As the COVID-19 pandemic rages on across the globe, Ireland seems to have mostly gotten a handle on things. Ireland has managed to suppress transmission, and with the help of the COVID-19 contact tracing app for iOS and Android, 105 close contacts have been identified through its usage since its launch. We’ve only had 400 cases total since its launch, meaning that potentially up to 1 in 4 transmissions were caught through it. It is clearly a vital tool to be used, as if even one of these people escaped because the app wasn’t in use, it could potentially be the source of another flood of infections.
Rightly so, however, people were concerned about their privacy. The Irish government hasn’t necessarily been known for its technological competency. Remember the Public Services Card? The Data Protection Commissioner lambasted the state for how data was collected and stored. On top of that, the COVID-19 app itself had seen delay after delay before its release, with many worrying that it had potentially been rushed and could, therefore, leak data. However, on its release, it turned out that the company the Irish government contracted to create the app, NearForm, had created something very nearly perfect. The Irish state donated the app to the Linux Foundation, as we have had one of the most successful launches of a COVID-19 contact tracing app globally.
There is just one small problem with the COVID-19 contact tracing app, and it’s not really a problem with the app itself. On Android smartphones, it makes use of Google Mobile Services (GMS), that come pre-packaged on pretty much any Android smartphone. Pretty much every major application you use on your smartphone makes use of GMS in some way, and this is not unique to the COVID-19 contact tracing app. Sure if you buy any recent Huawei or Honor device they won’t have GMS, but anything with the Google Play Store comes pre-packaged with GMS. On top of that, it can’t really be disabled or removed without going to extraordinary lengths. The GMS is made by Google, and I’m sure you can see why that may be an issue for some.
However, because GMS is built into the Android system, it can run with special privileges. This is how Android smartphones can contact trace effectively – the API developed by Apple and Google has been implemented in iOS and Android devices across the world. In Apple’s case, iOS 13.5 came with support for contact tracing. On Android, a GMS update that can happen irrespective of the Android version added it. GMS looks just like an app on your device and can update through the Google Play Store.
A research paper by Trinity College Dublin students tore into the COVID-19 contact tracing app, going so far as to say that “this level of intrusiveness seems incompatible with a recommendation for population-wide usage”. While the paper would be technically correct if this were unique to the COVID-19 contact tracing app, it is not. These privacy concerns that were raised (and subsequently reported by The Journal, The Irish Times, The Irish Mirror, The Irish Independent, and so many others) are not unique to the COVID-19 contact tracing app and would exist without the app installed. Equating the COVID-19 application with infringement on the privacy of the user who has installed it is outright dangerous and can prevent people from installing it due to a lack of understanding on the technical side of how the application works. A regular app running in the background would technically be more secure from a privacy standpoint, but most Android smartphones will kill an app running in the background for too long. The app needs the level of access that the GMS provides in order to be effective.
This kind of careless reporting with shock headlines scares people away from installing an app that has already identified 105 potential close contacts of confirmed cases. Only just the other day in a press briefing the HSE said that there were roughly 200 active cases in Ireland, so to catch 105 close contacts of confirmed cases following this shows that the app is working well in the field and is an important tool in our battle against COVID-19. I’m not taking away from the findings of the paper in the sense that GMS is, for many, a monolithic privacy violation. What I am saying is that if you are concerned by the COVID-19 contact tracing application based on your reading of this paper or the sites that have reported on it, then you should throw your whole phone in the bin. Don’t just uninstall apps if you are concerned about the data that has been reported to be collected – it’s the whole phone that is tainted thanks to the pre-installed Google services that are running on your phone, regardless of a contact tracing application being installed or not.
Download and install the app.