back to article Koch-funded group sues US state agency for installing 'spyware' on 1m Android devices

The Massachusetts Department of Public Health conspired with Google to secretly install a COVID-19 tracing app onto more than 1 million Android users' devices without their knowledge and without obtaining warrants, according to a class-action lawsuit filed this week by the New Civil Liberties Alliance. The New Civil Liberties …

  1. Geoff Campbell Silver badge

    New Civil Liberties Alliance

    Not to be confused with the Civil Liberties New Alliance, nor with the Civil Liberties Alliance (New), I suppose? Splitters!


    1. LionelB Silver badge

      Re: New Civil Liberties Alliance

      Dirty forkers!

    2. Velv

      Re: New Civil Liberties Alliance

      I mean, what have the CDC ever done for us

  2. Anonymous Coward
    Anonymous Coward

    This isn't really all that news worthy, especially with the amount of $1.

    They will just say "I'm sorry" and continue on as normal.

    Lemme know when these data collectors are being with a $10,000,000,000 minimum. Maybe they will either stop collecting the data they don't need or actual secure things properly.

    1. John Brown (no body) Silver badge

      I think you are wrong in your assessment. Only asking for $1 in damages is a signal to all parties that they are taking this all the way to court and through any appeals if required and will not settle out of court.

      Now, on the whole, the right are more likely to be COVID deniers but in this instance I don't care about that. The State did wrong and it needs to be on recorded at court that they did wrong, and that's the entire reason for the case. It's not about compensation for "victims". And with only token "damages", even the lawyers aren't going to get rich off this one other than their usual fees.

      1. doublelayer Silver badge

        "Now, on the whole, the right are more likely to be COVID deniers but in this instance I don't care about that. The State did wrong and it needs to be on recorded at court that they did wrong,"

        This is an excellent summary and deserves repeating. Possibly some of the people doing this have other objections to COVID policy which aren't justified, but the pandemic did not justify any action like the one alleged by the state government. Unless the state can prove that the allegations are simply false, it was unjustifiable and needs to be punished harshly so the next person who thinks up the idea, whatever purposes they envision for their spyware, knows it will not be allowed.

        1. usbac Silver badge

          That's the real problem here. I don't see any real consequences for the people that approved this. If you or I installed malware on millions of people's phones without their permission, we would be going to jail for it. I want to see state officials going to jail!

          I know that will never happen, but this kind of thing will continue until someone does go to jail.

          1. drankinatty

            That does bring up an interesting legal point. If what was done, was done in violation of state and federal law, those that approved and participated in the tracker scheme can't claim governmental immunity from prosecution or suit because there acts, as a matter of law, fall outside their official duties.

      2. LazLong


        "Now, on the whole, the right are more likely to be COVID deniers but in this instance I don't care about that. The State did wrong and it needs to be on recorded at court that they did wrong, and that's the entire reason for the case."

        Tsk, tsk. You're assuming the statements in the case are factual. This is funded by a Cock brother, and you should be more sceptical.

        1. Steve Graham

          Re: ASSuming

          Yes, exactly HOW was tracking software installed? By carrier updates? By Android updates? How would you restrict it to one State? Technical details or shut up.

          1. doublelayer Silver badge

            Re: ASSuming

            A search seems to indicate that an app was certainly installed automatically using the Google Play updates. Some reports also indicate that it would be reinstalled if removed. What is less clear is whether the app that was installed was given access to the user data claimed by the lawyers or what it did without the users opting in. A Google statement from the time says that the app, while installed, was not activated, but that could mean anything from not running at all to not presenting warnings but doing everything else. The lawyers will have to prove what the app did and when it did so, but that it was installed doesn't seem easy to disprove.

        2. Sam Adams the Dog

          Re: ASSuming

          Well of course. Why did your comment even need to be made? Nobody said "It must be true;" many (including myself) have agreed that "If it's true, it's bad."

      3. Kimo

        Just a quick reminder that the right to privacy was thrown out along with Rowe v. Wade. There are a lot of court decisions that relied on the same legal theory that the Supreme Court invalidated.

        1. Sam Adams the Dog

          Not exactly. The question has always been how far the "unlawful search and seizure" clause in the Bill of RIghts extends to anything and everything that a person may do privately. The upshot was that the decision about making abortion legal was thrown to the states. In the four situations in which that proposal was voted upon in the most recent election, all four states (including Kentucky, a very conservative state) voted to make it legal.

          Ruth Bader Ginsburg, a liberal of liberals and a feminist, joined the court after Roe v. Wade was originally decided. She stated publicly that she felt the case was incorrectly decided, and that it should have been left to the states, which is, in facts, what just happened.

          1. jilocasin


            Without the SCOTUS decision, it was thrown to the states, in the *absence* of a federal law. A sizable portion of the Republican party wants to pass a federal law outlawing abortion which would override any state laws to the contrary. Some in the Democratic party want to pass a federal law making it legal, which would also override any state laws to the contrary. Unfortunately, a not inconsequential portion of the Democratic party doesn't want to pass such a law, preferring to retain the threat as a means to mobilize a significant portion of their base.

  3. Sven Coenye

    Omitted tidbit

    The tracer was not enabled on installation. Users had to turn it on and for that, a trip through the settings was needed.

    Massachusetts should indeed not have done it, but it is not quite as ugly as Koch, Inc. makes it out to be.

    1. Anonymous Coward
      Anonymous Coward

      Good obervation

      And as the other posters pointed out, I seems they intend to get this into court where we would see much more detail about what happened. While your point is valid, this is a case I'd rather see play out long enough to see the light of day. A big question will be what data was transferred or discoverable from the base install, as compared to if a user opted in. In the same regard there was an Apple built system that I believe was also part of the OS, and opt in, so structurally similar, though around here I am not sure it was ever working even if you opted in.

      These are things that we should have transparency about in the public sphere. If it has to come out in court so be it.

  4. Jim Mitchell

    This violates Android device owners' federal privacy and unreasonable search protections as well as the state's computer crime laws, according to the lawsuit

    Conveniently, the US Supreme Court has ruled that privacy isn't a federal right in the US Constitution.

    1. SundogUK Silver badge

      The fourth amendment applies though.

      1. Sierpinski

        I'd push for an argument that the third forbids this as well. The government is forbidden from quartering soldiers in times of peace, storing other government property in times of peace, without the consent of the Owner in the Owner's property, should likewise be forbidden. Eminent domain language in the fifth amendment further support the idea that compensation is owed by the government prior to occupation of private property, not after, which should definitely include storage on private devices.

  5. Henry Wertz 1 Gold badge


    I have zero sympathy for the anti-maskers, anti-vaxers, and such that are basically responsible for there still being Covid in the wild.

    BUT, states must not be permitted to surreptitiously install applications on a users phones. Good on them for suing over this, and good on them for the $1 damage (since, after all, public health in the US is not properly funded, and asking for even $100,000 damages probably means a health clinic or something in the state would be shut down.)

    1. SundogUK Silver badge

      Re: Agreed

      "...the anti-maskers, anti-vaxers, and such that are basically responsible for there still being Covid in the wild."

      The masks almost everyone wore do not stop transmission. The manufacturers have admitted outright that the vaccines do not stop transmission. This is complete rubbish.

      1. LionelB Silver badge

        Re: Agreed

        <Sigh> here we go again... seat belts do not "stop" death and injury in car crashes, etc. etc. Do we really need to rehash this nonsense?

    2. Spazturtle Silver badge

      Re: Agreed

      "and such that are basically responsible for there still being Covid in the wild."

      Would you care to explain how you came to that opinion as it doesn't match what the evidence shows.

      Vaccines don't stop the virus entering your body, they prime your immune system to produce anti-bodies to fight the virus once it is detected by your body.

      Whilst with many viruses you are not infectious for a while after you catch them (and thus with a vaccine your body can fight them off before they reach that point) with covid this is not the case, you are infectious almost as soon as you catch it and can spread it before your body can clear the infection up.

      1. LionelB Silver badge

        Re: Agreed

        All true - but the vaccines nonetheless do reduce risk of transmission over the course of an infection by reducing the viral load, and may also reduce the duration of the contagious phase of infection.

        The OP's implication that vaccines, masks, etc. can eliminate (the spread of) Covid is just silly - but to assert they are useless, as others have implied, is equally silly. The reality is that the measures have an impact, albeit difficult to quantify, on infection rates.

        As per usual, stupidly polarised opinions lead to fractious nonsense.

        1. Anonymous Coward
          Anonymous Coward

          @LionelB - Re: Agreed

          According to manufacturer's testimony in front of members of the EP, the reduction of the risk of transmission has not been tested.

          Under these circumstances "Reducing the risk" is more of a PR statement than a scientific one.

          Besides all this, why FDA was/is so shy in making public the documents submitted by manufacturers (i.e. testing protocols and their results) that were used to approve the vaccines ? They've asked the court to allow them 50 years (stop laughing all you in the back) to disclose them. How can you inspire confidence with this behaviour ? Real science is all about being transparent, open discussions of arguments and not about governments backing one side and silencing the others. This government-backed science is what makes me suspicious.

          And please stop calling me stupid just because I have my doubts.

          1. LionelB Silver badge

            Re: @LionelB - Agreed

            Firstly, as AC I don't know who you are that I'm supposed to have called "stupid", secondly I called some opinions "silly" (they are) rather than "stupid", and referred to some opinions as "stupidly polarised" (they are).

            By all means have doubts -- in which case, express them as such -- but be aware that on a public forum your opinions (like mine) are not above criticism.

  6. Waryofbigbro

    What about the mandatory installation of Facebook?

    My last two Galaxy phones have had Facebook preinstalled and it can't be uninstalled. Is this any different from what is alleged to have happened in MA?

    1. M.V. Lipvig Silver badge

      Re: What about the mandatory installation of Facebook?

      You can at least force stop it and in theory it's off. The Motorola Moto-G I replaced my last Samsung phone with allowed me to delete it. The Motorola isn't quite as polished as the Samsung was, and there are a few things I don't like about it, but it's a decent phone that doesn't have Bixby or Faecesbook hard coded in. The only slurp machine on this one is the Googler.

    2. T. F. M. Reader

      Re: What about the mandatory installation of Facebook?

      FWIW, my Samsung does not object to me deleting the preinstalled FB and quite a few other apps I don't use. I noticed that after a system upgrade FB sneakily appeared again, just to be deleted - again. Otherwise, no problem at all.

      The contact-tracing Google Play service[*], however (the Google-Apple one, I believe, supposedly privacy-protecting - hah!), cannot be deleted. It can only be disabled, and only if you enable "Developer Options", and it starts and must be disabled again after every restart. And I am not even in Massachusetts...

      [*] IIRC it's called ExposureMatchingService or some such - can't be a..sed to reboot the phone to check. How sneaky of Google to hide it behind both GooglePlay and Developer Options! To be fair, I think the service cannot do much by itself without a health authority-approved application. It sounds to me like MA's DHP sneaked one of the latter onto people's phones without permission (with Google's help?) and that is what this lawsuit is about. But I may well be wrong.

      1. Woodnag

        Re: What about the mandatory installation of Facebook?

        Since all apps are always running, I wonder if FB uploaded your contacts between the OS upgrade and you deleting it?

    3. iron Silver badge

      Re: What about the mandatory installation of Facebook?

      My last several Galaxys have had FB pre-installed but you can uninstall it, and I have.

    4. doublelayer Silver badge

      Re: What about the mandatory installation of Facebook?

      Not that different, but the reason they won't be sued is that you could have checked whether Facebook was on it before purchase, whereas this was added to devices that previously didn't have it. I'd really like for preinstallation of that kind to be illegal, but we don't have a law that does that. I'd also like for root access so such things could be removed to be mandatory, but I won't count on getting that either.

    5. Michael Wojcik Silver badge

      Re: What about the mandatory installation of Facebook?

      Yes, it's quite different.

      Apps pre-installed by the manufacturer are part of what you elected to purchase. You may find them undesirable, and may object to the manufacturer's failure to notify you about them; but they are the actions of a private party, and as such are a matter that falls under the statutes that govern purchased products.

      The state (in the broad technical sense of "whatever organized governments hold sway in a particular jurisdiction") installing an application on your device without your consent is a government intrusion into your personal property. Those have a very different status under US law, as they should, given the overwhelming power of the state. Doing so without your knowledge is even worse.

      Others have noted that the app is (apparently) not active until enabled by the user, which is good; but it's not nearly sufficient to excuse what the plaintiffs allege in this case.

  7. NapTime ForTruth

    Installed how and by whom?

    I'm missing who actually performed the surreptitious installation, and by what means.

    Did the state use hacking tools to access citizen devices? How did they know the devices they breached belonged exclusively to citizens of that state? Were all the devices attached to one compromised network or were multiple mobile operators compromised?

    Or did the state require Google to install the tracking tools at the state's request? If so, why would Google cooperate with such an obviously invasive and almost certainly illegal request?

    1. ChoHag Silver badge

      Re: Installed how and by whom?

      > did the state require Google to install the tracking tools at the state's request?

      There was no compromise, no invasion. This is how mobile phones work. The only reason a dumb phone doesn't get stuff installed on it by all and sundry is that there's nothing to install. Control over the device by the network has been baked into phones from the beginning. Did you think that phone was yours?

      1. ds11

        This is a tech site

        The previous comment was valid. This is a tech site and should explain exactly how the "software" got on the phone.

        1. Snake Silver badge

          Re: how the software got on the phone

          I agree, we need more info.

          IFAIK standard Android Play Store installations always ask for permission prior to installation. The only way I personally have experienced otherwise is the auto-install systems linked to the carrier's preinstalled carrier-specific maintenance app. Sprint / TMO have their carrier apps with installation permissions given...which is why I both remove the permission and disable the app outright. Because I'm no fool.

          But most smartphone users are indeed oblivious to the factoid and have no idea that their phones are capable of this, thanks to their carrier. Is this the process that MA used? Inquiring minds want to know.

          1. doublelayer Silver badge

            Re: how the software got on the phone

            The Play Store app does not have to ask permission to perform an installation, and that was the mechanism used according to reports from the time (I didn't know about it then and just looked them up now). The ones I've read don't say who asked for the installation or how it got to that stage, but it was sourced from and installed by the Play Store app. If that's installed as a system app, so basically any device with Google Play Services installed as part of the image that hasn't been replaced, then it can bypass the need for notifying the user about installations, something a user-installed installer can't do.

        2. ChoHag Silver badge

          Re: This is a tech site

          A network operator clicked on their "install on all devices" button. Control over the phone by the network and not its user has been a feature of mobile phones since before Google were still promising they'd never make one.

          I question whether this really is a tech site.

          1. Snake Silver badge

            Re: This is a tech site

            Thanks, but still wouldn't work in my instance...i disable the Play Store as well :p heehee Plus I never keep my Google login activated on my phone, removing the account after I finish using said Play Store.

            So suck it up Google, not all of us play lemming for you ':-p

    2. Anonymous Coward
      Anonymous Coward

      Re: Installed how and by whom?

      For the UK, Google pushed out the 'Covid-19 Exposure Notifications' toolkit as part of the normal PlayStore updates.

      If you go to Settings > Google it should say 'Covid-19 Exposure Notifications - off' unless you installed one of the official Covid apps

  8. TheInstigator

    I do not see anything wrong with this (!)

    Surely it's in the interest of the greater good - and therefore we should submit willing and indeed welcome to initiatives such as this?

    Right? ... right? I mean the Americans are doing it - the land of the free and the home of the brave - it's gotta be the right thing to do!

  9. FrankAlphaXII

    Fuck the Koch drones but

    Fuck the Commonwealth of Massachusetts too.

    Big question is what else were they doing with the data and who else had access to it? I'm quite sure DPH were willing to hand over any data that was requested to the Staties, Boston or Springfield Police because thats how it works there. Same with UMass. And the joint Commonwealth-DHS Fusion Centers. And DSS or whatever they call it now.

    Massachusetts has never seen an invasion of privacy that it didn't like and as much as I abhor conservative SIGs I really don't trust the Commonwealth with anything like this because they use whatever they can get to fuck with people.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like