Google, in a rare turn of events, joined hands with fellow big tech firm Apple to bring forth a privacy focused Covid-19 contact tracing effort at the height of the pandemic’s breakout in 2020. Back then, Google had guaranteed to users that one thing that its API would do is enable governments and health authority bodies to track down users who may have come in contact with the virus – all without infringing on user privacy, revealing key health data to private parties and so on. Given the mass surveillance implications, this was a big move – for a company that has been littered with lawsuits alleging anti-competitive conduct, privacy killing practices and so on. Now, a new report claims that even after such tall claims, a silly bug and a refusal to acknowledge it could have allowed the leak of the very private data that Google sought to protect against arbitrary and unthoughtful contact tracing efforts.
The report, coming from The Markup in partnership with the founders of mobile privacy analysis firm AppCensus, states a one-line flaw in the Google Covid-19 contact tracing API that caused apps based on this API to log sensitive and private user data into a device’s system log. The key vulnerability here is that this system log can also be accessed by a whole bunch of preinstalled system apps – the report claims that over 400 system apps have access to the data logs, which in turn can read data from here and relay to company servers for analytics and diagnostics.
Joel Reardon, co-founder and head of forensics at AppCensus, told The Markup that types of private data included in Android device system logs as a result of this flaw included “data on whether a person was in contact with someone who tested positive for Covid-19 and could contain identifying information such as a device’s name, MAC address, and advertising ID from other apps.” This, though, is a flaw in theory, albeit a serious one – while no preinstalled system app has picked up this data and relayed to company servers in known cases, the researchers claim that there’s nothing that actually stops them from doing so.
What’s also alarming is how Google dealt with the situation. According to Serge Egelman, founder of AppCensus, after the firm informed Google about the flaw they had found, the company apparently chose to do nothing about it. However, a Google spokesperson claimed that a patch fixing this vulnerability has been rolling out in phases to Android devices around the world, and will be completed “in the coming days”.
The researchers further confirmed that they could find no such flaw in Apple’s contact tracing API for its iPhones, which too were put in use by various governing bodies around the world. Given that Covid-19 contact tracing already had serious implications of privacy to begin with, it is a bit surprising that Google still chose to deal with the issue in such a lackadaisical manner – and not with the kind of urgency that one would expect from a company already facing serious enough privacy allegations.