COVID-19 has changed almost everything on the globe. Many top tech companies understood how useful they could be and took on the responsibility of being more helpful than before. Google was among them. It launched a coronavirus contact tracing framework that informs users if they have been near someone with COVID-19. But this framework, like many other initially useful programs, became a source of data leaks.
It turns out that Google’s coronavirus contact tracing framework has been open to some third-party apps. What’s more, Google has known about the privacy issue since February. In response, the tech giant said the issue was not a “severe enough” flaw.
Which Apps Access Users’ Data?
Google’s contact-tracing framework is built into Android devices, but it can also communicate with iPhones. All of this is done over Bluetooth. The collected data was meant to be available to official apps of public health authorities, such as the “NHS COVID-19” app. But as The Markup reported, a few other apps, such as Samsung Browser and Motorola’s MotoCare, can access the data as well.
The framework stores the collected data in the device’s system logs. It turns out that some apps also have permission to read those logs for crash reporting and analytics.
As for the collected information, it includes data about the danger of being infected with COVID-19, the device’s name, MAC address, and advertising ID.
But Google states that “the list of people you’ve been in contact with doesn’t leave your phone unless you choose to share it”.
So Is There a Data Leak From the Contact Tracing Framework?
Back in February 2020, researchers from the privacy analysis firm AppCensus informed Google about the problem. But Google did not make any changes to the framework. The researchers were surprised, because the fix is a one-line change: Google just has to remove the line that writes sensitive information to the system log. Removing it would not have any impact on the framework.
They even reached out to Google’s bug bounty program. But Google was quite resolute. Google said that “the finding did not merit a serious enough flaw to merit a reward, but a panel would look through the findings in a subsequent meeting.”
“Exposure Notifications uses privacy preserving technology to help public health authorities manage the spread of COVID-19 and save lives. With the Exposure Notification system neither Google, Apple, nor other users can see your identity and all of the Exposure Notification matching happens on your device. We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes”, Google said in a statement to The Independent.
It turns out Google began investigating this immediately after being informed. But their research showed that “those Bluetooth identifiers do not reveal a user’s location or provide any other identifying information and we have no indication that they were used in any way – nor that any app was even aware of this.”
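The log exposure described above can be checked for in any app's own output. The following is an added example, not code from Google, AppCensus or The Markup: a small Python audit that finds and redacts the identifier types the article says reached the system log. The log lines, tags and values are constructed, and the patterns assume logcat's `threadtime` layout and the usual MAC-address and UUID-style advertising ID formats.

```python
import re

# Logcat "threadtime" layout: date time PID TID level tag: message
LOGCAT = re.compile(
    r"^(\d\d-\d\d) (\d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+) ([VDIWEF]) ([^:]+?)\s*: (.*)$"
)

# Identifier kinds the article says ended up in the system log.
PATTERNS = {
    "mac_address": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "advertising_id": re.compile(
        r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
        r"-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
    ),
}


def audit(lines):
    """Return (findings, redacted_lines); a finding is (tag, level, kind)."""
    findings, redacted = [], []
    for line in lines:
        line = line.rstrip("\n")
        m = LOGCAT.match(line)
        if not m:
            redacted.append(line)  # headers and other formats pass through
            continue
        level, tag, msg = m.group(5), m.group(6), m.group(7)
        for kind, pattern in PATTERNS.items():
            msg, hits = pattern.subn(f"<{kind}>", msg)
            findings.extend((tag, level, kind) for _ in range(hits))
        redacted.append(line[: m.start(7)] + msg)
    return findings, redacted


# Constructed sample input: tags, identifiers and messages are invented.
SAMPLE = [
    "--------- beginning of main",
    "04-27 12:00:01.123  1234  1240 D ExampleTracer: scan hit from AA:BB:CC:DD:EE:01 rssi=-60",
    "04-27 12:00:01.456  1234  1240 I ExampleTracer: upload ok adid=00000000-1111-2222-3333-444444444444",
    "04-27 12:00:02.000  2001  2001 W ExampleUi: slow frame 48ms",
]

if __name__ == "__main__":
    found, clean = audit(SAMPLE)
    for tag, level, kind in found:
        print(f"{tag} ({level}) logs a {kind}")
    print("\n".join(clean))
```

Each finding names the log tag responsible, which points at the logging statement to remove.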