Covid Tracker app throws spotlight on Google data harvesting

Data privacy campaigners raise concerns around Google Play Services

Google found itself back in the spotlight last week when research into a number of coronavirus contact-tracing apps conducted by researchers at Trinity College highlighted privacy concerns around the Android system.

While the apps themselves, including the Health Service Executive's Covid Tracker Ireland app, were broadly sticking to privacy guidelines, the researchers found a surprising amount of data was being communicated from Android systems in the background.

The issue, the researchers said, wasn’t the apps themselves, but rather highlighted the data that was gathered by the Android operating system.

But, given that governments are encouraging citizens to download and use the apps, they are calling for Google to take action to stop what one of the report’s authors described as “extremely troubling” activity from a privacy point of view.


So what exactly is going on?

What is Play Services?

If you have an Android phone, there’s a high chance you already use Google Play Services. It’s an integral part of the underlying Android platform, connecting everything together.

Google introduced Play Services to the Android system in 2012. Back then, it was only used for access to the Google+ programming interface and authorisation protocol OAuth 2.0. Since then, however, it has expanded to include a lot more, and now covers all Google Services – Maps, Gmail, health services built into your phone, Google Home for your smart home devices, Family Link for watching your child’s online activity on their Android device . . . the list is extensive.

It is intended to make everything on the Android system run a little smoother. But like most things in life, that convenience costs.

Google Play Services requires extensive permissions to access the sensors on your phone. From body sensors, location and physical activity data to call logs, your calendar and storage, Play Services needs access to them all to allow your smartphone to work as you expect.

If you want to download an app from the Play Store, you need Google Play Services to do so – and the most up to date version of the app at that.

The service usually updates itself in the background, so you never even know it is running – and that’s the point. It is designed to be an invisible part of your phone, keeping things ticking over.

What else does it do?

Play Services gathers data in the background and sends it to Google at regular intervals. The data includes the phone’s IP address, WiFi MAC address, IMEI number, SIM serial number, phone number and Gmail address.

It can also pick up other data from apps on your phone, such as banking, dating or health apps, generally around how you are using the apps.

Industry sources say that gathering such data is standard for ensuring users have the most up-to-date software on their devices. And Google says it anonymises data it takes from your phone, so users couldn’t be identified. For many people, this isn’t a problem; it’s just another one of the trade-offs we have decided to make to gain access to certain services.

Experts, however, take a different view.

“What we are looking at here is the data Google processes for all apps effectively, and what can be inferred from it,” Castlebridge’s Daragh O’Brien said. “What this is exposing is the way Google does business with the Android operating system, and the type of data they get.

“The key question is how transparent that is, and are people aware of the level of data that is exchanged with Google using Android.”

Can I disable it?

In a way, yes, but don’t expect your phone to behave as it usually would. You can deny Google Play Services access to the different permissions through the Settings>Apps and Notifications and scroll down to Google Play Services.

However, disabling Google Play Services means key parts of the operating system will not work. Maps no longer allows you access. Google Drive won’t even open. The Play Store can’t start. Your phone will keep popping up reminders to enable Google Play Services or else; it’s a mess of notifications.

The Trinity study also found that disabling Google Play Services didn’t necessarily stop the data from being gathered, but it does mean that Google cannot use the information for any purposes.

Why the focus on the Covid Tracker Ireland app?

The current pandemic has thrown our privacy and the role played by the big tech companies into focus. Until Google and Apple said they would develop the exposure notifications application programming interface (API) that would allow public health apps to use bluetooth beacons in the background, developers were facing a problem with accuracy, battery drain and getting the apps to work effectively.

It was a particular issue for iOS, which did not allow bluetooth to function as both a transmitter and receiver while the app was running in the background.

That meant keeping the app – and the phone's screen – active at all times, and as Nearform's Colm Harte previously told The Irish Times, that was causing issues.

Without the co-operation of the tech companies, the apps just didn’t work as well as they should. So the release of the Exposure Notifications API to developers helped the cause significantly.

However, that dependence has raised some alarm bells with privacy groups. The Irish Council for Civil Liberties said it had flagged concerns with the previous minister for health, Simon Harris. The organisation has also pushed for transparency from the big tech firms on how their Covid-tracking software works.

Both Google and Apple have pledged to protect user privacy for those using Exposure Notifications on their phone, barring the apps from accessing location data through the handsets’ GPS functions, and the companies themselves say they have no access to the app’s data.

Privacy commitments

“In keeping with our privacy commitments for the Exposure Notification API, Apple and Google do not receive information about the end user, location data, or information about any other devices the user has been in proximity of,” a spokesperson said.

So does that mean there is a problem? It depends on how you look at things.

Regardless of whether you were using the Covid Tracker Ireland app or not, Google Play Services would be gathering the same data in the background once it is enabled. It is not the app sending the data, but Google Play Services. If you delete the Covid Tracker Ireland app but continue to use the Google Play Store or Google Maps, that data flagged by the Trinity researchers will continue to be collected.

But if you have the app downloaded and just disable Google Play Services, it will fundamentally undermine the purpose of the app as contact tracing will not work in your case.

Data privacy experts have made clear that the issue is not the HSE app itself. The Covid Tracker Ireland app is probably one of the most scrutinised apps on your phone. There are few developers that make the source code available for examination to the development community at large, but the HSE has done so, giving researchers the chance to look at it in depth before it was released. The HSE also published the Data Protection Impact Assessment that was carried out on the app.

The bluetooth IDs that are randomly assigned to your phone and frequently swapped to protect your privacy are locked away from the Android operating system. That data only leaves your phone if you consent to it, and it is inaccessible to Google regardless.

What the Android system may be taking is information on how you use your phone, not just the Covid Tracker app. So it knows that the app is installed, because you downloaded it through the Play Store. But it cannot get access to that list of bluetooth IDs. If you are unlucky enough to get a positive test for coronavirus, that information is sent straight to the HSE servers.

In turn, the Covid Tracker app – and by extension, the public health authorities – cannot access the data that Google is harvesting through Play Services. That means you stay anonymous to the Covid Tracker Ireland app.

‘Pause’ button

But if you want to stop Google gathering that data, you need to turn off Play Services. And without Play Services, the exposure notification API that the Covid Tracker Ireland App depends on will not work.

The Trinity researchers behind the study aren’t trying to discourage people from using the Covid Tracker Ireland app. They are trying to highlight the data gathering that goes on outside the app, and in particular how frequently the data is sent back to Google’s servers.

"We agonised over this. We sat on this for three weeks and talked to Google and the HSE," said Prof Doug Leith, one of the authors of the report. He uses an Android phone himself, but leaves Play Services disabled. He was hopeful that Google could build in a "quiet" button, that would allow users to pause the data being communicated with Google's services. That would solve one issue for users, and allow them to use the Covid Tracker Ireland app without worrying about what data was being gathered by the phone.

“There’s an obvious risk of harm here, if the app does work. We were worried about that and didn’t lightly release the information,” he said.

It is also hard to know exactly what is being communicated with Google’s servers, as the information is encoded.

So what is the solution? Castlebridge’s Daragh O’Brien suggests that Google might take another look at what data it collects from different apps, and perhaps have different policies for apps that handle more sensitive data, such as health and dating apps. That ties in with the “quiet” button suggested by Prof Leith.

Transparency from the tech companies is key to alleviating any worries here.

"The HSE has been celebrated in Ireland and beyond for its transparent approach to developing the Covid-tracker app. However, Google Play Services represent a significant component of the app which is completely opaque – to users and the HSE themselves," Elizabeth Farries, director of the Information Rights programme at Irish Council for Civil Liberties , said.

“Most people, even app developers, are unaware of this level of invasiveness. Without the independent research of these TCD scientists, members of the public would not have known that Google is capturing via dragnet significant personal information of all Android app users – with or without the Covid Tracker app.”