To combat the rampant spread of COVID-19, tech giants Google and Apple worked together to develop an exposure notification system. The system is used not only in the U.S. but in several other countries. Tap or click here for a map that predicts the next COVID hotspot.
The app’s purpose is to alert you when you have come into close contact with someone who recently tested positive for the virus. Data is sent through various systems anonymously, as each user gets a unique ID. The system also uses Bluetooth to check in with other devices around you.
There’s just one major problem. The app has been caught leaking private information of its users. Keep reading to find out if your data has been exposed.
Here’s the backstory
Security researchers found a rather troublesome bug in the exposure notification system. It didn’t falsely notify users about exposures to the virus, but it potentially exposed user data to other apps not related to the system.
In a blog post, AppCensus detailed how the Google-Apple Exposure Notification (GAEN) system leaked data through system log files.
“We found that Google’s implementation of GAEN logs crucial pieces of information to the system log, which can be read by hundreds of third-party apps and used for the privacy attacks that we previously warned about,” explained AppCensus’s Joel Reardon.
The data that it logs
The data sets that the GAEN system logs are rather complex and have to do with the rolling proximity identifiers (RPIs) that are broadcast through Bluetooth radios in a user’s phone. The system essentially pings other phones in a radius and exchanges anonymous technical information.
While the data doesn’t include personal information like your address or telephone number, apps can accurately guess several things about you. It’s also worth explaining that only Google-approved pre-installed apps with elevated privileges can access the data through the leaked system logs.
The pre-installed apps from network operators or mobile manufacturers can:
- Infer your COVID-19 status
- Build a social graph from your contacts
- Accurately guess where you have been and create location trails
- Potentially put you in a social class
The pre-installed apps on your phone can build a better profile of your habits, locations and behavior through these data points. The flaw appears only to affect Android devices.
What can you do about it?
AppCensus said it alerted Google about the flaw in February, and Google is currently working on a fix. The company decided to make their findings known for the sake of public interest after no response from Google. The issues are “implementation errors in the system, not an inherent design flaw of distributed contact tracing.”
The data leakage can, in theory, be used in conjunction with other malware infections. This would strengthen an online attack, but researchers say the chances are low of that happening.
This does leave users at a crossroads: keep the exposure notification app installed and potentially have data leaked, or remove the app and have no way of being notified about COVID-19 exposures.