The Irish Council for Civil Liberties says that there are “serious concerns” about the underlying technology on Android phones for the HSE’s Covid-19 contact tracing app, according to privacy campaigners.
The app, which has been downloaded by almost 1.4 million people, was broadly welcomed by privacy experts for its approach to contact tracing. The source code has been made available for public viewing and the app relies on bluetooth rather than the more invasive location services.
However, for the app to run on Android phones, users must have another app, Google Play Services, running in the background which two Trinity College researchers say sends sensitive personal data to Google and allows for location tracking of users.
This app is turned on by default on Android phones. While it can be disabled, the Irish Council for Civil Liberties says Google still collects data which might be a breach of GDPR. Disabling the app also means the HSE app will not function.
A spokesperson for Google insisted the privacy of app users was fully protected.
“In keeping with our privacy commitments for the [Covid] Exposure Notification API, Google does not receive information about the end user, location data, or information about any other devices the user has been in proximity of,” the spokesperson said.
Prof Douglas Leith and Dr Stephen Farrell of Trinity College Dublin found that Google Play Services sends data to the technology giant every 20 minutes.
Google states in its Android help centre pages that phones' periodically send data to Google to ensure the smooth functioning of the phone. This is understood to be a long-term practice on Android phones and has nothing to do with the development or launnch of the Covid Ireland Tracker app.
The ICCL said the information includes identifying data points and says the phones also send “fine-grained data” from other apps, including banking and dating apps, the ICCL said.
“This is data which, when considered together, has the potential to draw a very detailed map of our lives and activities.”
Prof Leith said the discovery was “extremely troubling from a privacy viewpoint.” He said governments and public health authorities “should be telling Google to immediately fix this problem. This level of intrusiveness is simply incompatible with a recommendation for population-wide usage.”?
Google Play Services "represent a significant component of the [HSE] app which is completely opaque – to users and the HSE themselves," said the ICCL"s Elizabeth Farries.
“Most people, even app developers, are unaware of this level of invasiveness. Without the independent research of these TCD scientists, members of the public would not have known that Google is capturing, via dragnet, significant personal information of all Android app users – with or without the Covid Tracker app,” she said.
On Monday, Ireland donated the code for its contact tracing app to the Linux Foundation Public Health initiative as part of an attempt to suppress the coronavirus pandemic globally. Under the name Covid Green, the app will allow other countries around the world to build their own apps quickly using Irish code as a base.