Users of the Dutch app CoronaMelder who become infected with the coronavirus will temporarily be unable to send alerts over the coming days. This was decided by Dutch Minister Hugo de Jonge (Public Health) on Wednesday after a privacy issue with Android phones came to light. The same vulnerability likely also impacts other countries’ contact tracing apps, but no other action is known at the time of writing. Millions worldwide have downloaded contact tracing apps built on Apple’s and Google’s framework, which was thought to be anonymous: the Dutch app was downloaded 4.8 million times, and the U.K. National Health Service’s app has at least 16 million users.
Contact tracing technology
Phones on which the contact tracing app is active exchange codes via Bluetooth to register each other's proximity. If someone turns out to be infected with the coronavirus, they can send an alert to other smartphones that have been in the vicinity recently.
When Google and Apple introduced their COVID-19 contact tracing framework in April 2020, the companies assured the public that the data generated through the apps would be anonymized and would never be shared with anyone other than public health agencies. Now it has come to light that it might have been.
Pre-installed Android apps can read logs with contact tracing codes
The codes exchanged were promised to be stored securely on the smartphone, but, in fact, they also appear to end up in the Android device’s system log. Studies have found that more than 400 preinstalled apps have permission to read these system logs for crash reports and analytic purposes. The system logs included data on whether a person was in contact with someone who tested positive for COVID-19 and could contain other personal data such as device names, MAC addresses, and advertising IDs. In theory, that information could be swept up by preinstalled apps and sent back to their makers.
To be clear, it wasn’t found that any of these apps have actually gathered COVID-19 data, but there’s nothing preventing them from doing so. "It's not like companies can find out who you are, when you were infected and who you were in contact with just with that code," according to the Dutch Ministry of Health. But someone could combine the codes with other data to identify the individual and "really create a serious data breach". The fact that the door is open at all for pre-installed apps to be able to do this weighs heavily enough for the ministry to temporarily halt the Dutch app’s usage.
What happened previously
Last year, the Dutch Personal Data Authority (AP) was positive about the development of the app in itself. It did warn the Dutch Government in August 2020 that they had no idea what exactly happens to users' sensitive data, requiring clear agreements with Google and Apple. "Unfortunately, our concerns now seem to have been justified," AP chairman Aleid Wolfsen told news agency ANP.
Apparently, the fix involved a “one-line thing where you remove a line that logs sensitive information to the system log, [and] doesn’t impact the program”. Although Google itself had known about the issue for weeks, it was only two days ago that the European Commission alerted the Dutch Ministry of Health to the vulnerability in the framework. "We hadn't heard any reports about it before".
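The kind of release-time check that catches this class of leak, as an added example that is not part of the original article and is not Google's or the app's code: it scans captured log output for the identifier types named above (contact tracing codes, MAC addresses, advertising IDs) and redacts them. The log lines, the tag names and the 32-hex-character form of a tracing code are assumptions made for the illustration.

```python
import re

# Patterns for identifier types the article says ended up in the system log.
# The 32-hex-character (16-byte) form of a tracing code is an assumption taken
# from the public Exposure Notification specification, not from the article.
PATTERNS = {
    "mac_address": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "advertising_id": re.compile(
        r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
        r"-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"),
    "proximity_id": re.compile(r"\b[0-9a-fA-F]{32}\b"),
}

# Constructed logcat-style lines; tags, PIDs and values are invented.
SAMPLE_LOG = """\
04-28 10:15:01.120  1234  1301 D ExampleScanner: sighting rpi=3f9a1c0de4b27788a1b2c3d4e5f60718 rssi=-61
04-28 10:15:01.125  1234  1301 D ExampleScanner: peer addr=5A:3C:91:0E:77:B2
04-28 10:15:02.480  1234  1240 I ExampleAds: adid=38400000-8cf0-11bd-b23e-10b96e40000d
04-28 10:15:03.002  1234  1240 I ExampleApp: scan cycle finished, 1 sighting stored
"""

# date, time, pid, tid, priority, tag, message
LINE = re.compile(r"^\S+\s+\S+\s+\d+\s+\d+\s+[VDIWEF]\s+([^:]+):\s(.*)$")


def audit(log_text):
    """Return (line_no, tag, kind) for every sensitive value found in a message."""
    findings = []
    for no, raw in enumerate(log_text.splitlines(), start=1):
        m = LINE.match(raw)
        if not m:
            continue  # not a log record; nothing to attribute to a tag
        tag, message = m.group(1).strip(), m.group(2)
        for kind, pattern in PATTERNS.items():
            if pattern.search(message):
                findings.append((no, tag, kind))
    return findings


def redact(log_text):
    """Replace each sensitive value with a placeholder naming its kind."""
    for kind, pattern in PATTERNS.items():
        log_text = pattern.sub(f"<{kind}>", log_text)
    return log_text


if __name__ == "__main__":
    for no, tag, kind in audit(SAMPLE_LOG):
        print(f"line {no}: tag {tag} logs a {kind}")
```

Free-form values such as device names cannot be matched by pattern, so a check like this complements, rather than replaces, removing the logging statement itself.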