This repository has been archived by the owner on Dec 30, 2022. It is now read-only.

Usage of Google Play Services potentially discloses user identity to overseas private entities #65

Closed
lmasellis opened this issue May 24, 2020 · 8 comments

@lmasellis

lmasellis commented May 24, 2020

Android version of Immuni app will depend on Google Play Services, which contains the implementation of Exposure Notification service.

As a consequence:

  1. An up-to-date version of the Google Play Services package is required; the only officially supported method for updating this package is through the Google Play Store, which in turn requires the user to connect their phone to a Google account, which is related to user identity.

  2. Generation of temporary IDs, advertisement, recording of contacts, exposure detection and notification is managed by closed source code in the Google Play Services executable, which is aware of the user's Google account and maintains network connections to overseas servers.

  3. There is no verifiable segregation between code implementing the Exposure Notification service and code implementing other unrelated services provided by Google Play Services.

  4. The user has no practical way to restrict unnecessary permissions to the code managing the Exposure Notification service, as this service is provided by Google Play Services, which requires ample permissions above those required by the majority of apps, and restricting them will almost always result in limited/erratic phone operation, which discourages the user from limiting them.

Therefore:

a. having a Google account is a precondition in order to install and use the app, as well as to keep it up-to-date;

b. the executable providing the Exposure Notification is aware of the real user identity (through his/her account), temporary IDs advertised by the user, contacts recorded and exposures;

c. the same executable is closed-source and maintains encrypted network connections to overseas servers which cannot be audited, so that it cannot be ruled out that data described in item b could potentially be disclosed to one or more overseas centralised entities, which could massively record and correlate data from users.

In addition to the above privacy and security concerns, it must also be noted that obliging the user of a government-supported app to subscribe for a Google account (which means establishing a contractual agreement with a private entity) in order to install and use the app could be a well-founded subject for anti-trust claims.

Personal thought: it seems that we are putting more trust in private overseas corporations than in legitimate governments; the fact that the app will actually be privacy-friendly and decentralized as advertised relies only on blindly trusting these corporations to behave rightfully.

@grausof
Member

grausof commented May 24, 2020

Already discussed in #20

@lmasellis
Author

> Already discussed in #20

None of the issues above have been discussed in #20. Please take some time to read before commenting.

@LorenzoS92

LorenzoS92 commented May 25, 2020

Google Play Services of Covid-19 API are privacy-based.
Please read again all Covid-19 API that Google and Apple worked together to make sure privacy will be respected.

@lmasellis
Author

> Google Play Services of Covid-19 API are privacy-based.
> Please read again all Covid-19 API that Google and Apple worked together to make sure privacy will be respected.

So, if I understand correctly your reasoning:

  1. we ask our legitimate government to publish the source code of the app because we cannot trust them;
  2. at the same time, we should blindly trust Google and Apple (which are private entities operating under a foreign jurisdiction) just because they promise that they will respect privacy.

This just doesn't make any sense.

@LorenzoS92

I'm really sorry to say, but it doesn't make any sense to implement new APIs that aren't provided by the OS.
They will probably be buggy, unsafe and insecure.
Here Immuni is using proper APIs provided by two big companies, and if you know something about software development, you will understand that developing a new API without bugs or security issues or major bugs is a complicated task and will probably require years.
Indeed, without those APIs, the application probably can't be given sufficient permissions to do this kind of tracking.
You should read more about software permissions in Android and iOS, and also in the Covid19-API provided by Google and Apple.

@matteobucci

matteobucci commented Jun 4, 2020

I hope this could be a starting point for discussing how the OS has become more and more dependent on the Google ecosystem over the years.

@mirh

mirh commented Jun 4, 2020

Depend on their ecosystem? At this time of year? At this time of day with nobody else having made the slightest alternative? In this part of the only system component with the right permissions to access location data in the background? Localized entirely separately from the main OS because for best results in other occasions it's complex enough to rely on some external aid? Crazy stuff.

Meanwhile, just because something is technically possible in theory, it doesn't mean that it happens. And these posts just indirectly insinuate this.

@echeoquehaii

Just to point out, France has released their app which doesn't use the Exposure Notification API.

Funnily enough this is not going to be compatible with apps using the Exposure Notification API (see: issue 34).

All this situation is in complete contrast with the European Commission guidelines; see the Common EU Toolbox for Member States, specifically chapter 3: cross-border interoperability, cybersecurity, safeguards.

@astagi astagi closed this as completed Dec 28, 2022