Just how safe is YOUR data with the government’s new Covid app?
Top experts raise fears on software downloaded by 700,000
SCOTLAND’S Covid-19 contact tracing app could be monitoring every aspect of Scots’ lives, according to experts who have issued a privacy warning.
The Protect Scotland app, which has been downloaded around 700,000 times since its launch on Thursday, relies on Google software which engages in ‘extremely troubling’ data harvesting.
The information it collates could paint a startlingly detailed image of where we go, who with, our political views – and even our sexuality. Once the tech giant has the data, it is not known where it could be stored or what it could be used for.
Last night, a computer scientist from Trinity College Dublin warned that Scots could be handing over private details as soon as they enable the new app.
Professor Douglas Leith, chair of computing systems at the university, added: ‘This level of intrusiveness seems incompatible with a recommendation for populationwide usage. It is hard to imagine a more intrusive data collection setup.’ The academic has said that
Google Play Services software, which is pre-installed on most Android phones, leads to significant data collection.
The software can be disabled by users but must be enabled in order to use the Protect Scotland app.
The type of information that could be ‘scraped’ from the app includes data from other apps stored on the phone, personal phone numbers, personal email addresses, SIM card serial numbers and IP addresses – or internet location identifiers.
It is feared that together, these details may confirm someone’s interests, age, sex and country and could allow the tech giant to work out the real-world identities of those using software.
Last night Liberty director Martha Spurrier said: ‘Control over our personal information is critical to our autonomy. Our privacy protects us, whether that be from an overbearing State, abusive and dangerous personal relationships, or unaccountable corporations.
‘Governments promoting contacttracing apps or any data-driven strategies in the current crisis need to be absolutely transparent with us, and prioritise our privacy.’
The warnings come as Professor Leith and his team carried out research which examined the data transmitted to servers by the contact tracing apps deployed by health authorities in Germany, Italy, Switzerland, Austria, Denmark, Spain, Poland, Latvia and Ireland to evaluate user privacy.
Their report examined the privacy of the Google/Apple Exposure Notification (GAEN) service, the technology which allows the Protect
Scotland app to operate across both Android phones and iPhones.
For Android users, the academic has said that as soon as people enable the app with Google Play Services, it is programmed to regularly collect personal information from devices. That is then sent to Google servers and is in its possession.
That is despite reassurances by NHS Scotland and the Scottish Government that such personal data will be kept secret. Professor Leith said: ‘Google and Apple can, and do, silently update their part of the app. Currently there is no public oversight of this Google and Apple component – and proper oversight seems well overdue.’
Meanwhile, health services can track how often your app is active.
On the Irish Covid tracker there is an option to ‘opt out’ of such ‘statistics’ collection, but there is no such option on the Scottish app.
So far, the researchers have only looked at the issue on Android phones and have yet to study what Apple devices might share.
Although the findings are critical, Professor Leith and his team insisted they understood that governments were doing their best.
In his research paper, he wrote: ‘All this development has taken place under severe time-pressure, with many decisions having to be made speedily in the face of significant uncertainty. We believe that all of the actors involved are attempting to do their best in a challenging situation.
‘That said, given that many governments are encouraging entire populations to use these apps, it is necessary that the detail of their operation be visible to enable properly informed choices by users.’
Yesterday, another Trinity College Dublin expert warned the contact tracing technology is so flawed that it may prove useless. Stephen Farrell, a computer scientist, said he had found Bluetooth technology which the app uses is often unable
to accurately assess distances between two smartphones.
It resulted in warnings some people could needlessly be ordered to self-isolate for two weeks, while others at risk may be missed. He also said factors such as whether a phone was kept in a bag had a significant impact on readings.
Last night, the Scottish Government did not comment on the possibility that Google Play Services could extract data independent of the app, but confirmed that the app as a whole was watertight. A spokesman said: ‘The app has undergone a full system security audit, with advice from the National Cyber Security Centre.
‘No one can see an individual’s data. The Scottish Government has chosen to build the Protect Scotland app on the Google Apple Exposure Notification System as it does not collect information on the user’s identity or location data.’
A Google spokesman said it was industry standard practice to collect certain forms of information via Google Play Services to ensure devices are working as expected. They insist Google will not receive information collected from the Covid app directly.