An anonymous reader quotes a report from The New York Times:
When Google and Apple announced plans in April for free software to help alert people of their possible exposure to the coronavirus, the companies promoted it as “privacy preserving” and said it would not track users’ locations. Encouraged by those guarantees, Germany, Switzerland and other countries used the code to develop national virus alert apps that have been downloaded more than 20 million times. But for the apps to work on smartphones with Google’s Android operating system – the most popular in the world – users must first turn on the device location setting, which enables GPS and may allow Google to determine their locations.
Some government officials seemed surprised that the company could detect Android users’ locations. After learning about it, Cecilie Lumbye Thorup, a spokeswoman for Denmark’s Health Ministry, said her agency intended to “start a dialogue with Google about how they in general use location data.” Switzerland said it had pushed Google for weeks to alter the location setting requirement. “Users should be able to use such proximity tracing apps without any bindings with other services,” said Dr. Sang-Il Kim, the department head for digital transformation at Switzerland’s Federal Office of Public Health, who oversees the country’s virus-alert app. Latvia said it had pressed Google on the issue as it was developing its virus app. “We don’t like that the GPS must be on,” said Elina Dimina, head of the infectious-disease surveillance unit at Latvia’s Center for Disease Prevention and Control. Google’s location requirement adds to the slew of privacy and security concerns with virus-tracing apps, many of which were developed by governments before the new Apple-Google software became available. Now the Android location issue could undermine the privacy promises that governments made to the public. Pete Voss, a Google spokesman, claims the virus alert apps that use the company’s software do not use device location. “The apps use Bluetooth scanning signals to detect smartphones that come into close contact with one another â” without needing to know the devices’ locations at all," reports The New York Times. “Since 2015, Google’s Android system has required users to enable location on their phones to scan for other Bluetooth devices, Mr. Voss said, because some apps may use Bluetooth to infer user location. For instance, some apps use Bluetooth beacons in stores to help marketers understand which aisle a smartphone user may be in.”
“Once Android users turn on location, however, Google may determine their precise locations, using Wi-Fi, mobile networks and Bluetooth beacons, through a setting called Google Location Accuracy, and use the data to improve location services. Mr. Voss said apps that did not have user permission could not gain access to a person’s Android device location.”