The Dorsal View
A round-up of medical news and oddities from left field by Dr Doug Witherspoon
The issue of data privacy has become increasingly vexatious in recent years. As the sophistication of apps improves, so does their ability to harvest your personal data. On a couple of occasions, the question of how much of your personal information is collected, and how it is distributed, has been raised.
For example, in 2018 the New York Times reported how Facebook was allowing other companies’ products to tap into users’ data, including the ability to read users’ private messages and to see the names, contact details and activities of their ‘friends’ on the platform.
To be clear, I’m not drawing a direct comparison between that scandal and the Covid-19 tracker app, but it should at least give us a heads-up in terms of the thirst that’s out there for our personal data. The data and information business is a billion-dollar industry worldwide; there are a lot of companies out there with deep pockets and a deep desire to target us with the appropriate pop-up advertisements.
The HSE/Department of Health have no doubt ploughed considerable resources into the design, roll-out and public awareness for the Covid-19 tracker app, so a recent study by the School of Computer Science and Statistics at Trinity College Dublin (TCD) probably did not make easy reading for Dr Ronan Glynn et al.
The TCD researchers – who collaborated with the HSE in the development of the Covid-19 tracker app – looked at whether the app is collecting only the data necessary to improve the safety of the general public and help prevent further spread of the virus, and whether there are sufficient data privacy protections for such an app to be rolled out on a nationwide level.
What they found was that the Google Play services component of the app is, in their words, “extremely troubling from a privacy viewpoint”. It also became clear that Ireland is receiving particularly close attention when it comes to data collection. The study also examined the data transmitted to back-end servers by the contact-tracing apps deployed by health authorities in Germany, Italy, Switzerland, Austria, Denmark, Spain, Poland, and Latvia.
According to Prof Doug Leith, Chair of Computer Systems at TCD: “We found that the Irish HSE app sets a type of ‘supercookie’ that allows connections made by the same phone to be linked together over time. None of the other European apps do this, and we recommend it be removed.
“Unlike most other apps, the HSE app also encourages people to opt in to collection of metrics. That’s not necessarily a problem in itself, but these metrics include a mix of operational and health-related data and we recommend that these different types of data be kept securely separate from one another so that access can be separately controlled. When first installed, the HSE app uses Google’s SafetyNet service and so shares data with Google, including the phone hardware serial number. Most of the other European apps don’t do this (the Polish app is the exception) and we recommend the HSE app should avoid it too.”
The authors made it clear that they in fact delayed the release of these conclusions in order to give Google and the HSE time to respond to their concerns, which were made clear to the company and the Executive. To my knowledge, no response was received.
“We looked at the network traffic between Europe’s Google/Apple API contact sharing apps and their back-end servers,” Prof Leith pointed out. “This is the first study of its type on the privacy of contact-tracing apps actually deployed in the ‘wild’. We found that the public health authority component of these apps generally shares little data and is quite private. However, on Android devices, we found that the Google component of the apps is far from private and continuously shares a great deal of data with Google servers. This data includes the phone IMEI [International Mobile Equipment Identity], hardware serial number, SIM serial number, handset phone number, the WiFi MAC address, and approximate phone location. It’s hard to imagine a more intrusive data collection set-up and it’s obviously troubling.”
Dr Stephen Farrell, senior research fellow in the School of Computer Science and Statistics at TCD, added: “If there were a European league of Covid tracing apps, Ireland might be near the middle of the table at the moment. Google, however, deserve a yellow card for the privacy-invasive way in which they seem to have implemented their part of the overall tracing system.”
This is a whistle-stop look at the authors’ conclusions — if you want to scrutinise the report, it’s available at https://www.scss.tcd.ie/Doug.Leith/pubs/contact_tracing_app_traffic.pdf.
Perhaps some of these conclusions are concerning to you; perhaps they’re not. In fairness, the HSE needed to get this app out there fast – the response to Covid-19 has required a level of speed and flexibility from the HSE that has surprised many people. But industry’s thirst for our personal information is real and the HSE and Google should ensure that this information is not misused.