Over the weekend, Google and the state of Massachusetts managed to make creepy COVID tracking apps even scarier by automatically installing them on people’s Android phones. Numerous reports on Reddit, Hacker News and in app reviews claim that Massachusetts’ COVID tracking app ‘MassNotify’ has been silently installed on users’ Android devices without their consent.
Google issued the following statement to 9to5Google, in which the company does not deny silently installing an app.
“We’re working with the Massachusetts Department of Public Health to allow users to activate the exposure notification system directly from their Android phone settings. This functionality is built into the device settings and is automatically distributed by the Google Play Store, so users don’t have to download a separate app. Exposure notifications for COVID-19 are only enabled if a user proactively enables them. Users decide whether to enable this functionality and whether to share information through the system to warn others of potential exposure.”
Google’s statement doesn’t really address the issue of automatically installing an app without asking. The “functionality” of COVID exposure tracking apps is built into Google Play Services as an API that government apps can use for their tracking initiatives and can be “automatically distributed by the Google Play Store”.
That’s still not the “MassNotify” app, though. Like any other state and national COVID app, MassNotify provides users with an interface to report COVID exposure and view health statistics for their local population. If all of these users had accidentally signed up for COVID tracking and forgotten about it, we would expect a statement from Google to flatly deny an automatic app rollout. However, Google’s statement doesn’t deny the silent installation, instead just saying that COVID tracking isn’t enabled unless users enable it.
COVID tracking apps were Big Tech’s answer to the pandemic, with Google and Apple both building a contact-tracking platform into their mobile operating systems. The idea is that if you opt in, your phone’s Bluetooth can scan for other opted-in devices and keep a list of who you’ve been in contact with. If one of those people gets COVID and notifies the app, the tracking system will alert everyone that person has recently been in contact with, so they know they may have been exposed. Instead of running a global tracking system of their own, Google and Apple have just created a system API and app templates for use by government health organizations. In the US, that means every state needs to build a COVID app.
The rollout of the app by Google and Massachusetts certainly seems shoddy. There are two versions of the “MassNotify” app in the Play Store. One version doesn’t seem to be installed silently, has only 1,000+ installs and is rated 4.1 stars (out of 5). A second version, labeled “v3” in the package name, received negative reviews (1.1 stars at time of publication) with users claiming it was installed automatically on devices; some users even wondered if the app was malware. Both apps are listed under the “MA Department of Public Health” developer account, which – er – doesn’t exist? The link for the developer is just 404s, which really doesn’t inspire confidence in the app’s legitimacy.
Two apps are confusing
Update 4:20 p.m. EDT: A little more about the two apps. Thanks to Abner Li from 9to5Google for pointing out that the screenshots in the Play Store are wrong and that the automatically installed version of MassNotify doesn’t actually have an app icon or a user interface for public health statistics. It only lives in Settings -> Google -> COVID-19 exposure notifications, where you can enable tracking and report that you have COVID. (How will a normal person find this if it’s buried in the system settings?) This means that Google’s statement now makes a little more sense when it comes to “functionality built into the settings”, if you define a “separate app” as “something with an app icon.”
Without an app icon, the easiest way to see if MassNotify has automatically installed itself on your device is to click this Play Store link and see if the install button is in the past tense (“Installed” vs. “Install”). The automatically installed version of MassNotify will only show up in the app info system settings, and even then, if you want to remove it, it won’t be called “MassNotify”. Instead, it’s vaguely referred to as “Massachusetts Department of Heath.”
The version of MassNotify that doesn’t install automatically is a full COVID app, with a statistics user interface and an app icon. This certainly increases the chance that someone with COVID can actually find the app and report that he or she has COVID. The only problem is that Massachusetts doesn’t actually link to this version on its website.
Has Google rolled this out to every device in Massachusetts?
Original story resumes: It took forever for Massachusetts to launch its COVID app; MassNotify only launched last week, months behind other states and at a time when most responsible people are being vaccinated. Despite this, unbelievably, the “v3” MassNotify app has over a million installs! The Play Store only shows install numbers in levels, so the label “1,000,000+” on MassNotify means “more than 1 million and less than 5 million”, which is the next level. Massachusetts has only 6.8 million inhabitants. The US smartphone install base puts Android at about 50 percent of users, and smartphone penetration is not 100 percent of the population. Even if you installed MassNotify automatically on every Android device in Massachusetts, you wouldn’t hit five million devices, so the label “1,000,000+” is practically the limit. Have they rolled this out to every device in Massachusetts?
With COVID vaccines readily available and mask mandates in the state lifted last month, it’s hard to imagine Massachusetts residents being so excited about the new COVID tracking app that all those people willfully installed the app. MassNotify is now the most popular COVID tracking app on the Play Store. The COVID apps for California and New York, both of which are at least six months ahead of MassNotify, have only 500,000+ installs each.
If you’re wondering, “Can Google really install apps on an Android device without user input?” the answer is “Can they ever!” Push installs are really the only way Google Play installs apps. When you open the Play Store and hit the install button, you’re essentially asking Google for an app installation via Firebase Cloud Messaging. Users can see this in action for themselves by remotely installing an app from the Google Play website on a desktop computer. No one needs to be in front of your Android phone to grant administrative privileges: the app just installs because Google has 24/7 access to your device. The really “nice” part is that Google can also remotely uninstall apps from your phone without interaction, allowing the company to remotely destroy malware if it ever gets really bad.
Last year, when this whole COVID tracking app idea was kicked around, a poll showed that half of Americans don’t trust these COVID tracking apps with their privacy. These kinds of decisions don’t help.