When Google and Apple announced plans in April for free software to help alert people of their possible exposure to the coronavirus, the companies promoted it as “privacy preserving” and said it would not track users’ locations. Encouraged by those guarantees, Germany, Switzerland and other countries used the code to develop national virus alert apps that have been downloaded more than 20 million times.
But for the apps to work on smartphones with Google’s Android operating system — the most popular in the world — users must first turn on the device location setting, which enables GPS and may allow Google to determine their locations.
Some government officials seemed surprised that the company could detect Android users’ locations. After learning about it, Cecilie Lumbye Thorup, a spokeswoman for Denmark’s Health Ministry, said her agency intended to “start a dialogue with Google about how they in general use location data.”
Switzerland said it had pushed Google for weeks to alter the location setting requirement.
“Users should be able to use such proximity tracing apps without any bindings with other services,” said Dr. Sang-Il Kim, the department head for digital transformation at Switzerland’s Federal Office of Public Health, who oversees the country’s virus-alert app.
Latvia said it had pressed Google on the issue as it was developing its virus app. “We don’t like that the GPS must be on,” said Elina Dimina, head of the infectious-disease surveillance unit at Latvia’s Center for Disease Prevention and Control.
Google’s location requirement adds to the slew of privacy and security concerns with virus-tracing apps, many of which were developed by governments before the new Apple-Google software became available. Government officials and epidemiologists say the apps can be a helpful complement to public health efforts to stem the pandemic. But human rights groups and technologists have warned that aggressive data collection and security flaws in many apps put hundreds of millions of people at risk for stalking, scams, identity theft or oppressive government tracking.
Now the Android location issue could undermine the privacy promises that governments made to the public.
Pete Voss, a Google spokesman, said the virus alert apps that use the company’s software do not use device location. That’s including for people who test positive for the virus and use the apps to notify other users. The apps use Bluetooth scanning signals to detect smartphones that come into close contact with one another — without needing to know the devices’ locations at all.
Since 2015, Google’s Android system has required users to enable location on their phones to scan for other Bluetooth devices, Mr. Voss said, because some apps may use Bluetooth to infer user location. For instance, some apps use Bluetooth beacons in stores to help marketers understand which aisle a smartphone user may be in.
Once Android users turn on location, however, Google may determine their precise locations, using Wi-Fi, mobile networks and Bluetooth beacons, through a setting called Google Location Accuracy, and use the data to improve location services. Mr. Voss said apps that did not have user permission could not gain access to a person’s Android device location.
Apple, which does not require iPhone users of the virus apps to turn on location, declined to comment on Google’s location practices.
The Android location requirement underscores a troubling power imbalance between governments and two tech giants that dominate the mobile market, some security and privacy experts said. Countries using the software, they said, have little recourse against the new global standards that the companies are setting for public health technology.
Google and Apple, for instance, bar government virus apps using their technology from tracking users’ locations. But Google may determine and use the device locations of Android users of the apps, depending on their settings.
“We are giving too much control to two big companies,” said Alexandra Dmitrienko, a professor of secure software systems at the University of Würzburg in Germany. “They are monopolizing it.”
The companies’ Bluetooth proximity detection technology springs from ideas developed by Singapore and academics. It offers public health agencies an alternative to more invasive models that involve tracking users’ fine-grained locations and sending private data like their names to centralized government servers.
The Apple-Google software uses rotating ID codes to log close contact between app users “to help prevent tracking,” the companies say. It also processes people’s data on their phones — where governments cannot gain access to it.
“This is what we call ‘privacy by design,’” said Dr. Kim, the Swiss health official. “That means no personal data, that means no name, no phone number, even no technical identification of the hardware from email or smartphones” are collected by the apps.
The privacy-focused design has made the companies’ technology attractive to government leaders.
“This app deserves your trust. It protects your privacy,” Angela Merkel, the chancellor of Germany, said in a recent video address about her government’s Corona-Warn-App, which is based on the Apple-Google model. “No geodata is collected,” Ms. Merkel said.
But privacy and security experts said they were troubled that Google’s location practices might deter some people from using public health agency apps during the pandemic.
“The point of the Apple-Google exposure notification design is to protect privacy and mitigate barriers to adoption,” said Jonathan Mayer, an assistant professor of computer science and public affairs at Princeton.
Some Android users in Europe say they feel misled by their governments. Instructions on many of the apps direct Android users to turn on location, for instance, but make no mention of Google or that users can stop the company from determining their precise locations by turning off the accuracy feature within the location setting.
“With this app, you’re invited, by the government strongly appealing to your sense of responsibility and morality, to give away your live location to entities that are getting a profit out of it, in order to protect public health,” said Massimo Zannoni, an electronic engineer in Zurich.
Health officials in Denmark, Germany, Latvia and Switzerland said their governments had deliberately designed their national virus alert apps for maximum privacy.
“No government, no security agency has any chance to misuse the technology,” Gottfried Ludewig, director general for digitalization and innovation for Germany’s Ministry of Health, said of the Corona-Warn-App, which has been downloaded more than 15.5 million times. He said more than 500 people who tested positive for the virus had used the app to notify other users of possible virus exposure.
He added that if Google used location data for any other purpose than enabling the Bluetooth services in the app, it would need legal grounds to do so under European data protection law.
Others involved in the German app said it was Google’s issue, not theirs.
“You need to ask Google about the specs of their operating system,” Marcus Winkler, a spokesman for SAP, which helped develop Germany’s app, said in an email. “If you turn on location tracking you get a message from the operating system — this has nothing to do with the app.”
Professor Dmitrienko, the software security expert, said the solution was for governments to push Google to stop requiring Android users of the virus alert apps to turn on location.
“They have sufficient power, and they could put pressure even on such giants as Google and Apple to do something about it,” she said.
Aaron Krolik contributed reporting.
