Over the past week, a growing number of Android users in the state of Massachusetts have accused Google of stealth-installing “spyware” on their devices under the guise of a state government-supported Covid contact-tracing app.
Launched by the state on June 15, MassNotify enables users who have turned on the voluntary ‘Covid-19 Exposure Notifications’ feature on their devices’ settings to be alerted via Bluetooth if they have potentially been exposed to the virus.
After enabling the feature, users can choose the state from which they want to receive alerts, and the respective state’s app will be installed on the device. However, dozens of people have claimed that they received the application despite not opting into the feature.
“Automatically installed without consent. It has no icon, no way to open this and see what it even does, which is a huge red flag… I think it’s spyware, phishing as the DPH (Department of Public Health),” user Callie M. noted in a review on the app’s Google Play store page.
Terming it an “unethical breach of privacy and a forceful misappropriation of personal property,” user Frank L. said, “The degree to which my data is collected or distributed through it has not been disclosed neither in active nor inactive form… I can only conclude and caution others that it is disclosing your whereabouts and social contacts without permission.”
The app’s page describes it as being “privacy-focused.” It notes that the DPH takes user “privacy and confidentiality very seriously” and stated that “no GPS or location information” shared from devices will “ever be collected or used” by the app.
In a statement to the 9to5Google news outlet, Google confirmed that the exposure notification system is “built into” device settings and is “automatically distributed” by the Google Play Store so “users don’t have to download a separate app.”
However, the statement noted that the notification functionality was only enabled if a user “proactively turns it on” after deciding to share their health information through the system to warn other people of possible exposure.
Meanwhile, a Hacker News reader was reportedly told by the app’s help desk that the “confusion” was due to an “update made by Google that resulted in some users seeing MassNotify appear in their app list in the Google Play Store.”
Noting that the “appearance of MassNotify in the app list” did not mean that the app was enabled on the reader’s phone, the help desk response claimed that it “merely means that MassNotify has been made available as an option in your phone’s settings if you wish to enable it.”
According to 9to5Google, however, questions remain as to how the app was installed on user devices irrespective of whether Google “accidentally pushed out the application to phones due to a bug in the system.”
If it was an intentional rollout, however, that “raises questions on who authorized that action,” the outlet noted.
In a deluge of one-star reviews on the app’s page, several affected users pointed fingers at the state government since it is supported by the Massachusetts DPH as well as Google, which, together with Apple, developed the technology powering the app.
“Force-installed with no authorization or approval. App is hidden on the device to prevent uninstallation. Government overreach and corporate complicity should never be tolerated,” user Jeramiah added.
The Android version of Google and Apple’s jointly-created “Exposure Notifications System” had previously been in the news for a privacy flaw that allowed other apps installed earlier to potentially see sensitive data.
If you like this story, share it with a friend!