Civics: Google Promised Its Contact Tracing App Was Completely Private—But It Wasn’t

Alfred Ng:

But The Markup has learned that not only does the Android version of the contact tracing tool contain a privacy flaw, but when researchers from the privacy analysis firm AppCensus alerted Google to the problem back in February of this year, Google failed to change it. AppCensus was testing the system as part of a contract with the Department of Homeland Security. The company found no similar issues with the iPhone version of the framework.

“This fix is a one-line thing where you remove a line that logs sensitive information to the system log. It doesn’t impact the program, it doesn’t change how it works,” said Joel Reardon, co-founder and forensics lead of AppCensus. “It’s such an obvious fix, and I was flabbergasted that it wasn’t seen as that.”

“We were notified of an issue where the Bluetooth identifiers were temporarily accessible to specific system level applications for debugging purposes, and we immediately started rolling out a fix to address this,” Google spokesperson José Castañeda said in an emailed statement to The Markup.

Serge Egelman, AppCensus’s co-founder and chief technology officer, however, said that Google had repeatedly dismissed the firm’s concerns about the bug until The Markup contacted Google for comment on the issue late last week.

Asked if the vulnerability has been eliminated, Castañeda said the “roll out of this update to Android devices began several weeks ago and will be complete in the coming days.”

Many taxpayer-supported K-12 school districts use Google services, including Madison.