This article is more than 1 year old
Koch-funded group sues US state agency for installing 'spyware' on 1m Android devices
Class-action lawsuit seeks $1 in nominal damages
The Massachusetts Department of Public Health conspired with Google to secretly install a COVID-19 tracing app onto more than 1 million Android users' devices without their knowledge and without obtaining warrants, according to a class-action lawsuit filed this week by the New Civil Liberties Alliance.
The New Civil Liberties Alliance claims to be a "nonpartisan, nonprofit civil rights group." Its biggest donors include right-wing backers such as the Charles G. Koch Foundation and the Charles Koch Institute. In September 2020, the group represented a Virginian landlord who sued the Centers for Disease Control to allow him to evict tenants during the pandemic.
The Massachusetts app, according to the legal complaint, gave the public health department, Google, application developers, and others access to the device owners' media access control addresses, wireless network IP addresses, phone numbers, contacts and emails, thus making these parties privy to the owners' personal information, location and movement. If Android users discovered and deleted the COVID-19 tracer, the state's health agency would reinstall it on their devices, the lawsuit alleges.
"In sum, DPH installed spyware that deliberately tracks and records movement and personal contacts onto over a million mobile devices without their owners' permission and awareness," the lawsuit claims [PDF]. "On knowledge and belief, that spyware still exists on the overwhelming majority of the devices on which it was installed."
At least two dozen other states also developed COVID-19 apps using Google APIs, but they used community outreach to encourage residents to voluntarily download the apps and opt-in for contact tracing, the court documents say.
Massachusetts, they allege "is the only state to surreptitiously embed the Contact Tracing App on mobile devices that DPH locates within its borders, without obtaining the owners' knowledge or consent."
This violates Android device owners' federal privacy and unreasonable search protections as well as the state's computer crime laws, according to the lawsuit, which also names the Massachusetts Department of Public Health Commissioner Margret Cooke as a defendant.
"The Massachusetts DPH, like any other government actor, is bound by state and federal constitutional and legal constraints on its conduct," Peggy Little, NCLA senior litigation counsel, said in a statement. "This 'android attack,' deliberately designed to override the constitutional and legal rights of citizens to be free from government intrusions upon their privacy without their consent, reads like dystopian science fiction — and must be swiftly invalidated by the court."
- Germany says nein to Qatari World Cup spyware, err, apps
- Apple sued for collecting user data despite opt-outs
- Google agrees to $391.5m settlement in privacy lawsuit
- COVID-19 contact tracing apps were suggested as saviors. They sometimes delivered
Per the legal challenge, the plaintiffs are asking the court to, among other things, stop secretly installing the contract tracing app without device owners' consent, and work with Google to uninstall the app in cases where the owner did not give permission and opt-in to downloading the tracer. They also want the court to declare that the "clandestine installations" of the tracing app violate state and federal protections.
The lawsuit seeks to make the health agency pay all costs and attorney fees related to the legal battle, and nominal damages of $1.
When asked about the lawsuit, a Massachusetts Department of Public Health spokesperson told The Register that the department hasn't received the lawsuit and doesn't comment on pending litigation.
Google did not respond to The Register's request for comment. ®