Even devices using parental controls to prevent app downloads had the app forced on them.
Massachusetts recently launched a contact tracing app for COVID-19, called MassNotifyApp, to track the spread of the virus in the state. But there is one big problem with the app; it is installing itself on Android devices without users’ consent, and even on devices with parental-lock.
“Thank you MA/Google for silently installing #MassNotify on my phone without consent. But I have a request: Can you also silently install an app that makes my phone explode and kill me?” someone wrote on Twitter.
The story is perhaps one of the most egregious violations of an app during the pandemic. It also contradicts what Gov. Charlie Baker, a Republican, said about the app; that it would be voluntary.
While launching the app last week, the governor said: “As we embrace our new normal, MassNotify is a voluntary, free tool to provide additional peace of mind to residents as they return to do the things they love.”
The app, which Google and Apple helped develop, also claims contact tracing is “completely anonymous, with no location tracking or exchange of personal information.” It further claims that it does not share location data or any other personal information with Apple, Google, the Commonwealth of Massachusetts, or any other entity.
But the claims directly contradict the reality. The app had over 300 reviews on Saturday, most of them one-star ratings because of its intrusive nature.
One of the reviews reads: “App automatically installed without consent. Weirdly it has no icon and I can’t find any way to open it and see if it could be useful. Bizarre that the state did something like this the very day the state of emergency ended, when over half of adults, myself included, are vaccinated. What info could possibly be necessary with this egregious level of invasiveness NOW? A year ago it would have made sense.”
Another Android user Lex Neva, noted that the app installed itself even on parental-locked devices:
“This installed silently on my daughter’s phone without consent or notification. She cannot have installed it herself since we use Family Link and we have to approve all app installs. I have no idea how they pulled this off, but it had to involve either Google, or Samsung, or both. Normal apps can’t just install themselves. I’m not sure what’s going on here, but this doesn’t count as ‘voluntary.’ We need information, and we need it now, folks.”
“Ghost installed without my permission, and keeps sending me push notifications. I removed it and reinstalled itself,” wrote user Beth Sivlaggio. “This isn’t something I want in my phone, it’s not something that has permission to be on my phone nor should the commonwealth or any other place/company be allowed to put something on my phone without my permission.”
In a statement to Reclaim The Net, a Google spokesperson suggested that even though the app was present, it wasn’t functional until users activate it, saying:
“We have been working with the Massachusetts Department of Public Health to allow users to activate the Exposure Notifications System directly from their Android phone settings. This functionality is built into the device settings and is automatically distributed by the Google Play Store, so users don’t have to download a separate app. COVID-19 Exposure Notifications are enabled only if a user proactively turns it on. Users decide whether to enable this functionality and whether to share information through the system to help warn others of possible exposure.”
By Ken Macon