As an unfathomably large and powerful international corporation, it makes sense that people are generally wary of Google, in the same way that space truckers are wary of any boss that tells them to land on an alien planet and inspect unknown life signs. Some Massachusetts residents are feeling that way right now, after noticing that the state's official COVID contract tracing app was installed on their phones, allegedly without any alert or permission.
The accusations come in the form of user reviews in the Exposure Notifications Settings Feature - MA app on the Play Store, invariably leaving one star. Ycombinator posted the story soon after. While a lot of the reviews follow the accusation with the kind of conspiracy theories that have become a mainstay of any topic close to the coronavirus, users complaining of third-party apps being downloaded to their hardware without consent certainly do have a legitimate grievance. As the saying goes: if they can do it for a good reason, they can do it for a bad one.
According to Google's support documentation, a COVID tracing app has to be downloaded manually, after which the user must once again manually opt-in to contact tracing exposure notifications. A secondary method is to manually enable Exposure Notifications in the Google App itself, then have the app for your area (or any apps for areas you've traveled through) automatically downloaded. Apps are not available in all countries or states.
But some users are reporting that, not only did they not manually install the Massachusetts contact tracing app, they had the Exposure Notifications option in the Google app disabled. That being the case, it's not clear how an app could have been installed in the background, presumably selected for users that Google determined were currently or formerly within Massachusetts. Other users who did opt in to the system via the Google app found that the relevant state apps were automatically installed, the expected and desired behavior.
At least one member of the Android Police team saw similar problems, driving from California to Arizona with the Google notification option manually disabled, but finding the Arizona contact tracing app installed anyway. So this issue may go beyond Massachusetts.
It seems more likely that this is a case of incompetence rather than malfeasance or Big Brother overreach, the good old Hanlon's Razor in action. But frankly, people are right to be upset no matter the cause of the issue. We've reached out to Google for comment, and will update this story if we hear back from the company.
Google sent us a reply to our inquiry, with the prepared statement, emphasis ours:
We have been working with the Massachusetts Department of Public Health to allow users to activate the Exposure Notifications System directly from their Android phone settings. This functionality is built into the device settings and is automatically distributed by the Google Play Store, so users don't have to download a separate app. COVID-19 Exposure Notifications are enabled only if a user proactively turns it on. Users decide whether to enable this functionality and whether to share information through the system to help warn others of possible exposure.
If you don't want to parse the legalese: while Google says that it is indeed automatically downloading contact tracing applications, they're not actually enabled unless the user opts-in, via either the app itself or the Settings menu seen above. The idea is to get as many people using them without the need to actually track them down in the Play Store, though Google makes it clear that they aren't actually tracking any data without permission. Take that for what it's worth.