Massachusetts’ Department of Public Health Installed Spyware on Millions of Android Phones Without Users’ Consent

The U.S. Founding Fathers may not have foreseen the danger of lockdowns being imposed on irrational public health grounds, but they did at least ensure that while dolorously confined in one’s own house, no soldiers could be quartered there without consent, and in the Fourth Amendment to the U.S. Constitution they also prohibited “unreasonable searches and seizures” of persons and property. In recent years, the courts have unambiguously held that this fundamental anti-snooping right extends to the bits and bytes stored on computers and mobile phones, so it’s therefore rather surprising to see the plucky little Commonwealth of Massachusetts pull off something so blatantly unconstitutional that even the NSA hasn’t attempted it: the warrantless installation of spyware apps on all the Android phones in the state, granting them access to a wealth of data such as who those residents have been in physical proximity to, as well as phone numbers and email addresses. Because of Covid, you see.

The problems don’t end there. Our Massachusetts-based readers (and anyone who has been to Massachusetts since around June 15th 2021 up to the present) will still have this app on their Android phone – even if they uninstalled it, because it sneakily installs, and if necessary reinstalls itself, without user interaction and without displaying an app icon – long after Massachusetts ended its contacting-tracing programme. The number of affected devices is anywhere from one to five million.

Of course, no normal Android app could have done this, and anyone trying to create such an app would be in serious violation of Google’s Terms of Service, banned from their developer programme and then later arrested at gunpoint by a SWAT team in a no-knock dawn raid, while having one leg chewed off by a Belgian Malinois. The police bodycam footage would then end up on YouTube, where Google would demonetise it for graphic content.

But nothing is impossible when Google allows it, which apparently it did.

When this first came to light back in June 2021 – and you can be forgiven for not hearing about it, since it was only reported by industry websites such as Ars Technica – Google released a statement which seemed to imply that the app only became active if the user opted in (with a notifications opt-in screen displayed on first install). However, a class-action lawsuit recently filed by the New Civil Liberties Alliance (NCLA) against the Massachusetts Department of Public Health (DPH) claims this is not the case. The filing does get rather technical, but this excerpt is worth quoting at length:

Even if a user does not opt into the notification system, DPH’s Contact Tracing App still causes the mobile device to broadcast and receive Bluetooth signals. This results in nearby devices exchanging Rolling Proximity Identifiers (RPI), which are randomly generated by the App and can be traced to each device owner with a ‘Key’ generated by the App and held by DPH. The exchange of data also includes device identifiers known as media access control addresses (MAC addresses), which can be associated with specific device owners or locations. The exchanged data, both random and non-random, are time-stamped and stored in each device alongside other personal identifiers, including the device owner’s MAC address, wireless network IP addresses, phone numbers, and personal emails. When this stored data is written onto mobile devices’ system logs, it becomes available to DPH, Google, application developers, device manufacturers, network providers, and other third parties with access to the logs. DPH and third parties can use the MAC address of a device owner and other personal identifiers to trace the logged data back to determine the individual identity of the owners. Those with access to the system logs can also use timestamped data regarding MAC addresses of other devices and locations with which the device connected to determine the owner’s past contacts, locations, and movement. In sum, DPH installed spyware that deliberately tracks and records movement and personal contacts onto over a million mobile devices without their owners’ permission and awareness. On knowledge and belief, that spyware still exists on the overwhelming majority of the devices on which it was installed. [Emphasis mine]

I suspect any Android developers reading this might have a couple of questions at this point, so let me clarify. Firstly, yes it is true that Covid tracing data, including third-party MAC addresses (which can be used to identify location), are or at least were being written to the system log. This is a bad idea, but for some reason it was and perhaps still is part of Google’s implementation of the Google-Apple Exposure Notification API and not specifically DPH’s fault. Google settled a class-action lawsuit about this in May 2022 (Diaz v. Google LLC).

Secondly, yes it does appear (according to para. 47 of the filing) that the DPH app has the READ_LOGS permission. For the uninitiated, this highly sensitive permission has not been available to ordinary third-party apps (only “pre-installed” apps) since Android 4.1 was released back in 2012, because as Google says, “Log entries can contain the user’s private information.” It’s not clear whether this was intentional on the part of DPH or whether it was something Google did on their own, but either way it’s clearly wrong. None of the other Covid-tracing apps that various governments created around the world for people to voluntarily install would have (much less need) this permission: only the sneaky Massachusetts one.

Besides making available a wealth of private data for the Massachusetts government, it’s also quite possible that the sort of proxy location data being logged by the DPH app without users’ knowledge or consent was being hoovered up by device manufacturers. For users with a Chinese smartphone, it’s very possible that this sort of data ended up in Beijing. And of course Google itself has been in trouble for “collect[ing] behavioural data en masse, including data pertaining to user location” in State of Arizona v. Google LLC, which it settled last month for $85m. There is also another big privacy lawsuit pending against the company.

Readers with good memories will recall back in 2020 – the year before Massachusetts’ spyware started appearing – that the likes of Full Fact was telling us that our phones weren’t being secretly loaded with spyware like this. And to be completely fair to FullFact, it had every reason to believe that, because at the time Google and Apple had only created an API (i.e., a framework or interface) for developers to build contact-tracing apps around, which seemed perfectly above board. Both companies assured us of the “strong privacy protections” baked into this API, and Google specifically stated in the relevant Android settings screen that users would have to voluntarily “install or finish setting up a participating app” for this API to actually do anything. But in turns out these weren’t the full facts, at least from Google.

I want to be clear that I’m not criticising anything Apple has done. As far as I know, its implementation of this API is perfectly fine, and I’m not aware of any spyware it has let governments install. In fact, Apple prides itself on protecting user data and has a creditable record in that area and with security generally, which is why I use an iPhone. Their only mistake has been to associate itself with Google in designing this contact-tracing API.

So, what next? Firstly, the outgoing Governor of Massachusetts Charlie Baker should instruct his Attorney General to settle this lawsuit by agreeing to work with Google to uninstall this app from every device whose owner didn’t consent to the installation, and guarantee there will be no further unwanted installations. As for Google, maybe this will give rise to yet another privacy lawsuit against it, but I suspect it views the cost of these lawsuits as merely the price of doing business.

The NCLA deserves a great deal of credit for their work on this, and also for its exposure of some equally blatant First Amendment violations in another case we’ve previously reported on, as well as for all the other work it has been doing around COVID-19. It has been pretty busy. And finally, those who suspect their phone might be infected can check on this Play Store page and see if it tells you the app is “Installed”. But rather like all the government legislative overreach and economic damage, you might find it tricky to reverse.