In a recent security update, most Android and iOS phones received a new opt-in setting related to the COVID-19 Exposure Notification system. What is this? Is your phone being tracked? Let’s take a deeper look at what is going on.
We’ve seen a few social media posts over the last week or so claiming that Android phones and iPhones have been getting a COVID-19 tracking app installed without getting permission from the user first. People are worried that their privacy is at risk. Here is an example of one of the posts that have been making the rounds across Facebook:
**VERY IMPORTANT ALERT!**
A COVID-19 sensor has been secretly installed into every phone.
Apparently, when everyone was having “phone disruption” over the weekend, they were adding COVID-19 Tracker [SIC] to our phones!
If you have an Android phone, go under settings, then look for google settings and you will find it installed there.
If you are using an iPhone, go under settings, privacy, then health. It is there but not yet functional.
The App can notify you if you’ve been near someone who has been reported having COVID-19.
There is a little bit of misinformation here. First of all, there really isn’t a way to sneak a “sensor” onto a device through a software update unless there is already some hardware in place that does the sensing. This immediately tells us that something about this is at least a little bogus, because from a technical standpoint, the sensationalist post misses the mark.
Here’s what really happened.
Google and Apple have been working together to build a framework that app developers can use for apps that notify users if they may have been exposed to COVID-19. They didn’t sneak a COVID-19 app onto your phone without your consent.
The two companies added a setting to enable the use of Google and Apple’s COVID-19 Exposure Notification system. This system is the groundwork that official COVID-19 notification apps can use. State and local governments are responsible for developing the apps, but they can use Google and Apple’s secure platform in order to get them to work.
If you follow the steps in the post and, on Android, go to Settings and then Google Settings, you’ll see that the option to opt in is disabled. The same goes for iPhone users: under Settings, then Privacy, then Health, you’ll have an option to opt in.
Even if you opt in, you still need to install one of the official apps, most of which aren’t even released yet. Again, this is just the groundwork.
Just to be perfectly clear, unless you manually installed something, your Android or iPhone isn’t just going to start tracking you and your friends and family to see if you have COVID-19. If you go into your settings as mentioned in the above Facebook post, you’ll see that you either need to install or finish setting up a participating app before the notifications can even be turned on.
Apple and Google even confirm this in a joint statement saying “What we’ve built is not an app - rather public agencies will incorporate the API into their own apps that people install.”
API stands for Application Programming Interface. Basically, Google and Apple have developed a standardized system to make it easier for states and local governments to build an effective app to notify users if they may have been exposed to COVID-19, but Google and Apple aren’t building the apps or pushing them out to users.
It’s worth mentioning that the system won’t work effectively if users don’t adopt it - if half of all users decide they won’t use the COVID-19 notification system, it might not be reliable enough to do much good. We don’t want to sound pessimistic; maybe, as states and local governments work to deploy their applications, people will come around.
The system is still in its infancy, and it’s really up to state and local governments to deploy the official apps themselves. Google and Apple just laid out a secure system that these apps can piggyback on.
It works like this: when you opt in and use one of these apps, a random ID is generated and exchanged between your phone and other nearby phones (that also opted in) within Bluetooth range. That’s about 30 feet, generally. These random, anonymous IDs are stored on your phone. Basically, your phone keeps track of other phones it has been near without collecting or sharing any personally identifiable information.
If someone is diagnosed with COVID-19 and manually shares that information with one of the official contact tracing apps, all of the random IDs your phone has collected over the past 14 days are uploaded (with your permission) and the users of those IDs are notified that they may have been exposed.
Most importantly, the system doesn’t track your location, or share other users’ identities within the app, or even with Google or Apple. According to Google, the apps are not allowed to use your phone’s location or track your location in the background.
In short, the technology is very secure and anonymous, which is good, because it has to fall under the strict rules that govern healthcare data.
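The flow described above, modeled as a small simulation to show what a phone stores and what gets shared. This is an added example, not Google's or Apple's code or API; the `Phone` class, the one-ID-per-day scheme and the sample dates are assumptions made for illustration.

```python
import secrets
from datetime import date, timedelta

RETENTION_DAYS = 14  # window stated in the article

class Phone:
    """One opted-in phone. Holds only random IDs and dates, no names or locations."""

    def __init__(self):
        self.sent = {}    # day -> random ID this phone broadcast that day
        self.heard = {}   # random ID heard from a nearby phone -> day it was heard

    def broadcast(self, day):
        # Fresh random 16-byte ID per day (assumed scheme for this sketch;
        # the real system has its own rotation schedule and cryptography).
        return self.sent.setdefault(day, secrets.token_hex(16))

    def hear(self, rolling_id, day):
        self.heard[rolling_id] = day

    def report_positive(self, today):
        # With the user's permission, share IDs collected in the last 14 days.
        cutoff = today - timedelta(days=RETENTION_DAYS)
        return {rid for rid, day in self.heard.items() if day > cutoff}

    def exposure_days(self, published_ids):
        # Compare published IDs against the IDs this phone itself sent.
        return sorted(day for day, rid in self.sent.items() if rid in published_ids)

def meet(a, b, day):
    """Two phones within Bluetooth range swap their current random IDs."""
    a.hear(b.broadcast(day), day)
    b.hear(a.broadcast(day), day)

def simulate():
    today = date(2020, 7, 1)  # constructed sample date
    alice, bob, carol, dave = Phone(), Phone(), Phone(), Phone()
    meet(alice, bob, today - timedelta(days=3))     # inside the window
    meet(alice, carol, today - timedelta(days=20))  # older than 14 days
    published = alice.report_positive(today)        # dave never met alice
    return today, published, {
        "bob": bob.exposure_days(published),
        "carol": carol.exposure_days(published),
        "dave": dave.exposure_days(published),
    }

if __name__ == "__main__":
    today, published, result = simulate()
    print(len(published), "ID(s) published:", result)
```

Only the phone that sent a published ID can recognize it; the published set itself contains nothing but random hex strings.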
Since this API isn’t actually an app, you can’t uninstall it. It’s built into the Android and iOS operating systems and pushed through recent security updates. It’s simply a setting that lets you decide if you want to opt in or not.
If you search around the Internet and social media, you’ll run across instructions that might walk you through rolling back your phone or other risky procedures, but that only puts your phone at risk for other threats. There is nothing to uninstall, and rolling back your phone and preventing future security updates from ever getting installed is a very bad idea.
All you need to do is not opt in, if you don’t want to participate. If you are worried about it, both Apple and Google state that simply not installing a COVID-19 Exposure Notification app, or uninstalling one if you did install one, is all it takes to not participate.
WE CAN’T STRESS THIS ENOUGH: DO NOT FOLLOW ANY INSTRUCTIONS ONLINE THAT WALK YOU THROUGH ROLLING BACK YOUR PHONE AND OPTING OUT OF SECURITY UPDATES.
Opting out of future security updates only puts your privacy and your data at even more risk.
Of course, the choice to opt in or out of the COVID-19 Exposure Notification system is yours to make, but Google and Apple appear to be doing all the right things to ensure that the system is safe and secure, without violating anyone’s privacy. If you have any questions or concerns about your privacy, or the security of your data, don’t hesitate to reach out to us at Walsh IT Group.