https://themarkup.org/privacy/2021/04/27/google-promised-its-contact-tracing-app-was-completely-private-but-it-wasnt * Ask The Markup * Citizen Browser * Banned Bounty * Google the Giant * Blacklight * Locked Out Search term [ ] * About Us * Donate * Events * Have a Tip? * Jobs * Newsletter * Team * Facebook * Twitter * Instagram * RSS Feed Skip navigation Menu The Markup Donate * About Us * Donate Big Tech Is Watching You. We're Watching Big Tech. Privacy Google Promised Its Contact Tracing App Was Completely Private--But It Wasn't Researchers say hundreds of preinstalled apps can access a log found on Android devices where sensitive contact tracing information is stored By Alfred Ng April 27, 2021 08:00 ET An illustration of a "red string" investigation" board but with the string making up the shape of an unlocked padlock Google's contact tracing app may have left the door unlocked to a privacy breach. Sam Morris/Getty Images Share This Article Copy Link Republish When Google and Apple introduced their COVID-19 contact tracing framework in April 2020, the companies aimed to reassure people worried about sharing private health information with major corporations. Google and Apple provided assurances that the data generated through the apps--people's movements, who they might have come in contact with, and whether they reported testing positive for COVID-19--would be anonymized and would never be shared with anyone other than public health agencies. "Our goal is to empower [public health agencies] with another tool to help combat the virus while protecting user privacy," Google CEO Sundar Pichai wrote in a tweet last May, when the framework became publicly available. Apple CEO Tim Cook provided similar assurances. Since then, millions of people have downloaded contact tracing apps developed through Apple's and Google's framework: The U.K.'s National Health Services' app has at least 16 million users, while Canada's Digital Service COVID Alert app boasted more than six million downloads in January, and Virginia's Department of Health noted more than two million residents were using its COVIDWISE app. California governor Gavin Newsom endorsed his state's version of the app, calling it "100% private & secure" in a tweet last December. But The Markup has learned that not only does the Android version of the contact tracing tool contain a privacy flaw, but when researchers from the privacy analysis firm AppCensus alerted Google to the problem back in February of this year, Google failed to change it. AppCensus was testing the system as part of a contract with the Department of Homeland Security. The company found no similar issues with the iPhone version of the framework. It's such an obvious fix, and I was flabbergasted that it wasn't seen as that. Joel Reardon, AppCensus "This fix is a one-line thing where you remove a line that logs sensitive information to the system log. It doesn't impact the program, it doesn't change how it works, " said Joel Reardon, co-founder and forensics lead of AppCensus. "It's such an obvious fix, and I was flabbergasted that it wasn't seen as that." "We were notified of an issue where the Bluetooth identifiers were temporarily accessible to specific system level applications for debugging purposes, and we immediately started rolling out a fix to address this," Google spokesperson Jose Castaneda said in an emailed statement to The Markup. Serge Egelman, AppCensus's co-founder and chief technology officer, however, said that Google had repeatedly dismissed the firm's concerns about the bug until The Markup contacted Google for comment on the issue late last week. Asked if the vulnerability has been eliminated, Castaneda said the "roll out of this update to Android devices began several weeks ago and will be complete in the coming days." The issue, Reardon said, is that hundreds of preinstalled apps like Samsung Browser and Motorola's MotoCare on Android devices have access to potentially sensitive information that the contact tracing apps store in system logs--a byproduct of how the preinstalled apps receive information about user analytics and crash reports. The contact tracing tool works by exchanging anonymized Bluetooth signals with other phones that have the contact tracing app. Those signals are changed every 15 minutes to make it harder to identify someone and are created from a key that changes every 24 hours. Google and Apple Screenshot of Google and Apple's overview of their contact tracing proposal Google and Apple explained how "rolling proximity identifiers" are exchanged. The signals that a phone's contact tracing data generates and receives are saved into an Android device's system logs. Studies have found that more than 400 preinstalled apps on phones built by Samsung, Motorola, Huawei, and other companies have permission to read system logs for crash reports and analytic purposes. In the case of contact tracing apps, Reardon found that the system logs included data on whether a person was in contact with someone who tested positive for COVID-19 and could contain identifying information such as a device's name, MAC address, and advertising ID from other apps. In theory, that information could be swept up by preinstalled apps and sent back to their company's servers. He has not found that any apps have actually gathered that data, but there's nothing preventing them from doing so. "What Google is saying is that these logs never leave the device," Reardon said. "They can't make that claim--they don't know if any of these apps are collecting the system logs." Investigate Power, Instigate Change Your gift helps us hold Big Tech to account. Donate Today "These Bluetooth identifiers do not reveal a user's location or provide any other identifying information and we have no indication that they were used in any way--nor that any app was even aware of this," Castaneda, the Google spokesperson, said in the email to The Markup. Google has made several public promises that all contact tracing data would be processed on a user's phone and not sent to any servers. While the apps are exchanging anonymized Bluetooth signals, the only time any data would be sent to an outside entity would be if a user identified themself as testing positive for COVID-19 and chose to share that information with public health authorities. When Google and Apple first released the tool, they promised "the list of people you've been in contact with doesn't leave your phone unless you choose to share it" during a press briefing. At the International Association of Privacy Professionals' keynote event last July, Google's and Apple's chief privacy officers highlighted that storing and processing the data only on devices instead of servers protected their users' privacy. "We felt strongly that all this exposure notification information being done on [the] device and that processing being done under the strict controls of the user was an essential design feature to optimize for the privacy of the system," Keith Enright, Google's chief privacy officer, said at the panel. Connecticut's privacy policy for the state's contact tracing app also notes that data is stored only on a user's device and isn't shared unless a person has a positive COVID-19 diagnosis and chooses to share that information. The state's app is based on Google's and Apple's exposure notification framework. "These data are stored only on the user's device and are never shared unless and until the user has a positive COVID-19 diagnosis and elects to share this information within the system," the policy states. The antidote to disinformation ... ... is hard-hitting, independent investigativejournalism. Give Now Reardon first reached out to Google about the issue on Feb. 19, filing a report to Google's bug bounty program. Google has a program in which it pays researchers for finding security issues with its services but only if the company considers it a serious enough flaw. The team didn't believe Reardon's findings met its standards, according to emails provided to The Markup by AppCensus. On March 12, Reardon received an email from "Enzo, Google Security Team" that said, "This might not be severe enough to qualify for a reward, though the panel will take a look at the next meeting and we'll update you once we've got more information. All you need to do now is wait. If you don't hear back from us in 2-3 weeks or have additional information about the vulnerability, let us know." Four days later, Reardon received an automated email from Google telling him it had confirmed that the flaw wasn't enough to warrant a payout, and that the security team would "decide whether they want to make a change or not." He said he hasn't heard from the company since. Reardon also reached out to Giles Hogben, Android's director of privacy engineering, on Feb. 19. In an email, Hogben noted, in response to Reardon's concerns, that the system logs could only be accessed by certain apps. "[System logs] have not been readable by unprivileged apps (only with READ_LOGS privileged permission) since way before Android 11 (can check exactly when but I think back as far as 4)," Hogben said in his Feb. 25 reply. Reardon, however, said hundreds of preinstalled apps can still read those system logs. "They're actually collecting information that would be devastating to the privacy of people who use contact tracing," he said. Real quick ... As technology extends its reach into all corners of culture and blackbox algorithms reshape our lives in untold ways, The Markup is working to bring it all into focus. We're a nonprofit newsroom that brings tech expertise to tech reporting. We pursue hard-hitting, data-driven analyses and hold powerful institutions to account. Independent journalism is essential to a healthy society, and your support is essential to independent journalism. Support The Markup Now You just read Google Promised Its Contact Tracing App Was Completely Private--But It Wasn't From the series -- Privacy Share This Article Copy Link Republish Credits * [Markup-Alf] Alfred Ng Reporter Close Republish Google Promised Its Contact Tracing App Was Completely Private--But It Wasn't We're happy to make this story free and available to republish for free under an Attribution-NonCommercial-NoDerivatives Creative Commons license. This allows you to republish the article, but does not include the images or graphics other than the credit image. You must credit The Markup. If The Markup credit image is incompatible with your CMS, please let us know if you remove it. To republish, simply copy the HTML that we have provided and publish it as-is on your website. The provided HTML snippet includes all paragraph styles and hyperlinks, the author byline and credit to The Markup. Please drop us a line to let us know if you've republished the story at president@themarkup.org. [Some placeholder tex] Copy HTML The Latest Screengrabs from a TikTok by Tinuade Oyelowo that reads "After months of trying to figure out how I fit into TikTok. I've stopped and decided to just do what makes me happy and brings joy" Working for an Algorithm Shadow Bans, Dopamine Hits, and Viral Videos, All in the Life of TikTok Creators A secretive algorithm that's constantly being tweaked can turn influencers' accounts, and their prospects, upside down April 22, 2021 08:00 ET An illustration of a YouTube Video with static and YouTube's 404 icon Google the Giant In Response to The Markup's Reporting, Some YouTubers Are Ditching the Platform They said Google's decision to block advertisers from seeing "Black Lives Matter" and other social justice YouTube videos was the last straw April 20, 2021 08:00 ET An illustration of a cartoon bill covered in big tech company badges, fist bumping the Facebook hand Privacy Big Tech Is Pushing States to Pass Privacy Laws, and Yes, You Should Be Suspicious The Markup found industry fingerprints on at least five bills around the country--weak laws, experts say, that are designed to preempt strongerprotections April 15, 2021 08:00 ET Return to The Markup's homepage Your contributions help us investigate how technology influences our society. Donate * About Us * Our Donors * Ethics Policy * Events * Board of Directors * Jobs * Team * Have a Tip? * Newsletter * A Letter from the Editor * Privacy Policy * A Letter from the President * Terms of Use * Facebook * Twitter * Instagram * RSS Feed Sign up to get The Markup newsletter in your inbox every Saturday. Enter your email address to signup to our newsletter [ ] Subscribe