We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

Concerns over Google Play Services reignited over Covid apps but HSE warns against conflating issues

The HSE has said it is important not to conflate issues with how Google enables apps through the store with the functionality of this particular app.

TRINITY RESEARCHERS HAVE issued a new report claiming user privacy is not protected adequately in Covid-19 tracking apps if used with Google Play Services.

However, following its publication, the HSE has said it is important not to conflate issues with how Google enables apps through the store with the functionality of this particular app. 

The report examined the data transmitted to back-end servers by the contact tracing apps deployed by health authorities in Germany, Italy, Switzerland, Austria, Denmark, Spain, Poland, Latvia and Ireland.

Researchers have described the Google Play Services component of these apps as “extremely troubling from a privacy viewpoint”.

Each of these apps consist of two separate components; a ‘client’ app which is managed by the national public health authority – in Ireland’s case the HSE – and the Google/Apple exposure notification service, which on Android devices is part of Google Play Services.

The researchers at Trinity found Google Play Services contacts Google servers roughly every 10-20 minutes, allowing fine-grained location tracking via IP address.

They have said Google Play also shares the phone international mobile equipment identity (IMEA), hardware serial number, SIM serial number, handset phone number and user email address with Google, together with fine-grained data on the apps running on the phone.

However, this issue has been known about apps using Google Play Services for many years, and is not unique to the Covid app trackers. 

Google, in a statement, said: ”In keeping with our privacy commitments for the Exposure Notification API, Apple and Google do not receive information about the end user, location data, or information about any other devices the user has been in proximity of.”

Today the HSE said it welcomes any evidence based research and opportunities to improve the app, noting that Science Foundation Ireland has conducted significant independent research into all aspects of the app. 

“It is also very important not to conflate issues noted by researchers with how Google or Apple enable all their users’ apps through their stores, with the functionality of the HSE’s Covid Tracker app, which puts user’s privacy and security first and foremost.

“It has been globally accepted that the Apple Google Exposure Notification API is the best, most privacy preserving and universally accessible solution to the immediate challenge we are faced with by Covid-19 to support contact tracing with digital technology.”

The HSE said it has been guided by feedback from the Data Protection Commission throughout the development of the app and Google and Apple have provided assurances that they do not have access to personal data through the exposure notification system they developed.

The companies have also committed to decommissioning this functionality once the pandemic is over.

‘Far from private’

Professor Doug Leith, chair of computer systems at Trinity College Dublin said the public health authority component of these apps – managed here by the HSE – “generally shares little data and is quite private”.

“However, on Android devices we found that the Google component of the apps is far from private and continuously shares a great deal of data with Google servers.

While there has been a great deal of public scrutiny of the public health authority component of these apps, including detailed Data Protection Impact Assessments and governance arrangements, there has been almost no public scrutiny of the Google/Apple component of the apps, and few governance measures put in place, despite the fact that it is the Google/Apple component which does most of the “heavy lifting” in the apps.

“We think that needs to change, and quickly, bearing in mind that these are public health apps sponsored by national governments and health authorities and have been installed by millions of people in good faith.”

Leith said researchers also found that the Irish app sets a type of “supercookie” that allows connections made by the same phone to be linked together over time. None of the other European apps do this and he said this should be removed.

The Irish Council for Civil Liberties this week also expressed concern about the technology underlying the app.

Elizabeth Farries, director of the information rights programme at ICCL said Google Play Services “represent a significant component of the app which is completely opaque – to users and the HSE themselves”.

“Most people, even app developers, are unaware of this level of invasiveness. Without the independent research of these TCD scientists members of the public would not have known that Google is capturing via dragnet significant personal information of all Android app users – with or without the Covid Tracker app.”

This article has been updated to include a statement from Google and to clarify the previous knowledge of the issues around Google Play Services on Android devices. 

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

Your Voice
Readers Comments
This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
Leave a Comment
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.

    Leave a commentcancel