Ireland’s new Covid-19 contact tracing app has been dealt a blow after researchers criticised its “intrusive data collection”, describing it as “troubling”.
Privacy experts have raised concerns over the app, which has been downloaded more than 1.4 million times since it was launched a number of weeks ago.
Now, researchers at Trinity College Dublin have said that user privacy is not adequately protected.
They examined the data transmitted to backend servers by contact tracing apps deployed by health authorities in a number of countries, including Ireland.
Their report described the Google Play Services component of these apps as “extremely troubling from a privacy viewpoint”.
Professor Doug Leith and Dr Stephen Farrell, at the School of Computer Science and Statistics at Trinity College Dublin, found that Google Play Services contacts Google servers roughly every 10-20 minutes, allowing fine-grained location tracking via IP address.
In addition, Google Play also shares the phone’s IMEI (International Mobile Equipment Identity), hardware serial number, SIM serial number, handset phone number and user email address with Google.
The researchers said this level of intrusiveness is “incompatible with a recommendation for population-wide usage”.
Their report says public governance urgently needs to be extended to the full contact tracing ecosystem.
The researchers said they made the Health Service Executive (HSE) aware of their findings and delayed publication to allow it time to respond.
Prof Leith said: “We found that the public health authority component of these apps generally shares little data and is quite private.
“However, on Android devices we found that the Google component of the apps is far from private and continuously shares a great deal of data with Google servers.
“This data includes the phone IMEI, hardware serial number, SIM serial number, handset phone number, the WiFi MAC address and approximate phone location.
“It’s hard to imagine a more intrusive data collection set-up and it’s obviously troubling.
“While there has been a great deal of public scrutiny of the public health authority component of these apps, including detailed data protection impact assessments and governance arrangements, there has been almost no public scrutiny of the Google/Apple component of the apps, and few governance measures put in place, despite the fact that it is the Google/Apple component which does most of the heavy lifting in the apps.
“We think that needs to change, and quickly, bearing in mind that these are public health apps sponsored by national governments and health authorities and have been installed by millions of people in good faith.”
Dr Farrell said: “If there were a European league of Covid tracing apps, Ireland might be near the middle of the table at the moment.
“Google, however, deserve a yellow card for the privacy-invasive way in which they seem to have implemented their part of the overall tracing system.”