[guardian-dev] suit against MA for google auto-installing contact tracing app
Greg Troxel
gdt at lexort.com
Wed Jul 12 20:15:45 EDT 2023
Given Guardian Project's privacy/android focus, this news seems
relevant. There is a suit in Federal court alleging that Massachusetts
(MA) caused Google to push a contact-tracing app to Android phones in
the state, without the user asking to install it, consenting or even
knowing. In the complaint, people say it turned Bluetooth on, and some
seem to say it turned on location and cell data.
So much for people thinking they don't need to worry about state-level
adversaries!
I am pretty sure this didn't happen to me since I was running LineageOS
or CalyxOS, both of which lack Google Play services :-)
https://nclalegal.org/robert-wright-and-johnny-kula-v-massachusetts-department-of-public-health-et-al/
https://nclalegal.org/wp-content/uploads/2023/05/Wright_First-Amended-Complaint-3.20.2023.pdf
The MA web page seems to corroborate the idea that the app was pushed to
people's phones, saying "but it didn't fully do contact tracing if you
didn't enable it", more or less. (The text is more interesting after
you read the detailed allegations.)
https://www.mass.gov/info-details/about-massnotify
They say, amazingly enough:
  If you have an Android phone and wish to uninstall the Exposure
  Notification functionality distributed to your phone by the Google
  Play Store, you can do so at any time by taking the following steps:
  [snip]
  Tap on “Exposure Notifications Settings Feature – MA” and click
  Uninstall
  It is important to note that the presence of the Exposure Notification
  functionality on Android phones did not automatically activate
  Exposure Notifications on users’ devices, and users’ device settings
  were not changed
To try to return to topic, I wonder about an app that basically keeps a
census of installed apps and reports to the user comings and goings,
with an ability to download (over Tor of course) a list of apps
suspected to be installed rather than at user request, for higher
warnings. I would expect the list to be manually curated with
out-of-band reporting. It could perhaps contain the vendor-installed
more-or-less malware apps that seem to be common on non-Pixel phones
with the vendor OS. (So I hear; I have never tried to use such a
phone.) Maybe this is already written and out there?
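
A sketch of the census idea described in the message above, as an added example that is not part of the original post. It assumes two snapshots captured with `adb shell pm list packages -i`; the package names, the sample snapshots and the watchlist are constructed placeholders.

```python
"""Diff two installed-package snapshots and flag arrivals on a curated list."""
import re

# Line format printed by `adb shell pm list packages -i`
LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

def parse_snapshot(text):
    """Return {package: installer or None} for one snapshot."""
    apps = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            inst = m["installer"]
            apps[m["pkg"]] = None if inst == "null" else inst
    return apps

def census_diff(before, after, watchlist=frozenset()):
    """Report comings and goings; raise severity for watchlisted packages.

    The installer field records which package performed the install, not
    whether the user asked for it, so the curated list drives the warning.
    """
    report = []
    for pkg in sorted(after.keys() - before.keys()):
        level = "HIGH" if pkg in watchlist else "info"
        report.append((level, "installed", pkg, after[pkg]))
    for pkg in sorted(before.keys() - after.keys()):
        report.append(("info", "removed", pkg, before[pkg]))
    return report

# Constructed sample data; package names are placeholders, not real apps.
BEFORE = """\
package:org.example.browser  installer=org.fdroid.fdroid
package:com.example.oldgame  installer=com.android.vending
"""
AFTER = """\
package:org.example.browser  installer=org.fdroid.fdroid
package:com.example.pushed.tracing  installer=com.android.vending
package:com.example.sideloaded  installer=null
"""
WATCHLIST = {"com.example.pushed.tracing"}  # hypothetical curated list

if __name__ == "__main__":
    diff = census_diff(parse_snapshot(BEFORE), parse_snapshot(AFTER), WATCHLIST)
    for row in diff:
        print(*row)
```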