Google surreptitiously installs COVID-19 exposure notification app in Android phones without telling users
Google appears to have automatically installed the coronavirus (COVID-19) exposure notification app
for Massachusetts on some Android phones.
"We have been working with the Massachusetts Department of Public Health
to allow users to activate the Exposure Notifications System directly from their Android phone settings," the tech giant said in a statement.
The app, called MassNotify, was launched in Massachusetts on June 15. Since then, a number of Android phone users in the state reported that the app had been automatically installed on their phones without warning or consent.
But Google noted that the notifications are enabled only if a user proactively turns on the app.
"This functionality is built into the device settings and is automatically distributed by the Google Play Store, so users don't have to download a separate app. COVID-19 Exposure Notifications are enabled only if a user proactively turns it on. Users decide whether to enable this functionality and whether to share information through the system to help warn others of possible exposure," Google said.
Users claim app was "installed without any notification"
Android users in Massachusetts claimed on Reddit, Hacker News, and in Google's app reviews that the service was installed without them knowing.
In a 1-star review on Google Play Store, one user wrote: "Absolutely did not install this on my phone" and added that it was "silently installed without any notification."
According to the user, the Exposure Notifications System "doesn't have an app icon … you have to go through settings and view all apps. This is a huge privacy and security overstep by [Massachusetts Gov. Charlie Baker] & Google."
"Ghost installed on my phone without my consent. While I believe in what this app was meant to do, installing it without so much as a notification is extremely alarming," another user wrote in a Google Play Store review.
One woman described the program as "spyware," alleging that it "seems to want to track my location," and noted that it uses Bluetooth. (Related: Google continues to track users even after location tracking is turned off.
"It's pure madness that Play Services comes with this sort of backdoor. This is clearly what I would consider a deliberate … vulnerability," wrote one user on Hacker News.
MassNotify uses Google and Apple's Bluetooth-based system to let users who test positive for COVID-19 alert strangers whose phones have been nearby that they may have been exposed to SARS-CoV-2
, the virus that causes disease. It was built using the Exposure Notifications Express program, which allows states to sidestep the laborious process of building their own app. Instead, their health departments can specify how and when someone should receive an alert about possible exposure, and the companies generate the software.
On Android phones, that express process automatically creates a custom app for a state. It's supposed to then alert Android users in the state that an application is available that they can download and install. In this case, users said that it was downloaded automatically without getting that notice.
According to reports, the Exposure Notifications System resides in Android's Settings menu. Users can access it by going to Settings, then Google, then COVID-19 Exposure Notifications – where one can turn on tracking or report having COVID-19.
Apple and Google introduced exposure notification tool in 2020
Massachusetts is the 29th state to debut an app using the Google and Apple exposure notification tool. Around 500,000 residents signed up in the first two days after its release.
In May last year, Apple and Google rolled out a system to help trace who has COVID-19
. As such, local health agencies no longer have to create individual apps and just rely on Apple and Google to do most of the technical work. (Related: Google, Apple APPROVE Saudi app that tracks women as slaves owned by their husbands, but bans independent media apps for being "offensive."
When two people are in close range, their phones will exchange and record anonymous Bluetooth identifiers as part of the exposure notification system. If an individual gets diagnosed with COVID-19, they can have their device transmit a list of everybody they've been in contact with.
To help boost usage, Google and Apple later introduced the Exposure Notifications System. The goal was to quickly and easily create a system by having health agencies submit a configuration file to the two companies. This file contained basic information on how and when notifications should be triggered and the next steps after getting an alert. Other requested information includes an agency logo and text that appears to a user.
As part of this, Google created an Android app on behalf of health agencies. It starts with the Google Play Store alerting users that a local application is available. After that, users could install the app through a process similar to how it's done today, but you they would have to agree to additional permissions. The system is fully compatible with existing apps. Washington D.C., Maryland, Nevada and Virginia were the first states to adopt the system.
In Massachusetts, however, Google apparently forgot the first step – which is alerting users that a local application is available.
for more news and information related to the coronavirus pandemic.