Covid-19 tracking app sharing possible location data with Google
Irelandâs Covid Tracker smartphone application is sharing information which could lead to location tracking with Google at least every 20 minutes, the Irish Examiner can reveal.
A new research paper released by the school of computer science and statistics at Trinity College Dublin details the information that is shared - which includes IP address, the handsetâs IMEI (its unique identifier which can be used to block its usage), serial number, phone number, and email address - and describes the revelation as being âextremely troubling from a privacy viewpointâ.
There had been much discussion regarding the appâs potential impact on usersâ privacy in advance of its launch on July 7 - however the HSE had insisted that the app is completely anonymous and does not track location data.
However, the HSE only controls the public health side of the app, with the exposure notification segment being administered by both Google and Apple via their Google/Apple Exposure Notification (GAEN) service.
It has also emerged that the HSEâs side of the app is collating information via the metrics it receives from users which could be used to link all requests sent from the same phone together, akin to a âcookieâ footprint left by a computer as it surfs the internet.
In its DPIA for the app the HSE had insisted that âIP addresses of users are never transmitted from the networking layer to the backend serversâ.
The HSE said it welcomes âany research that will enable us to improveâ the app. A spokesperson said it would work with code review groups âto ensure the integrity and security of the app through new releases as necessaryâ.
Google had not responded to a request for comment at the time of publication.
The Irish Council for Civil Liberties meanwhile described the newly-revealed data transfers as being âcompletely opaque - to users and the HSE themselvesâ.
âThe HSE has been celebrated in Ireland and beyond for their transparent approach to developing the Covid Tracker app,â said Elizabeth Farries, director of information rights with the ICCL.
âHowever, Google Play Services represent a significant component of the app. Most people, even app developers, are unaware of this level of invasiveness,â she added.
Authors of the paper - entitled âWhat Data Is Shared By Europeâs GAEN Contact Tracing Appsâ - Douglas Leith and Stephen Farrell had previously demonstrated that the efficacy of the bluetooth technology used by the Irish app for contact tracing is at best unreliable Professor Leith said that the revelation âgoes way beyond the HSE contact-tracing appâ.
âGiven that governments and public health authorities are strongly encouraging their entire populations to use these apps, and hence are pressurising their entire populations to take part in this corporate surveillance, we think they should be telling Google to immediately fix this problem,â he said, further describing that âlevel of intrusivenessâ as âsimply incompatible with a recommendation for population-wide usageâ.
On Android devices, which are used by roughly 40% of the Irish smartphone-owning population, the exposure notification protocol is housed within Google Play Services, a background app which administers all applications on those handsets.
Google Play Services automatically mandates the aforementioned data transfer as soon as it is enabled. Even if it were turned off for all other applications, the HSEâs Covid Tracker cannot function without it, thus rendering it âunavoidable for users of GAEN-based contact tracing apps on Androidâ, according to the research paper.
âThis is not within the HSEâs control to fix however,â Dr Farrell said.
Google meanwhile told the researchers that the sharing of data using Google Play Services is an âindustry practiceâ which can be turned off via a diagnostics setting - however doing so disables the contact tracing function.
CONNECT WITH US TODAY
Be the first to know the latest news and updates
