Study finds gaps in GAEN contact tracing apps privacy protection

A study describes the data transmitted to backend servers by the Google/Apple based contact tracing (GAEN) apps in use in Germany, Italy, Switzerland, Austria, and Denmark and finds that the health authority client apps are generally well-behaved from a privacy point of view, although the Irish, Polish, Danish, and Latvian apps could be improved in this respect. However, the study also finds that the Google Play Services component of the apps contacts Google servers as often as every 20 minutes, potentially enabling fine-grained location tracking. Google Play Services, which users cannot turn off if they want to use the contact tracing app, also shares numerous details - serial numbers of SIM cards and hardware, phone IMEI, MAC address, and user email address with Google, along with fine-grained information about other apps running on the phone. While data protection impact assessments have been carried out for the health authority client app components, they have not been made public for the GAEN component.

Source: https://www.scss.tcd.ie/Doug.Leith/pubs/contact_tracing_app_traffic.pdf

Writer: Douglas J. Leith and Stephen Farrell
Publication: SecureComm 2020
Publication date: 2020-0 (preprint)