Google Play Services Sharing Sensitive Data Of COVID Tracking App Users

I’m going to start this article in a very important manner. The COVID tracking app developed by Near Form on behalf of the HSE is working as expected and not doing anything dodgy with your data. This one is on Google. Professor Douglas Leith and Dr Stephen Farrell of Trinity College Dublin have discovered that Google Play Services is sending personal data to Google servers every twenty minutes. Here’s what you need to know, but I also want to add, that you should absolutely keep the app on your phone if you wish to continue helping a society battling COVID.

What Data Is Google Harvesting?

It’s funny. Not so long ago, we didn’t really speak about Google Play Services. Now, it’s a regular feature following US restrictions leading to Huawei no longer having access to the Google Mobile Services ecosystem. Just a few days ago I wrote about how many are asking the question “should I delete TikTok?”, and here we are with Google at the middle of a very similar controversy to those TikTok has experienced.

Google is currently sending sensitive personal data including your IP address, your phone’s IMEI, your phone number, serial number and even your email address. According to the Trinity research paper, Google is polling this data every 20 minutes before sending this to their own servers. If these servers are outside of the European Union and possibly regardless of where they are, the Alphabet-owned tech giant could be in violation of Europe’s GDPR.

Despite these claims, a Google spokesperson has said to Newstalk’s Jess Kelly, that in keeping with Google’s “privacy commitments for the Exposure Notification API, Apple and Google do no receive information about the end-user, location data, or information about other devices the user has been in proximity of”.

Why Is The COVID App Sharing My Personal Data?

I cannot stress this point enough. As far as we can tell, the COVID tracking app is not sharing any data with anyone it’s not supposed to. This is a Google Play Services issue.

In fact, calling this out as a new issue is a bit unfair of me too. This has been a known issue for some time. Such an issue has privacy been that as early as May both Google and Apple pledged to protect user’s personal data.

The exact in’s and out’s of these findings remain somewhat unclear, but in a project which has called for impeccable privacy practice from day one, it’s remarkable that this issue has still come to light.

The COVID tracking app has genuinely potential to save lives and it should be considered a remarkable achievement. So successful is the app that “COVID Green” as it’s known has now been donated by the HSE to The Linux Foundation Public Health. This is why I was quite quick to say, and repeat, that the issue here isn’t the COVID tracking app. It’s Google Play Services and there is certainly a question to be answered here regarding how personal data is being handled by the tech giant.

What’s The Problem With Google Taking Personal Data?

You should look at personal data as being personal property. If you give it away, it’s very hard to get it back and it does have a value. With that in mind, Google taking your personal data without your permission or you fully understanding what’s happening with it is a massive deal. It could be outright illegal what Google is doing here.

The other thing to consider here is GDPR. From Google and Apple to the HSE, we’ve helped understand how the COVID tracking app works. By understanding how it works, we can also understand the data Google does not need to access in order to have an operational tracking app. It would appear that Google is taking excessive personal data and that’s a big no no under GDPR.

As you know, much to my social life’s detriment, I’m a big fan of GDPR and am using it to try and leave the catholic church. One key principle of GDPR is data minimisation. This means that a company should only take and process personal data which is required to achieve the agreed purpose for why the data was shared in the first place. Google would appear to be taking more data than is needed here and go also be storing this data outside of the EU.

We requested comment from Google, the HSE and the DPC. Google repeated “in keeping with our privacy commitments for the Exposure Notification API, Google does not receive information about the end user, location data, or information about any other devices the user has been in proximity of”.

The HSE stated that they “welcome any evidence based research and opportunities to improve the app and Science Foundation Ireland has conducted significant independent research into all aspects of the app. It is also very important not to conflate issues noted by researchers with how Google or Apple enable all their users’ apps through their stores, with the functionality of the HSE’s COVID Tracker app, which puts user’s privacy and security first and foremost”.

I’m still waiting to hear back from the DPC, however, the HSE did mention that they have “been guided by feedback from the Data Protection Commission on Data Protection throughout development of the app” to “ensure the app is compliant with European data protection legislation”.

The HSE also stated that “Google and Apple have provided assurances to governments and health services around the world that they do not have access to personal data through the Exposure Notification System that they co-developed. They have further committed to decommission this functionality once the pandemic is over”.

Updated to include response from Google and the HSE.