corona-warn-app / cwa-app-android

Native Android app using the Apple/Google exposure notification API. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

Potentially confusing prompts when enabling Exposure Notifications #1721

Closed kbobrowski closed 3 years ago

kbobrowski commented 4 years ago

Current Implementation

User may face unexpected / confusing questions about Location permissions when turning on Exposure Notification. Just a heads up - I was not able to test it with Corona Warn App yet but the same happens on both Latvian and Italian apps which are Exposure Notification-based, it seems to be triggered by Google Services and not by country-specific apps.

[Image: en_permissions]

Suggested Enhancement

User may get a heads-up from Corona Warn App that he has to agree to turn on Location service, and can disagree with "Improving location accuracy". Not sure why the last prompt appears, perhaps it will be patched by Google since it is not necessary for the app to work properly. I was able to reproduce 3 prompts on Android 6 but on Android 10 only first 2 prompts appear.

French app gives following heads-up to the user (it has to get standard "Location" access though, but from user perspective it does not differ much from prompts above):

Important message: Attention, Android will ask you for access to this phone's location. StopCovid will only use Bluetooth detection of nearby phones, and never location data

Expected Benefits

May be possible to increase number of users agreeing to first two prompts (which is necessary for the app to work), and assure users that sharing location data with Google is not necessary and they can safely disagree without decreasing app functionality.


Internal Tracking ID: EXPOSUREAPP-2890

egandro commented 4 years ago

@kbobrowski

that's a really nice one :)

You also have to explain the user e.g. after pressing "no" how that can be fixed.

kbobrowski commented 4 years ago

Yes it's also important to guide user how to switch Bluetooth and Location back on if for some reason it is switched off (e.g. entering airplane mode). On Android 6 I get system notification that contact tracing is not working and that I should switch on either Bluetooth or Location (this notification can be dismissed though), but on Android 10 there is no notification.

Then we might have visual clues in the app - Italian app displays information on its main screen that action has to be taken to switch some service on, but Latvian app seems to have a bug and displays that contact tracing is on when in fact it does not emit any BLE frames (after switching either Bluetooth or Location off). Bose companion app for Bluetooth headphones displays it quite nicely, with explanation why it needs that.

[Image: Screenshot_20200608-011327]

meisterlampe commented 4 years ago

As far as I know, apps that are using Google's Exposure API are not allowed to have location access. I know this is normal behaviour for apps that use Bluetooth, but this is a special case and I would not expect to get such a dialog.

kbobrowski commented 4 years ago

@meisterlampe that's true, apps using EN API don't require "Location access", but they still need "Location" (global setting) to be turned on in order to operate. This is a subtle difference which might not be easy to understand for general public. User who has "Location" turned off and tries to use contact tracing app will get a dialog to enable "Device location" (and possibly also a dialog to enable anonymous location sharing).

meisterlampe commented 4 years ago

Let's hope that Google is able to patch this. I'm quite sure that some people will complain about that otherwise. :)

meisterlampe commented 4 years ago

Anyway. You are right, some explanation is needed for this. :)

MikeJayDee commented 4 years ago

This prompt is presumably built into the operating system. As the API is deployed using Play Services it probably can't work around this limitation. (Just a guess though.) Would be good to not have these prompts, but this might only happen once the API is built into the OS (which I believe is still the plan).

I agree with the short term fix explaining to the user that there will be some prompts coming with regards to location. Can you check in advance whether location is turned off globally so only advise users that will actually receive the prompt?

SebastianWolf-SAP commented 4 years ago

Dear colleagues,

I'm sorry to tell you that it has been decided that we won't add additional information dialogues in the app right now. Some of you already mentioned that this is a special characteristic of the Android operating system that cannot and also must not be circumvented. Details about that are explained in the Android Bluetooth Developer Documentation.

However, we explain clearly in our FAQ and all related communication channels that we don't use geolocation, e.g. here: https://www.coronawarn.app/en/faq/

Thank you for your understanding!

Best regards, SW Corona Warn-App Open Source Team

kbobrowski commented 4 years ago

@SebastianWolf-SAP thanks for informing us about this decision.

I'll just state here for the record that new privacy features introduced in Android 10 notify user by notification that some app is using GPS. Just got a notification that Google Play Services is using GPS and when I clicked on it I got to a settings page where I can toggle "Location" setting. Turning it off seems to be the only way to deny Google Play Services GPS access (it cannot be done separately like for other apps), and I guess some people will be switching it off after getting similar notification. This will disable CWA and would be good to somehow gracefully explain this situation to a user and bring this user back online.

But I understand that it would be difficult to explain - CWA won't of course collect location data but in order to work it needs Location setting on which in turn allows Play Services to collect GPS location, and CWA is not in a position to know for what Play Services needs these GPS data.

cannothing commented 4 years ago

So now, as a simple user, after being referred here because I wanted to know whether GPS should be on or not, I have dug through this nonsense and still don't know whether I can switch GPS off.

This is too stupid for me, the app is getting uninstalled.

KaiRoesner commented 4 years ago

@SebastianWolf-SAP , you can't squelch discussion about this topic like this if you want to gain acceptance for the app! People are not going to read the Android Bluetooth Developer Documentation, they are going to de-install the app if their doubts are not addressed. Also, it doesn't help to state that the app does not collect geolocation data if other apps are able to do that.

corneliusroemer commented 4 years ago

You CAN make a page that explains for each permission why it is needed and why Android labels it more broadly than you require.

The FAQs on Bundesregierung are not a good way to get this across. They are messy. Not good UX.

chrjsorg commented 4 years ago

Now that a number of (negative) reviews and issues have emerged this morning, the problem should perhaps be reassessed.

SebastianWolf-SAP commented 4 years ago

Well, we already knew that this will become a hot topic. ;) Anyway, you can control the location access of each app individually if you are concerned. Besides that: It has been Google's decision to implement it that way...

Best regards, SW Corona Warn-App Open Source Team

Bombastisch commented 4 years ago

Well why not cross post your answer from Reddit:

Bluetooth is enough, but location sharing (without GPS) is needed for BT. The location sharing topic is an Android-specific topic. We have already commented on this on GitHub: https://github.com/corona-warn-app/cwa-app-android/issues/262 In my view Google has solved this in an unfortunate way, but sadly there is nothing we can do about that. https://www.reddit.com/r/de/comments/h9x6ck/-/fuzkc01

Basically you need the GPS Android permission to use Bluetooth. This does not mean that the app saves your location, and in this case it does not.

It's an odd design decision by Google which you cannot circumvent.

KaiRoesner commented 4 years ago

I can switch off GPS, get the notification that I should switch on GPS to activate exposure notification but the app still tells me "Risiko-Ermittlung aktiv" - now, does it work or not with GPS switched off??

corneliusroemer commented 4 years ago

@SebastianWolf-SAP

Well, we already knew that this will become a hot topic. ;) Anyway, you can control the location access of each app individually if you are concerned. Besides that: It has been Google's decision to implement it that way...

Best regards, SW Corona Warn-App Open Source Team

Why? You just need to try to explain it better. Otherwise there wouldn't be tens of new issues being opened on GitHub.

Leave it open, work on better messaging, improve FAQs. So that we can spread the message for you on social media, linking to an explanation in public view. Rather than somewhere hidden on Github. You're harming the app's success.

But since you're not paid per download you don't care? If you knew it would be a hot topic, you should have figured out a solution to the messaging. Stop blaming Google.

thestinger commented 4 years ago

Location means location tracking. GPS is only one way to do that. The global Location toggle and the per-app Location permission don't refer to GPS specifically. For an app to be able to detect location, it has to be granted the permission and the OS toggle needs to be enabled. This app doesn't request location access itself. Location refers to location detection in general, including via scanning cellular towers, Wi-Fi networks and Bluetooth devices alongside GPS. Location doesn't mean GPS specifically. User-facing permissions are about personal data rather than specific ways of getting it.

The app is requesting access to the privacy preserving API. Play Services already has the Location permission by default. Having the Location permission isn't enough to use that. Location also has to be toggled on for the OS, since this is seen as particularly sensitive, so there are 2 layers. Once you enable it for the OS, apps with the Location permission are able to access location. In current versions of the OS, the permission also has 3 states: disabled, foreground and always. This requires that Play Services is allowed to always have access.

They could try to explain to users that the OS needs Location enabled so that Play Services can scan nearby devices and implement the privacy preserving protocol used by the app. Seems difficult to avoid any confusion about this. The contact tracing implementation provides an API that preserves the user's privacy, but the same access to Bluetooth scanning Play Services is using could also be used for fine-grained, invasive location tracking. There's a reason it requires that Play Services has the permission and the OS toggle to be enabled. If the underlying OS implemented this rather than Play Services, it could hide the implementation details from users, but that's not necessarily an improvement since engaging in the protocol does have privacy implications. It's a nice privacy preserving design, but that doesn't mean it has absolutely no impact on privacy.

thestinger commented 4 years ago

Those prompts with explanations are not part of this app, but rather Play Services and the OS.

1) Asking for permission to use the Play Services contact tracing API (the only thing the app is requesting itself)

2) Since Play Services needs location access for that to work, it triggers an OS prompt asking to enable location if it wasn't already enabled. If Play Services didn't have the Location permission enabled, perhaps it'd also ask to enable that if it knows how to handle this case.

3) After enabling location, the OS asks if you want to improve location accuracy using network-based location services - this prompt is tied to enabling location for the first time ever. It's unfortunate that it's triggered for this workflow, and it's a consequence of them offering this option to people instead of requiring them to go into Settings to enable it.

The app could try to explain this first. They don't control the content of those prompts once they trigger enabling this API. It would defeat the purpose of permission prompts if apps could come up with their own explanation, which could be dishonest.

thestinger commented 4 years ago

Consider what an app like Play Services could choose to do with the ability to scan nearby devices and broadcast information to them. Play Services is going out of the way to implement a (mostly) privacy preserving protocol but it's still a form of location tracking, and the underlying OS doesn't know what it's going to do with the sensitive location identifying information. It's just a consequence of them implementing it in Play instead of the OS, which they can't do, since it's only their OS on Pixels and perhaps Android One devices. Elsewhere, it's the vendor's fork of AOSP. Play Services is limited by the permission model - it has special privileged permissions available only to built-in apps, but it doesn't have a way to secretly scan for Bluetooth devices which can be used for invasive location tracking. It's not the app's fault, or Google's fault. It's just how things are.

kbobrowski commented 4 years ago

@thestinger I agree with you about technical details (except one small detail about 3rd prompt - it appears multiple times, not only the first time location is enabled). The problem is that 99.9% of population don't know about these details and they will be misinterpreting it should they encounter these prompts. I was just wondering whether this can be alleviated by improving communication with the user about these details.

thestinger commented 4 years ago

except one small detail about 3rd prompt - it appears multiple times, not only the first time location is enabled

FWIW, that sounds like a bug in how Play Services implemented this.

The problem is that 99.9% of population don't know about these details and they will be misinterpreting it should they encounter these prompts. I was just wondering whether this can be alleviated by improving communication with the user about these details.

I agree that this app could try to explain it in advance before requesting contact tracing from Play Services. It's not in control of the explanations in those dialogs once it does, and clarifying those seems to be what needs to be improved. The 2nd prompt is being wrongly interpreted as a Location permission request, rather than enabling Location for the OS for Play Services. Ultimately though, contact tracing is a privacy preserving form of location tracking and it makes sense that Location has to be enabled. Google couldn't hide the implementation details since they had to do it via Play Services.

kbobrowski commented 4 years ago

except one small detail about 3rd prompt - it appears multiple times, not only the first time location is enabled

FWIW, that sounds like a bug in how Play Services implemented this.

this is also my feeling, it also does not appear every time, from my experience it happens roughly in 50% of attempts

It's not in control of the explanations in those dialogs once it does, and clarifying those seems to be what needs to be improved.

agree

corneliusroemer commented 4 years ago

Good points here, maybe valuable over here on a new issue corona-warn-app/cwa-app-android#519 that hasn't been closed yet to keep the momentum going. I think we should reopen if closed until resolved. SAP might want to take the 20mio and run, but they should fix all major issues first, and this is definitely one.

SebastianWolf-SAP commented 4 years ago

I posted an extensive statement about this topic in corona-warn-app/cwa-app-android#519, please see comment https://github.com/corona-warn-app/cwa-app-android/issues/519#issuecomment-644711997.

corneliusroemer commented 4 years ago

Here's an article by Spiegel summarising. I think that's very good to know and could be linked in the FAQs potentially to give an independent position and assuage concerns. https://www.spiegel.de/netzwelt/apps/corona-warn-app-wieso-muessen-android-nutzer-den-standortzugriff-aktivieren-a-7f372aea-25e9-49f7-9ae3-9568cf526c04

btreut commented 4 years ago

During my normal use Standort is off, but Bluetooth is on, but CWA notifies me: [Image: Screenshot_20200616-230545_Samsung Experience Home] What does this mean? The Spiegel article does not help ...

Can I safely ignore that message and the app still works as expected?

speedy-1702 commented 4 years ago

Here's an article by Spiegel summarising. I think that's very good to know and could be linked in the FAQs potentially to give an independent position and assuage concerns. https://www.spiegel.de/netzwelt/apps/corona-warn-app-wieso-muessen-android-nutzer-den-standortzugriff-aktivieren-a-7f372aea-25e9-49f7-9ae3-9568cf526c04

Disagreement! I am not sure, whether statements like

...In short, the answer is: it's complicated, but no reason to panic...

are calling trolls and conspiracy theorists to action.

corneliusroemer commented 4 years ago

@btreut You need to switch on the "location" access, the "pin" at the top right.

This is exactly what this whole issue is about. The OS needs location enabled for the Exposure API to work.

tkowark commented 4 years ago

The team will now investigate how to better explain the Location usage in the application, hence we moved this issue to the cwa-backlog repository.

gizmo21 commented 4 years ago

Here are newer articles on Google IS sending location data every 20min to its servers: https://github.com/corona-warn-app/cwa-app-android/issues/519#issuecomment-663916609 and the lack of German government requesting to unbundle location and BLE beacon usage.

But I would also like to point out the situation with 3rd party apps using location after our government requests to install the CWA app and for that use the Google API:

All other installed 3rd party apps that have the location data permission on can now track the users permanently.

Before installing the CWA app (or using Google BLE-API tracing protocols generally) one could give LOC permission to all 3rd party apps, but deactivate GPS permanently in the settings menu until one really needed the help of apps in certain locations. Then turn on the GPS in the settings menu, use the one 3rd party app you need (and send all LOC data for that short amount of time to all other 3rd party apps) and after that turn GPS off for good again. Two finger slides, two buttons pushed - that's all.

Now with CWA on, if you are privacy aware, you have to manually deactivate LOC permission on ALL 3rd party apps (then GPS data is - as it seems "only" collected by Google), but if you like to use the location benefits of a 3rd party app in a certain situation, you have to again manually activate LOC permission on that 3rd party app deep in the apps menu and deactivate it manually afterwards in the same menu. That is really annoying and will push the user to leave it activated for good and finally send all your LOC data permanently to all 3rd party apps.

So CWA should mention that by using it you will send all location data to all 3rd party apps until you manually deactivate location permission on all other apps.

SAP should on top request our government to push Google to change the need of location data on in the API as other governments already did.

kbobrowski commented 4 years ago

@gizmo21 thanks for linking these articles, NY Times is referring directly to CWA:

Some Android users in Europe say they feel misled by their governments. Instructions on many of the apps direct Android users to turn on location, for instance, but make no mention of Google or that users can stop the company from determining their precise locations by turning off the accuracy feature within the location setting.

Agree with NY Times reporters here that SAP should at least make best effort to minimize impact on the user's privacy (informing the user that "improved location accuracy" can be switched off safely and is not required for CWA to work). Informing user about what kind of location data is shared with Google if "Location setting" is switched on would also be the right thing to do, if it is possible to get this information.

I don't fully agree with this part though:

Professor Dmitrienko, the software security expert, said the solution was for governments to push Google to stop requiring Android users of the virus alert apps to turn on location.

“They have sufficient power, and they could put pressure even on such giants as Google and Apple to do something about it,” she said.

My view on this is that Google is free to do whatever it wants - it's not a public service company. They offered Exposure Notification framework for free and governments are free to use it or not. If Google practices are not up to the European standard or expectations then Europe should have been developing its own fork of Android, like China is doing via Huawei. That said - once governments decided to rely on Google then detailed explanation of privacy implications should be provided to the user.

Ein-Tim commented 3 years ago

Is the behavior of the App today with f.e. Android 10 and the newest App Version still the same? (Don't use Android 11, with Android 11 the Location does not have to be activated to use the ENF)

MikeMcC399 commented 3 years ago

This issue is related to "Misleading / incorrect instruction to "Allow location access" during onboarding" https://github.com/corona-warn-app/cwa-app-android/issues/1541 where I brought up the topic that there are static texts stating that location must be enabled. If #1541 is resolved, then the information should become dynamic and correspond to the current settings and needs of the app, depending on Android version.

MikeMcC399 commented 3 years ago

Hi Kamil @kbobrowski !

I'm not sure that the app can do much more than it is already doing in current versions like 1.14.3.

The app outputs the following informational texts during onboarding:

[Image: Activate Location Setting EN DE]

The pop-up "Turn on the device location setting" will be shown if the location setting is disabled in Android settings during onboarding and if the Android version is 10 or less. This message is output by the Google Exposure Notifications System, and the app doesn't have control of this message.

The pop-up "Improve location accuracy?" I'm seeing also on Android 8 (I don't have a physical Android 6 device available to test on.) This pop-up isn't shown by Android 10. That corresponds with your findings. In any case it is a function of the Android system, and again the app has no control of the message.

Do you think your enhancement request still needs to stay open? The location issue doesn't seem to be causing confusion these days. At least it is not coming up as new issues here on GitHub.
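
The advance check MikeJayDee asks about earlier in the thread, combined with the per-version behaviour the commenters report, could be sketched in Kotlin as follows. This is an added example, not code from the CWA repository: `ExpectedPrompt`, `expectedLocationPrompts` and `headsUpText` are hypothetical names, the message strings are constructed, and the version thresholds are assumptions taken from observations in this thread (Android 11 needs no Location; "Improve location accuracy?" seen on Android 6 and 8 but not on 10).

```kotlin
import android.content.Context
import android.location.LocationManager
import android.os.Build
import androidx.core.location.LocationManagerCompat

// Thresholds reflect what commenters in this thread observed,
// not documented Play Services behaviour (assumption).
private const val API_ANDROID_10 = 29
private const val API_ANDROID_11 = 30

enum class ExpectedPrompt {
    TURN_ON_DEVICE_LOCATION,   // shown by the Exposure Notifications System
    IMPROVE_LOCATION_ACCURACY  // shown by the OS; the user can decline it
}

/** Pure decision logic, so it can be unit-tested on the JVM without a device. */
fun expectedLocationPrompts(sdkInt: Int, locationEnabled: Boolean): List<ExpectedPrompt> {
    // Android 11+: Location does not have to be on for the ENF (per this thread).
    if (sdkInt >= API_ANDROID_11) return emptyList()
    // Global toggle already on: neither system prompt is triggered.
    if (locationEnabled) return emptyList()

    val prompts = mutableListOf(ExpectedPrompt.TURN_ON_DEVICE_LOCATION)
    // Reported on Android 6 and 8, absent on Android 10. Treating every
    // release below 10 the same way is an extrapolation from those reports,
    // and the prompt was reported to appear only some of the time.
    if (sdkInt < API_ANDROID_10) prompts += ExpectedPrompt.IMPROVE_LOCATION_ACCURACY
    return prompts
}

/** Android-side wrapper: reads the global Location toggle, not a per-app permission. */
fun expectedLocationPrompts(context: Context): List<ExpectedPrompt> {
    val lm = context.getSystemService(Context.LOCATION_SERVICE) as LocationManager
    val enabled = LocationManagerCompat.isLocationEnabled(lm)
    return expectedLocationPrompts(Build.VERSION.SDK_INT, enabled)
}

/** Returns the heads-up to show before enabling EN, or null if no prompt is expected. */
fun headsUpText(prompts: List<ExpectedPrompt>): String? {
    if (prompts.isEmpty()) return null
    val lines = mutableListOf(
        // Constructed wording, not the app's actual strings.
        "Android will ask you to turn on the device Location setting. " +
            "The app itself uses Bluetooth only and never reads your location."
    )
    if (ExpectedPrompt.IMPROVE_LOCATION_ACCURACY in prompts) {
        lines += "You may also be asked to improve location accuracy. " +
            "You can decline this; the app works without it."
    }
    return lines.joinToString("\n")
}
```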

MikeMcC399 commented 3 years ago

I suggest closing this issue. CWA 1.15.1 shows the following messages during onboarding, which are now much clearer.

[Image: Activate Location Setting EN DE 1 15 1]

The other messages are from the operating system and the CWA app has no control over them.

dsarkar commented 3 years ago

Hi @kbobrowski, see https://github.com/corona-warn-app/cwa-app-android/issues/1721#issuecomment-808451893. We suggest closing this issue. Best wishes, DS


Corona-Warn-App Open Source Team