Android 10: GPS is required to be activated?

[beceha]

Contrary to the statement that GPS is not required for this app for data protection reasons: Why does the app now require that GPS be activated during initial setup in addition to Bluetooth?

Technical details

Samsung Galaxy Note 9 with Android 10

[sphrases]

Is the phone really asking for gps, or location service permission? Afaik, on some phones bluetooth falls under location services, and the user can only confirm both.

[niklasfyi]

Same here on my OnePlus 6 with LOS 17.1 (Android 10).

If I deactivate GPS I get a notification saying that I need to activate location to use exposure notifications. (BT was activated the whole time)

[markusmarkusz]

As far as I know Bluetooth Low Energy needs GPS (or at least a location related perm?) enabled for it to work. This was introduced with Android 6

[KaiRoesner]

Ditto on my Moto G6 (Adnroid 9). I also get this notification when I switch off GPS but the app still tells me that exposure notification is active.

[alexander-zierhut]

Same on the Samsung Galaxy A50

[niklasfyi]

As far as I know Bluetooth Low Energy needs GPS (or at least a location related perm?) enabled for it to work. This was introduced with Android 6

You are right. I just found an article online saying exactly what you just said

BLE GPS Issue

[SebastianWolf-SAP]

The correct answer was already posted, please also see the comment https://github.com/corona-warn-app/cwa-documentation/issues/250#issuecomment-644610298 and #262 for details.

Mit freundlichen Grüßen/Best regards, SW Corona Warn-App Open Source Team

[corneliusroemer]

this issue will be closed as duplicate https://github.com/corona-warn-app/cwa-app-android/issues/262

SAP doesn't care. They will just blame Google. Rather than explain what's going on

[corneliusroemer]

Haha, while I was writing this it got closed. Please reopen #262 !

[corneliusroemer]

The correct answer was already posted, please also see the comment corona-warn-app/cwa-documentation#250 (comment) and #262 for details.

Mit freundlichen Grüßen/Best regards, SW Corona Warn-App Open Source Team

@SebastianWolf-SAP What do you mean by "correct" answer. This is not a question of right or wrong. It's about explaining it to people who are not experts in tech...

[thestinger]

Location means location detection, not GPS specifically. That includes detecting it via nearby cellular towers, Wi-Fi networks or Bluetooth devices. Engaging in the contact tracing protocol requires sensitive access to Bluetooth devices. It is possible to use Bluetooth devices via pairing without requiring location to be enabled, but scanning them like this requires it to be enabled. Play Services is performing a form of location tracking to implement contact tracing. It turns it into a privacy preserving API (Exposure Notification API) which is what the app requests from the OS. The app is not requiring the Location permission, but rather is requesting that Location is enabled in the OS, so that the OS can do it. If this was implemented by the Android OS itself rather than Play Services, which is an app, it could be hidden from the user that it requires something considered to provide a form of location tracking. Perhaps it's a good thing that there is more transparency due to Play Services being an app.

[thestinger]

Consider what contact tracing provides. It's a (mostly) privacy preserving way to detect whether you came into proximity with other devices. Detecting whether you came into proximity with devices is a form of location tracking. If Play Services wasn't an app using the Location permission to get access to this functionality, this could be hidden from the user. It has the Location permission granted by default, so users don't have to grant that, but Location does need to be enabled. You're enabling this so that Play Services can use Bluetooth in a way that COULD be used for fine-grained, privacy invasive location tracking to implement the privacy preserving API for the app. The only way it could be hidden is if the OS inherently trusted Play Services to always have location access without the user knowing about it or having control over it.

When a user is using Android, they're placing their full trust in the vendor making the device, but they don't have to completely trust Google. They can disable Location for Play Services or disable the app as a whole. Google could have integrated this feature into the stock OS for Pixels, but they don't provide the OS for most Android devices (the phone's OEM does), so instead they implemented this via Play Services, which has to work within the permission model (it has assorted privileged permissions not available to regular apps - but it's far from having complete control of the OS).

[cannothing]

this issue will be closed as duplicate #262

SAP doesn't care. They will just blame Google. Rather than explain what's going on

I have written as a private person to SAP Corona Warn-App Open Source Team corona-warn-app.opensource@sap.com. I have got the same answer as in https://github.com/corona-warn-app/cwa-app-android/issues/476

Let me put in this way, such an answer to a private average user shows a big lack of understanding how to communicate to normal people.

[corneliusroemer]

this issue will be closed as duplicate #262 SAP doesn't care. They will just blame Google. Rather than explain what's going on

I have written as a private person to SAP Corona Warn-App Open Source Team corona-warn-app.opensource@sap.com. I have got the same answer as in #476

Let me put in this way, such an answer to a private average user shows a big lack of understanding how to communicate to normal people.

@cannothing Thanks for reporting your experience and trying another route. I suspect we just have to keep fighting here and on Twitter. Maybe eventually they will budge. It's worth the fight. I've reopened with slightly different emphasis here #519