also found the Latvian and Polish contact tracing apps make use of Google’s Firebase service and so share data with Google. We recommend that this be discontinued,” concluded Prof Leith.
“If there were a European league of Covid-19 tracing apps, Ireland might be near the middle of the table at the moment,” said Dr Stephen Farrell, senior research fellow, School of Computer Science and Statistics, TCD. “Google, however, deserve a yellow card for the privacy-invasive way in which they seem to have implemented their part of the overall tracing system.”
The report concludes that the level of intrusiveness of the tracker apps “seems incompatible with a recommendation for population-wide usage”.
It goes on to say it is also incompatible with a statement from Google:
“We understand that the success of this approach depends on people feeling confident that their private information is protected. The Exposure Notifications System was built with your privacy and security central to the design. Your identity is not shared with other users, Google or Apple.”
The report goes on to say: “We note the health authority client app component of these contact tracing apps has generally received considerable public scrutiny and typically has a Data Protection Impact Assessment, whereas no such public documents exist for the GAEN component of these apps. Extending public governance to the full contact tracing ecosystem, not just of the health authority client app component, therefore seems to be urgently needed if public confidence is to be maintained.”