Despite very public messaging that the Bluetooth contact-tracing tools for COVID-19 developed by Google and Apple would not track users' locations, its implementation within Android operating systems still collects GPS data that Google could use to determine the user's location, The New York Times reports.
The issue is driven by the operating system's device location setting, which must be enabled for the system to scan for other devices using Bluetooth. This requirement has been in place since 2015, because some apps will use Bluetooth as a means of understanding the user's location, according to a Google representative who spoke to the Times.
Google is able to use the activated setting to identify a user's location through non-cellular communications, such as WiFi and Bluetooth beacons. The company's representative said that apps built with the contact-tracing tools do not have access to these data without user permission.
WHY IT MATTERS
Google and Apple's contact-tracing technology has been employed in contact-tracing apps released by several countries – Austria, Germany, Japan and Switzerland, to name a few – and is being used or considered for tools being developed by a handful of U.S. states. In some countries, these apps have been downloaded by the public millions of times.
Decisions to incorporate the technology or download those apps would have been heavily based on the companies' claim that a Bluetooth approach would require no location data to be logged. Numerous stakeholder groups, public health leaders and privacy experts have warned legislators of the unintended consequences of widespread location tracking, and in some cases questioned whether or not the tools would be effective to begin with.
National public health representatives from Switzerland and Latvia told the Times that they were aware of the setting and had pressed Google to make a change, while another from Denmark said that the country's health ministry was interested in speaking more with Google after learning of the active location-tracking capabilities.
THE LARGER TREND
Google and Apple's system-level tools were announced to much fanfare in early April and went live in mid-May operating system updates. Many public health bodies were fairly open about the reasons why they would incorporate the tools or develop their own approach in-house. Of particular note here is the U.K., which said in late April that it would opt for a more centralized digital contact-tracing system, but then backtracked last month and began work on an Apple-Google-based tool.
Still, homegrown COVID-19 contact-tracing apps have had their fair share of privacy hiccups as well.
Norway's contact-tracing app, called the Smittestopp, was temporarily banned due to privacy concerns from the Norwegian Data Protection Authority. Back in May, an Amnesty International investigation found Qatar’s mandatory COVID-19-tracing app had a weakness in its configuration that could have left it open to cyberattacks. And just today, another Times investigation described (now fixed) security flaws in South Korea's quarantine-enforcement app that would have allowed access to names, real-time locations and other personal information.