Google installs apps without consent – archived source

Massachusetts ‘MassNotify’ Android app auto-installed, but COVID exposure alerts are not enabled [Updated]

Abner Li – Jun. 19th 2021 12:29 pm PT

According to many user reports over the past day, MassNotify — the Massachusetts exposure notifications app  — was automatically installed on Android phones without warning. It’s unclear if this was an intentional decision or a bug, but exposure notifications did not also get enabled with the install.

Update: Google provided the following comment to 9to5Google on Saturday. The company confirms the new “automatically distributed” nature but states that “COVID-19 Exposure Notifications are enabled only if a user proactively turns it on.”

“We have been working with the Massachusetts Department of Public Health to allow users to activate the Exposure Notifications System directly from their Android phone settings. This functionality is built into the device settings and is automatically distributed by the Google Play Store, so users don’t have to download a separate app. COVID-19 Exposure Notifications are enabled only if a user proactively turns it on. Users decide whether to enable this functionality and whether to share information through the system to help warn others of possible exposure.“

With the Massachusetts MassNotify app launch, the Exposure Notifications Express system was updated to leverage this automatic distribution so users can more quickly enable/disable alerts directly from the system Settings app. The Express approach previously leveraged a more traditional app instead of this new integrated service one.

There are some key qualifiers surrounding this either accidental or intended rollout. The state of Massachusetts just launched the MassNotify app on Tuesday, June 15. It is slightly different from the first round of Exposure Notification applications where the state (either directly or via an authorized contractor) built and released a traditional app to the Play Store.

Rather, Massachusetts is using the “Exposure Notifications Express” system that Google and Apple announced last September. This approach sees health agencies submit a configuration file to the two companies with information on how/when notifications should be triggered and next steps after getting an alert. The state also supplies assets like an agency logo and other text. It’s a faster way to get this form of contact tracing up and running.

You can tell Massachusetts is using Exposure Notifications Express, given the longer manual setup/download process. After selecting where you are in Settings > Google > COVID-19 Exposure Notifications > Add another region, states (like California) that built their own app have it directly surfaced to the user.

However, those in a state that uses the Express system are first told that exposure notifications are available. You “Continue” and are asked to select “Turn on,” as well as whether you want to “Share” analytics. Afterward, you’re finished, and alerts are enabled with the entire process taking place in the same settings workflow.

There is no separate app icon in your launcher or dedicated in-app experience. Rather, you deal with everything through settings, including sharing a COVID-19 diagnosis and to “see sharing history.”

With the fact that Massachusetts is using Exposure Notifications Express in mind, users over the past 24 hours have reported finding MassNotify installed on their device without any prior interaction. At least one user said they don’t even live in the state.

Most were made aware of its existence after being prompted to update the app in the Play Store. (Here is the Google Play listing.) They then proceeded to find it installed from the settings app list — again, it does not have an icon in the launcher or in-app experience by design. That said, others say they received a notification about it being available as well.

However, even if the app was installed on your device without that explicit permission, Exposure Notifications do not look to be active and still require manual user setup. That said, some still take offense to it downloading without their consent, even though it isn’t yet active.

The question today is how it got installed on end user devices. It’s possible that Google accidentally pushed out the application to phones due to a bug in the system. However, if it was intentional, that raises questions on who authorized that action. We’ve reached out to Google for comment.