Radar Covid, the app of contact tracing launched by the Government of Spain to stop the advance of the pandemic, includes in its Firebase code, a software from Google that is not mentioned in the privacy policy of the application. Under the European data protection regulation, the so-called GDPR, applications are required to declare the presence of external code. Even Google cautions this in their information on Firebase. More, if possible, in a app used in an area as sensitive as health. In an update last Wednesday Firebase has disappeared in the Apple environment, but at the time of closing this article it is still present on Android, where the application has not been updated since August 7.

From the Secretary of State for Artificial Intelligence, promoter of the app, admit that Firebase has been used in the testing phase “to speed up the launch process and identify points for improvement of the application.” After repeated questions from EL PAÍS for several days, they have not clarified exactly what this code does, more beyond an explanation that does not answer the bottom of the question. “It was used to be able to collect errors and improve the app, and in no case was any data used other than those bugs [fallos de software] detected ”, always according to government sources.

Firebase can be used for many things: it is a kind of Swiss army knife software for application developers. It is not just a tool to detect failures. Its use depends on the functions that each programmer activates. One of the most common is to collect information on the use of app: which mobile phone models download it, how long it is used, how often it is opened. Google also gives a random identifier for each download that in principle cannot lead to identifying users. But only in principle, and to avoid precisely these doubts, European legislation requires declaring the presence of this type of code in applications. Radar Covid does not.

The Secretary of State insists that Firebase only served for the testing phase and that it will disappear from Radar Covid on phones with Android operating system after an imminent update. EL PAÍS asked for the first time about Firebase on September 10, a day after the application code was made public. On GitHub, the repository where the Radar Covid code was posted, There is an unanswered open question about Firebase from the same day 9. Firebase could certainly make sense in a real test phase, but Radar Covid is already on four million Spanish mobiles and two months have passed since the end of the pilot. Why has the testing phase? The Government does not explain it.

“Contact tracing applications that use Firebase share data not only with health authorities but also with Google,” says Douglas Leith, Professor of Computer Systems at Trinity College Dublin and author of a report about the apps European contact tracing. “Google is a for-profit organization whose business is using data for personalized ads, which raises obvious concerns. In addition, on Android mobiles, the use of Firebase enables Google Play Services, which share information with Google (e-mail, phone number, SIM number) and makes a mobile send frequent messages to Google servers ”. Firebase has nothing to do with the specific system that Apple and Google have created to make it easier for these systems to work with Bluetooth. For all this, Leith believes that it should be removed: “Firebase is not the best practice for a contagion tracking application that the Government encourages the entire population to install and that seeks to protect their privacy.”

The Spanish Agency for Data Protection has not wanted to make any statement and has only recalled that it has had an open procedure on Radar Covid since May. EL PAÍS has asked developers from other nearby countries if they used Firebase in their apps. Neither Portugal, nor Italy, nor Germany, nor Switzerland do it. “In Europe, Latvia was using it initially but they stopped it immediately when we published the privacy report,” says Leith. “The Polish also uses it.” According to sources from the Italian developers of the Immuni application, “for privacy reasons no library has been installed that sends data to third parties, in this case Google.”

“SwissCovid [la aplicación suiza] have never used Firebase. The functionalities provided by an analytics library like this one are not necessary for its main operation ”, says Carmela Troncoso, the Spanish engineer from the Polytechnic University of Lausane (Switzerland) who promoted the DP-3T protocol, which is precisely the basis of the app Spanish. The raison d’être of DP-3T is to drive privacy by design, which means that the user does not need to trust the goodness of the authors of the applications because they are built from design to prevent data leakage. “Using Firebase would of course allow our developers to better detect bugs and problems, but at the cost of collecting usage data through Google’s servers. Collecting more data than is strictly necessary is against the privacy-by-design philosophy and principle. of minimization that led us to the current proposal. And it is even worse if this is done on third-party servers like Firebase, “explains Troncoso.

“It is a very important question,” says Gloria González Fuster, research professor at the Vrije Universiteit in Brussels. “The essential thing is that users should have been informed, since that is precisely the objective of the privacy policy: to inform about what data is being collected exactly and what is done with it,” she adds. Radar Covid’s privacy policy, according to the Internet Archive archive, has changed only once to remove the reference to the pilot test that was carried out in La Gomera. The only possible reference to Firebase is in this sentence: “The Owner of the Application may give access or transmit the data to third-party service providers, with whom it has signed data processing commission agreements, and who only access said information to provide a service in favor and on behalf of the person in charge “.

It is not enough, says González Fuster. “To comply with the transparency requirements imposed by the General Data Protection Regulation, it is not enough to offer this type of cryptic information, but it is necessary to be clearer and more precise,” he explains. Not only that, he continues: “In relation to Firebase, reading their own information it is possible to think that data transfers to the United States take place. If that were the case, users whose data would have been transferred to the United States” would have had to been clearly informed ”.

To increase the uncertainty, when on September 9 the Government decided to release the application code, the version that was posted on GitHub was not the same as the one that the Spanish had on their mobile. Still, a reference to Firebase had been left in the supposedly clean GitHub code that gave away its use. With an analysis of the application itself, it could also be seen that it was still sending information to Firebase.

None of this necessarily implies that Radar Covid spies on or analyzes the behavior of its users. But yes that the development of the app offers fewer guarantees than desirable. The problem with using Firebase in a app so sensitive it does not have to be only the intention of the authorities to know more than what the legislation allows them, but also that someone take advantage of a vulnerability to access data: the more code, the more holes.

The way open source has been published is also poor. When the new version of Apple’s mobile application appeared this Wednesday, external developers immediately saw that it did not work. The managers had uploaded a trial version, which was not linked to real servers, but fictitious: “It is a huge error in all aspects. I wouldn’t want to be in the place of the team that is managing this, ”says Jorge J. Ramos, independent developer. “We all work with a series of automatisms that allow us to avoid these problems. If we don’t have those tools, this happens, the versions are produced by hand; we are all human and we can get confused. Version 1.0.6 was released at 1 in the morning and I can imagine that the equipment is not working in the most suitable conditions. It is a human error, but not the fault of the team in any case and I would like to highlight it. We all know how this works and I imagine they will be working under enormous pressure. ” Several hours after the alert, it was fixed with a version 1.0.7.

“Nor is it that they pay much attention to the community [de desarrolladores] after opening the code, ”says Amador Navarro, iOS developer and Sfy consultant. “They do not answer us, they do not disinterestedly accept proposals for reforms with a code that they should only review. This is an application that should be used by the majority to help control the pandemic and we want to help contribute our grain, no matter how small. I still think that there is no bad faith, but a rush to want to be content, even if then they don’t let us be active with this, ”he explains.

It is not the only example of improvisation and mistakes that could have been corrected with another type of approach or more time. One of the two responsible for uploading the Radar Covid code to GitHub was a user named looming. It is therefore someone obviously with access to the development of the application. His account had been created on August 25. On the 26th it went to the repository of DP-3T, original authors of the code directed by the Spanish company Troncoso, to ask about a problem that generated dozens of bad reviews for Radar Covid in the Play Store: the errors that it gave to who had activated the battery optimization. Why is it necessary to disable battery optimization? It’s mostly curiosity, but there are lots of users complaining about this. ” There is nothing wrong with asking for GitHub. On the contrary, that’s what it’s for. But it is surprising that “more than anything curiosity” when there are other more direct channels available.

