In June of 2021, people in Massachusetts noticed a new application (app) installed on their Android cell phones that they hadn’t initiated. What an unwelcome surprise! Where did that come from? Is someone messing with my phone? Even people driving through the state received this new app. So, it wasn’t just about the local residents, but also anyone passing through. The app is called MassNotify. It might seem late for me to be writing about a June 2021 event, but it recently became more public in November of 2022, when a class action lawsuit was filed against the Massachusetts Department of Public Health (DPH).
Google (and Apple) provide the ability for enterprise customers to push data, settings changes and apps to the phones that a company owns. This is nothing new, and completely acceptable. The phones are owned by the company, or agreed to be under company control through Bring Your Own Device (BYOD) policies. So, of course a person’s employer needs to have the ability to monitor and access the devices that may contain intellectual property (IP) and trade secrets. This is the method that was used to “Automatically install apps and [browser] extensions” on the Android phones.
Someone working for the state of Massachusetts had the bright idea of tracking everyone’s COVID-19 exposure and performing contact tracing automatically. Well, that does sound like a good idea, but wouldn’t you need each individual’s permission first? Aren’t there HIPAA “Privacy Rule” laws that regulate the use of people’s health information? And don’t I have the right to regulate the apps and data that are sent to my phone? I own that, not a company and not the state of Massachusetts.
The state contacted Apple and Google to help them implement this idea. Apple has the ability to do this, but declined. Apple is known for strong security and privacy policies, while Google is known for winging it and flying by the seat of their pants. An Apple iOS phone encrypts all information coming and going, and they screen apps for any bad actions before they can be added to their App Store.
On the other hand, a Google Android phone uses the Google Play Store, which is notorious for not filtering new apps very well. Even back in the early Apple vs PC days, Apple strongly limited internal access and applications on their computers, while PC/Windows computers were like living in the Wild Wild West. This is a big reason why virus scanners are popular, and badly needed, on Windows PCs, while Apple users typically don’t see the need. When was the last time you heard of an Apple virus in the news?
Some witnesses claim that the app was installed, and activated, without their knowledge. It collected their location, movements and personal contacts. Normally, the app was intended to be installed when a user clicks on the link to share COVID-19 information, when prompted by an outbreak notice from the state. The state claimed that they were instead installing the app proactively, and in a deactivated state.
I have coined the term Dark App as a way to describe how the state of Massachusetts installed this spyware software on the Android phones. As with any spyware, it collects data about you (in the dark) before it transmits the data to someone without your permission. That’s the collection of Dark Data. If a US state government is planting spyware on our phones, does that mean that we are getting closer to George Orwell’s Big Brother in the book “1984”? I’ve expected this to be an eventuality, but I hadn’t thought of a pandemic as being the excuse for it. I’ve expected something more like terrorism.