
Massachusetts’ Department of Public Health Installed Spyware on Millions of Android Phones Without Users’ Consent

by Ian Rons
19 November 2022 4:14 PM

The U.S. Founding Fathers may not have foreseen the danger of lockdowns being imposed on irrational public health grounds, but they did at least ensure that while dolorously confined in one’s own house, no soldiers could be quartered there without consent, and in the Fourth Amendment to the U.S. Constitution they also prohibited “unreasonable searches and seizures” of persons and property. In recent years, the courts have unambiguously held that this fundamental anti-snooping right extends to the bits and bytes stored on computers and mobile phones, so it’s therefore rather surprising to see the plucky little Commonwealth of Massachusetts pull off something so blatantly unconstitutional that even the NSA hasn’t attempted it: the warrantless installation of spyware apps on all the Android phones in the state, granting them access to a wealth of data such as who those residents have been in physical proximity to, as well as phone numbers and email addresses. Because of Covid, you see.

The problems don’t end there. Our Massachusetts-based readers (and anyone who has been to Massachusetts since around June 15th 2021 up to the present) will still have this app on their Android phone – even if they uninstalled it, because it sneakily installs, and if necessary reinstalls itself, without user interaction and without displaying an app icon – long after Massachusetts ended its contact-tracing programme. The number of affected devices is anywhere from one to five million.

Of course, no normal Android app could have done this, and anyone trying to create such an app would be in serious violation of Google’s Terms of Service, banned from their developer programme and then later arrested at gunpoint by a SWAT team in a no-knock dawn raid, while having one leg chewed off by a Belgian Malinois. The police bodycam footage would then end up on YouTube, where Google would demonetise it for graphic content.

But nothing is impossible when Google allows it, which apparently it did.

When this first came to light back in June 2021 – and you can be forgiven for not hearing about it, since it was only reported by industry websites such as Ars Technica – Google released a statement which seemed to imply that the app only became active if the user opted in (with a notifications opt-in screen displayed on first install). However, a class-action lawsuit recently filed by the New Civil Liberties Alliance (NCLA) against the Massachusetts Department of Public Health (DPH) claims this is not the case. The filing does get rather technical, but this excerpt is worth quoting at length:

Even if a user does not opt into the notification system, DPH’s Contact Tracing App still causes the mobile device to broadcast and receive Bluetooth signals. This results in nearby devices exchanging Rolling Proximity Identifiers (RPI), which are randomly generated by the App and can be traced to each device owner with a ‘Key’ generated by the App and held by DPH. The exchange of data also includes device identifiers known as media access control addresses (MAC addresses), which can be associated with specific device owners or locations. The exchanged data, both random and non-random, are time-stamped and stored in each device alongside other personal identifiers, including the device owner’s MAC address, wireless network IP addresses, phone numbers, and personal emails. When this stored data is written onto mobile devices’ system logs, it becomes available to DPH, Google, application developers, device manufacturers, network providers, and other third parties with access to the logs. DPH and third parties can use the MAC address of a device owner and other personal identifiers to trace the logged data back to determine the individual identity of the owners. Those with access to the system logs can also use timestamped data regarding MAC addresses of other devices and locations with which the device connected to determine the owner’s past contacts, locations, and movement. In sum, DPH installed spyware that deliberately tracks and records movement and personal contacts onto over a million mobile devices without their owners’ permission and awareness. On knowledge and belief, that spyware still exists on the overwhelming majority of the devices on which it was installed. [Emphasis mine]

I suspect any Android developers reading this might have a couple of questions at this point, so let me clarify. Firstly, yes it is true that Covid tracing data, including third-party MAC addresses (which can be used to identify location), are or at least were being written to the system log. This is a bad idea, but for some reason it was and perhaps still is part of Google’s implementation of the Google-Apple Exposure Notification API and not specifically DPH’s fault. Google settled a class-action lawsuit about this in May 2022 (Diaz v. Google LLC).

Secondly, yes it does appear (according to para. 47 of the filing) that the DPH app has the READ_LOGS permission. For the uninitiated, this highly sensitive permission has not been available to ordinary third-party apps (only “pre-installed” apps) since Android 4.1 was released back in 2012, because as Google says, “Log entries can contain the user’s private information.” It’s not clear whether this was intentional on the part of DPH or whether it was something Google did on their own, but either way it’s clearly wrong. None of the other Covid-tracing apps that various governments created around the world for people to voluntarily install would have (much less need) this permission: only the sneaky Massachusetts one.
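For readers who want to audit this on their own device, the following is an added example (not code from the article, the NCLA filing, or Google) that parses the text produced by `adb shell dumpsys package <package>` and reports whether an app holds READ_LOGS without being flagged as a system app. The sample dump is constructed, the package name is a placeholder, and treating the `SYSTEM` flag as the marker of a "pre-installed" app is a simplifying assumption; the exact dump layout varies between Android versions.

```python
import re

READ_LOGS = "android.permission.READ_LOGS"

# Constructed sample modelled on `adb shell dumpsys package <pkg>` output.
# The package name is a placeholder, not the DPH app's real identifier.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.placeholder.tracing] (1a2b3c4):
    userId=10234
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    requested permissions:
      android.permission.BLUETOOTH
      android.permission.READ_LOGS
    install permissions:
      android.permission.BLUETOOTH: granted=true
      android.permission.READ_LOGS: granted=true
"""


def audit_read_logs(dumpsys_text):
    """Report READ_LOGS status for a single-package dumpsys dump."""
    pkg = re.search(r"Package \[([^\]]+)\]", dumpsys_text)
    # Match `flags=[...]` or `pkgFlags=[...]`, but not `privateFlags=[...]`.
    flags = re.search(r"^\s*(?:pkgFlags|flags)=\[([^\]]*)\]", dumpsys_text, re.M)
    is_system = bool(flags) and "SYSTEM" in flags.group(1).split()
    requested = granted = False
    section = None
    for line in dumpsys_text.splitlines():
        s = line.strip()
        if s.endswith("permissions:"):
            section = s[:-1]  # e.g. "requested permissions"
        elif s.split(":")[0] == READ_LOGS:
            if section == "requested permissions":
                requested = True
            elif "granted=true" in s:
                granted = True
    return {
        "package": pkg.group(1) if pkg else None,
        "system_app": is_system,
        "requested": requested,
        "granted": granted,
        # Assumption: a non-system app holding READ_LOGS is worth investigating.
        "anomalous": granted and not is_system,
    }


if __name__ == "__main__":
    print(audit_read_logs(SAMPLE_DUMPSYS))
```
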

Besides making available a wealth of private data for the Massachusetts government, it’s also quite possible that the sort of proxy location data being logged by the DPH app without users’ knowledge or consent was being hoovered up by device manufacturers. For users with a Chinese smartphone, it’s very possible that this sort of data ended up in Beijing. And of course Google itself has been in trouble for “collect[ing] behavioural data en masse, including data pertaining to user location” in State of Arizona v. Google LLC, which it settled last month for $85m. There is also another big privacy lawsuit pending against the company.

Readers with good memories will recall back in 2020 – the year before Massachusetts’ spyware started appearing – that the likes of Full Fact were telling us that our phones weren’t being secretly loaded with spyware like this. And to be completely fair to Full Fact, it had every reason to believe that, because at the time Google and Apple had only created an API (i.e., a framework or interface) for developers to build contact-tracing apps around, which seemed perfectly above board. Both companies assured us of the “strong privacy protections” baked into this API, and Google specifically stated in the relevant Android settings screen that users would have to voluntarily “install or finish setting up a participating app” for this API to actually do anything. But it turns out these weren’t the full facts, at least from Google.

I want to be clear that I’m not criticising anything Apple has done. As far as I know, its implementation of this API is perfectly fine, and I’m not aware of any spyware it has let governments install. In fact, Apple prides itself on protecting user data and has a creditable record in that area and with security generally, which is why I use an iPhone. Its only mistake has been to associate itself with Google in designing this contact-tracing API.

So, what next? Firstly, the outgoing Governor of Massachusetts Charlie Baker should instruct his Attorney General to settle this lawsuit by agreeing to work with Google to uninstall this app from every device whose owner didn’t consent to the installation, and guarantee there will be no further unwanted installations. As for Google, maybe this will give rise to yet another privacy lawsuit against it, but I suspect it views the cost of these lawsuits as merely the price of doing business.

The NCLA deserves a great deal of credit for its work on this, and also for its exposure of some equally blatant First Amendment violations in another case we’ve previously reported on, as well as for all the other work it has been doing around COVID-19. It has been pretty busy. And finally, those who suspect their phone might be infected can check on this Play Store page and see if it tells you the app is “Installed”. But rather like all the government legislative overreach and economic damage, you might find it tricky to reverse.

Tags: Android, Google, Massachusetts Department of Public Health, Spyware

6 Comments
Marcus Aurelius knew
2 years ago

Good article, Mr Rons. Thanks.

It is interesting that – while this app has been downloaded over 1 million times – it has zero reviews… Something tells me someone was taken to one side and “asked” to remove them.

38
0
Ian Rons
Author
2 years ago
Reply to  Marcus Aurelius knew

Yes, they were removed, but the NCLA screenshotted a bunch of the angry one-star reviews and included them as Exhibit 1 in their filing.

19
0
YouDontSay
2 years ago
Reply to  Marcus Aurelius knew

The reviews are still very much online – attached screenshot was taken just now from a desktop browser

reviews.png
10
0
Ian Rons
Author
2 years ago
Reply to  YouDontSay

I can see them now too.

3
0
NeilParkin
2 years ago

‘Blatant and Shameless Liars’ seem to sum up our governments. When did we give them the permission to do what the hell they wanted, without the need for any form of democratic mandate..?

38
0
JeremyP99
2 years ago

Smartphones eh?

No thanks.

This below’l do I thanks.

Nokia2600.PNG
40
0
