Back in April 2020, Big Tech firms Apple and Google released their frameworks for contact tracing in an effort to help governments track the coronavirus. When the frameworks were released, both the firms vehemently promised that user data, including their location information and data of whom all they’ve come in contact with, would remain private.
But the recent findings by a privacy analysis firm revealed otherwise.
Both Google and Apple stated that the data users share through their frameworks would be anonymized and shared with public health agencies only. Here’s what Google CEO Sundar Pichai said about the tool last year. “Our goal is to empower with another tool to help combat the virus while protecting user privacy.”
Banking on the promises made by the Big Tech firms, several million users ended up downloading apps built on the frameworks developed by Apple and Google.
The UK’s National Health Service app, Canada’s Digital Service COVID Alert app, and Virginia’s Department of Health’s COVIDWISE app were all built on the frameworks provided by Apple and Google.
While the NHS app has more than 15 million users, Canada’s COVID Alert app had over six million downloads in January alone.
Based on what the researchers at AppCensus, a privacy analysis firm, state, there was a privacy flaw in the Android version of contact tracing tools. What’s more, the researchers at AppCensus even ended up informing Google about it, but to no avail.
The co-founder and forensics lead of AppCensus, Joel Reardon, talking about the privacy flaw, said: “This fix is a one-line thing where you remove a line that logs sensitive information to the system log. It doesn’t impact the program, it doesn’t change how it works.”
Furthermore, Reardon also states that it was an “obvious fix” and how Google couldn’t see it so.
According to Reardon, the primary issue was with the fact that pre-installed system apps such as Samsung Browser on Samsung’s Android devices or MotoCare on Motorola’s Android devices can access sensitive, private information stored in system logs by contact tracing apps.
Although Google dismissed AppCensus’s concerns initially, it did comment on the issue and stated that the problem was going to be fixed. “We were notified of an issue where the Bluetooth identifiers were temporarily accessible to specific system-level applications for debugging purposes, and we immediately started rolling out a fix to address this,” said a Google spokesperson recently, as reported by The Markup.