21 July 2020
Experts have today raised the alarm about serious privacy and data harvesting concerns related to Google Play Services. This software component must be running on the phones of all Android users who wish to use the Covid-19 contact-tracing app rolled out in Ireland. It is also turned on by default on almost all Android phones.
Professor Douglas Leith and Dr Stephen Farrell, of Trinity College Dublin, have discovered that Google Play Services sends highly sensitive personal data to Google servers every 20 minutes and this potentially allows for IP address-based location tracking of the phone user. Even where users turn Google Play Services off, data is still collected, possibly in contravention of GDPR.
While Android users can, in theory, opt to turn off Google Play Services, users of the Covid-19 contact-tracing app in Ireland cannot turn the surveillance off if they want the contact-tracing app to work. This means the collection and use of this data is unavoidable for people who wish to use the app.
The data shared includes long-term, unchangeable identifiers of the phone users, including their phone’s IP address, WiFi MAC address, International Mobile Equipment Identity (IMEI) number, SIM serial number, phone number and Gmail address, as well as fine-grained data from other, potentially sensitive apps, such as banking, dating or health apps. This is data which, when considered together, has the potential to draw a very detailed map of our lives and activities.
The two scientists made the discovery while examining the privacy of the Google/Apple Exposure Notification (GAEN) service, the technology which allows public health contact-tracing apps, including that of the HSE, operate across both Android phones and iPhones.
Professor Leith commented:
“This is extremely troubling from a privacy viewpoint, and of course it goes way beyond the HSE contact-tracing app. But given that governments and public health authorities are strongly encouraging their entire populations to use these apps, and hence are (wittingly or not) pressurising their entire populations to take part in this corporate surveillance, we think they should be telling Google to immediately fix this problem. This level of intrusiveness is simply incompatible with a recommendation for population-wide usage.”
Elizabeth Farries, Director of the Information Rights programme at ICCL commented:
“The HSE has been celebrated in Ireland and beyond for its transparent approach to developing the Covid-tracker app. However, Google Play Services represent a significant component of the app which is completely opaque – to users and the HSE themselves. Most people, even app developers, are unaware of this level of invasiveness. Without the independent research of these TCD scientists members of the public would not have known that Google is capturing via dragnet significant personal information of all Android app users – with or without the Covid Tracker app.”
ICCL flagged concerns about transparency surrounding Google and Apple’s involvement in the HSE app in person with the previous Minister for Health. In our submission to the COVID-19 Oireachtas Committee, we also said the Government must “push for international companies such as Apple and Google to be completely transparent about how their Covid-tracking software works”.
The Irish Council for Civil Liberties is Ireland’s oldest independent human rights campaigning organisation. We monitor, educate and campaign to secure human rights for everyone in Ireland.
Read the nine principles for the contact-tracing app developed by ICCL and our colleagues here: https://www.iccl.ie/news/data-protection-experts-publish-human-rights-principles-for-contact-tracing-app/
Find our joint submission to the Oireachtas COVID-19 Committee here:
Olga Cronin, Policy Officer, ICCL, firstname.lastname@example.org
Dr Stephen Farrell, Research Fellow, School of Computer Science and Statistics, Trinity College Dublin, email@example.com
For media queries: Sinéad Nolan: firstname.lastname@example.org 087 4157162