Google Promised Its Contact Tracing App Was Completely Private—But It Wasn't:
When Google and Apple introduced their COVID-19 contact tracing framework in April 2020, the companies aimed to reassure people worried about sharing private health information with major corporations.
Google and Apple provided assurances that the data generated through the apps—people's movements, who they might have come in contact with, and whether they reported testing positive for COVID-19—would be anonymized and would never be shared with anyone other than public health agencies.
[...] California governor Gavin Newsom endorsed his state's version of the app, calling it "100% private & secure" in a tweet last December.
But The Markup has learned that not only does the Android version of the contact tracing tool contain a privacy flaw, but when researchers from the privacy analysis firm AppCensus alerted Google to the problem back in February of this year, Google failed to change it. AppCensus was testing the system as part of a contract with the Department of Homeland Security. The company found no similar issues with the iPhone version of the framework.
"This fix is a one-line thing where you remove a line that logs sensitive information to the system log. It doesn't impact the program, it doesn't change how it works," said Joel Reardon, co-founder and forensics lead of AppCensus. "It's such an obvious fix, and I was flabbergasted that it wasn't seen as that."
[...] The signals that a phone's contact tracing data generates and receives are saved into an Android device's system logs. Studies have found that more than 400 preinstalled apps on phones built by Samsung, Motorola, Huawei, and other companies have permission to read system logs for crash reports and analytic purposes.
[...] Four days later, Reardon received an automated email from Google telling him it had confirmed that the flaw wasn't enough to warrant a payout, and that the security team would "decide whether they want to make a change or not."
[...] Reardon, however, said hundreds of preinstalled apps can still read those system logs. "They're actually collecting information that would be devastating to the privacy of people who use contact tracing," he said.
