Google auto-installs Massachusetts COVID-19 contact tracing app, Android users outraged
Scores of Android users in the American state of Massachusetts were in for a rude shock when they discovered that the state's COVID-19 contact tracing app, called Exposure Notifications Settings Feature - MA, had been automatically installed on their devices without prior consent or notification. New "users" took to the app's Google Play Store listing to express their displeasure. Here are more details.
Google included a COVID-19 Exposure Notifications System in Android
Google bundled a COVID-19 Exposure Notifications System into Android that can be switched on manually. As a prerequisite, one would need to have the corresponding state's contact tracing app installed (in the US). The system claims to alert those you came in contact with if you test positive for COVID-19. It will also inform you if you came in contact with an infected person.
If Google could force-install an app, bad actors could too
Google's move was criticized on reputed forums such as YCombinator. This has left many Android users enraged, and rightfully so. If Google could install a contact tracing app without your consent, it (or bad actors) could also install any other app, even with malicious intent. Moreover, the application installed was a third-party app and not one of Google's own products that's essential for Android.
Package activates after installation, overrides Google Play Store's auto-update settings
A user on YCombinator elaborated that upon hearing about this app being auto-installed, the user turned off auto-updates on the Google Play Store and was still greeted by a notification that the app was installed overnight despite explicit instruction not to. The package activates immediately after installation and doesn't need an app to be opened for it to work.
Google's force-installation move violates its own policies mandating user consent
Google's support documentation for Android's COVID-19 Exposure Notifications System states that a contact tracing app has to be downloaded manually followed by a manual opt-in to Exposure Notifications before the service becomes operational. Alternatively, users in the US can reportedly enable Exposure Notifications in the Google app itself. The region-specific contact tracing app will then be downloaded automatically. Either way, user consent is mandatory.
Arizona contact tracking app also being force-installed on users' devices?
Some users in their Play Store reviews of the rogue app state that they didn't install the app manually, and neither did they have Exposure Notifications in the Google app enabled. An Android Police team member reported that while driving through Arizona, the state's contact tracing app was automatically installed despite having Exposure Notifications turned off, meaning that the issue isn't local to Massachusetts.
No app launch shortcut, tedious uninstallation procedure further enrage users
Interestingly, there seems to be no easy way to uninstall the app either. A distraught user reviewing the app on the Play Store said that it doesn't have a launch shortcut accessible via the app drawer. XDA-Developers noted that the only way to uninstall the app was to navigate to the Play Store, find the app using its package name, and then uninstall it.
Google claims automatic installation makes Exposure Notification setup process convenient
At this point, it's still open to debate whether this is an intentional overreach on Google's part or a mere accident. The search giant told Android Police that the Play Store automatically distributes the app for Massachusetts in the name of added convenience. However, Google claims that Exposure Notifications will remain switched off unless a user switches it on.
Google should've adhered to its own policies, sought user consent
That said, it's a cause of concern when Big Tech companies reach right into your device and add applications at will. We opine that even if Google acted with its users' best interests in mind, it should seek consent and adhere to its own policies. When customers trust businesses with their data, such actions (even if unintentional) can wipe out the brand's image.