Netherlands deactivates COVID tracking app after discovering it helps Google collect private data
The private data of app users has been collected by other programs that Google installs by default on an Android phone
- The app uses the Google Apple Exposure Notification Framework (GAEN)
- Third-party apps are not supposed to have access to app codes
- CoronaMelder app will not send warnings about potential infections for two days
The Dutch Ministry of Health, Welfare and Sports has announced the deactivation of its COVID-19 mobile contact tracing application after discovering that users’ private data has been collected by other programs that Google installs by default on Android phones.
The CoronaMelder app will not send a warning about potential infections for two days, the health ministry said, after the data breach was discovered.
The application uses the Google Apple Exposure Notification Framework (GAEN) – just like many other similar apps in use across the EU. It works by using constantly changing randomly generated codes exchanged between phones that are close to each other – and sends warnings to those who were in contact with someone who then tested positive for COVID-19.
Third-party applications are not supposed to have access to these codes. However, it turned out that this was not the case on Android phones, where apps installed by default were able to read the data.
In a statement, the government said it was a “violation of the temporary law on requests for notification [for] COVID-19.” The flaw was first discovered by an EU-wide online health network and reported to the Netherlands on April 22. An investigation was opened shortly afterwards, prompting Health Minister Hugo de Jonge to temporarily suspend the application, even though Google has “indicated” that it had fixed the problem.
The government is taking no chances, however, choosing to make sure the problem is fixed before allowing the app to start working again. It will use the two days to “determine if Google has really corrected the leak,” the ministry statement said.
According to Google, the problem lay in the “random Bluetooth identifiers used by the exposure notification framework” which were “temporarily accessible to a limited number of preinstalled applications.” It also said that the data provided by the credentials “on their own is of no practical value to bad actors,” adding that third-party app developers were likely unaware that the data was available.
Google also promised that the fix would be “available to all Android users in the coming days.” The Dutch app had been downloaded by 4,810,591 people as of April 27, according to its website.