Researchers from Dublin reviewed the Google Play Services that are mandatory for Covid Tracing Apps on Android. Every 20 min they transfer:
- IP address
- phone #
- email
- SIM #
➡️ So it's illegal, intrusive and affects large parts of the population

Some may consider that the kind of data gathering by Google
described here is nothing new or unexpected and that mobile
phone users have already factored in the risks of these kinds
of corporate surveillance. We believe there are at least three
reasons why this is an unsatisfactory response: a) governments
and public health authorities are strongly encouraging their
entire population to use these apps, and hence are (wittingly
or not) pressurising their entire populations to take part in this
corporate surveillance, b) it is highly likely that many users
and even app developers are unaware of the detail and the
level of intrusiveness described here and c) the lack of an opt
out from this data collection seems in conflict with GDPR.

@retha @rufposten
The app doesn't exist on its own; it needs an API, and that API is not open.

Surely, the fact that the data is held on US servers makes it illegal considering the recent EU ruling

Does this also apply to the German Spahn app? It was praised by numerous IT experts, above all for its decentralized storage.

@fredysilver The app is very good and sends no data. The researchers only show that the underlying Google Android has a problem. And they argue that, with such a broad recommendation to use the data-minimizing app, governments cannot ignore that the system it runs on has known, but nonetheless massive, data protection violations.

In other words: Google Android users already had this problem before.

@rufposten Google helps create a protocol capable of supporting contact tracing with near-perfect privacy.

Google's implementation of the protocol stalks its users via a completely different mechanism, for no apparent reason.



They are "wrong" about c). GDPR compliance doesn't require an opt-out option. It requires
1. Opt-in for data collection (except for some exceptions)
2. Sufficient legal basis for data collection and processing

So contrary to what they think/imply, just offering an opt-out option from this specific data collection wouldn't make all this shit GDPR-compliant. It would still remain illegal.

@devnull @rufposten ok, let's class action this. ;)

btw, is there a way to dump the data, to see what they got?

@rufposten sweet. I picked the right time to switch to LineageOS.

