Ireland’s Covid Tracker smartphone application is sharing information with Google at least every 20 minutes which could lead to location tracking, the Irish Examiner can reveal.
A new research paper released by the school of computer science and statistics at Trinity College Dublin details the information that is shared - which includes IP address, the handset’s IMEI (its unique identifier which can be used to block its usage), serial number, phone number, and email address - and describes the revelation as being “extremely troubling from a privacy viewpoint”.
There had been much discussion regarding the app’s potential impact on users’ privacy in advance of its launch on July 7 - however the HSE had insisted that the app is completely anonymous and does not track location data.
However, the HSE only controls the public health side of the app, with the exposure notification segment being administered by both Google and Apple via their Google/Apple Exposure Notification (GAEN) service.
It has also emerged that the HSE’s side of the app is collating information via the metrics it receives from users which could be used to link all requests sent from the same phone together, akin to a ‘cookie’ footprint left by a computer as it surfs the internet.
In its DPIA for the app the HSE had insisted that “IP addresses of users are never transmitted from the networking layer to the backend servers”.
The HSE said it welcomes “any research that will enable us to improve” the app. A spokesperson said it would work with code review groups “to ensure the integrity and security of the app through new releases as necessary”.
Google had not responded to a request for comment at the time of publication.
The Irish Council for Civil Liberties meanwhile described the newly-revealed data transfers as being “completely opaque - to users and the HSE themselves”.
“The HSE has been celebrated in Ireland and beyond for their transparent approach to developing the Covid Tracker app,” said Elizabeth Farries, director of information rights with the ICCL.
“However, Google Play Services represent a significant component of the app. Most people, even app developers, are unaware of this level of invasiveness,” she added.
Authors of the paper - entitled ‘What Data Is Shared By Europe’s GAEN Contact Tracing Apps’ - Douglas Leith and Stephen Farrell had previously demonstrated that the efficacy of the Bluetooth technology used by the Irish app for contact tracing is at best unreliable.
Professor Leith said that the revelation “goes way beyond the HSE contact-tracing app”.
“Given that governments and public health authorities are strongly encouraging their entire populations to use these apps, and hence are pressurising their entire populations to take part in this corporate surveillance, we think they should be telling Google to immediately fix this problem,” he said, further describing that “level of intrusiveness” as “simply incompatible with a recommendation for population-wide usage”.
On Android devices, which are used by roughly 40% of the Irish smartphone-owning population, the exposure notification protocol is housed within Google Play Services, a background app which administers all applications on those handsets.
Google Play Services automatically mandates the aforementioned data transfer as soon as it is enabled. Even if it were turned off for all other applications, the HSE’s Covid Tracker cannot function without it, thus rendering it “unavoidable for users of GAEN-based contact tracing apps on Android”, according to the research paper.
“This is not within the HSE’s control to fix however,” Dr Farrell said.
Google meanwhile told the researchers that the sharing of data using Google Play Services is an “industry practice” which can be turned off via a diagnostics setting - however doing so disables the contact tracing function.