Google’s coronavirus contact tracing framework, which alerts users if they have been near someone with COVID-19, has been making its data available to third-party apps.
The software giant was informed of the privacy issue in February, a report from The Markup alleges, but said that the issue was not a “severe enough” flaw.
The contact-tracing framework is built into Android devices, but can communicate with iPhones. It works by monitoring the phone’s owner via Bluetooth, but the data should only be available to official apps of public health authorities such as the “NHS COVID-19” app, which is being used by 16 million people.
However, hundreds of preinstalled apps on Android devices, including Samsung Browser and Motorola’s MotoCare, have access to this potentially sensitive information. The signals that contact tracing generates are saved into the device’s system logs, which companies have permission to read for crash reports and analytics.
The information includes data about whether a phone registered a person as being in contact with someone who had the coronavirus, the device’s name, MAC address, and advertising ID, security researchers said.
Google had pledged that “the list of people you’ve been in contact with doesn’t leave your phone unless you choose to share it”.
Researchers from the privacy analysis firm AppCensus raised the problem to Google in February 2020, as part of the US Department of Homeland Security’s testing. Google reportedly did not change it.
“This fix is a one-line thing where you remove a line that logs sensitive information to the system log. It doesn’t impact the program, it doesn’t change how it works,” Joel Reardon, co-founder and forensics lead of AppCensus, told The Markup. “It’s such an obvious fix, and I was flabbergasted that it wasn’t seen as that.”
Reardon apparently reached out to Google’s bug bounty program about the issue on 19 February. Google said that the finding was not a serious enough flaw to merit a reward, but that a panel would look through the findings in a subsequent meeting.
The Google security team eventually sent an automated email saying that they would “decide whether they want to make a change or not”, but Reardon has received no communication from Google since.
“Exposure Notifications uses privacy preserving technology to help public health authorities manage the spread of COVID-19 and save lives. With the Exposure Notification system neither Google, Apple, nor other users can see your identity and all of the Exposure Notification matching happens on your device. We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes”, Google said in a statement to The Independent.
“Immediately upon being made aware of this research, we began the necessary process to review the issue, consider mitigations and ultimately update the code. These Bluetooth identifiers do not reveal a user’s location or provide any other identifying information and we have no indication that they were used in any way – nor that any app was even aware of this.”
However, Reardon had contacted Giles Hogben, Android’s director of privacy engineering, later in February. Hogben said that “[System logs] have not been readable by unprivileged apps (only with READ_LOGS privileged permission) since way before Android 11 (can check exactly when but I think back as far as 4).”
Google did not provide an answer as to why, if the company knew about these issues before Android 11, they were not fixed prior to the rollout of the contact tracing framework, nor why it did not provide Reardon with a response to his messages.