May 14, 2020
Apple-Google virus-tracking rules put apps in a privacy bind
From France to Australia to North Dakota, government apps designed to help authorities track and slow the spread of COVID-19 are struggling to accomplish their goals because of restrictions on data collection built into smartphones by Apple Inc. and Google.
That's leaving public health officials with few options but to use a system designed by Apple and Google themselves. The tech companies say their tools preserve privacy and work seamlessly on devices used by some 3 billion people.
Here's the rub: Those same privacy features lock authorities out of collecting information they can use to track the broader spread of virus, spot larger patterns and plan reopenings.
"The exposure app gives you an indication that you've been in contact with someone that was positive, but it doesn't do anything for the health department and its contact-tracing efforts," said Vern Dosch, a former technologist who is helping run contact tracing efforts for the state of North Dakota.
Apple and Google even renamed their framework Exposure Notification, signaling that it doesn't do true contact tracing, the process of tracking a virus from person to person. Instead, it lets individual smartphones keep track of which other handsets they've come close to by using Bluetooth wireless signals. If a person notifies the network they have tested positive for COVID-19, everyone they could have infected is issued a warning, if they've opted in.
The system does this matching anonymously on each device, rather than in a central database that governments could use to track the disease more broadly—a feature the companies say is more secure and helps quell user concerns about who sees their sensitive health data.
At the same time, the companies are refusing to ease restrictions in their mobile software that are blocking governments from building their own centralized, less private apps for contact tracing. That could blow back on the tech giants, who are already under scrutiny for antitrust violations and other business practices that critics say give them too much power.
"Apple could have helped us make it work even better," Cedric O, France's digital minister, said in a television interview last week, referring to the country's COVID-19 tracking app, set to launch in June. "A company that has never been in a better economic shape is not helping the government to fight the crisis. We will remember that."
Some countries have tried to find technical workarounds, but few governments have had success in building a working app without following Apple and Google's rules. Places that already have an app that uses location or sends data to a central server will not be allowed to update it with the tech giants' tools. That's forced North Dakota to build a second app on top of the one it already has.
"We pleaded our case with them, both Apple and Google," Dosch said—but the answer was no.
In most places, not enough people have downloaded the apps to make them effective in the first place, despite pleas from officials to do so. Apple and Google say their built-in system will eventually allow anonymous notifications to people who haven't downloaded a government app.
Contact tracing traditionally involves human investigators manually tracking a disease from person to person so they can isolate those who may have been exposed and help inform authorities where and when to put lockdowns in place. Using technology like Bluetooth or GPS helps this process by providing even more data about where an infected person traveled. Apple and Google's system only serves to notify individuals, rather than giving that information to governments and other the contact tracers trying to stop outbreaks.
Privacy advocates have generally praised the companies' approach, saying it preserves anonymity and security while still building a useful tool that can help fight the disease. But the situation illustrates the power of the tech giants when it comes to deciding the role of technology in people's lives.
The debate is similar to the one that emerged when the U.S. government demanded Apple build a software back door into iPhones to give authorities access for the purported reason of fighting crime and terrorism. Apple has resisted, saying the precedent would damage civil rights and privacy for the millions of people who use its devices.
Many users may well prefer a system with parameters set by Apple and Google. Preliminary results from a survey conducted by the University of Washington in Seattle suggest just that. Asked before Apple and Google announced their plans, more than half of the respondents said they'd be comfortable with Apple and Google map applications using location data to help stop the virus.
The main technological barrier that governments face is that Apple phones don't let apps send out Bluetooth "pings" when the phone is locked or the app is running in the background. That means people would have to walk around with their public-health app constantly open and their phones unlocked if they wanted nearby phones to pick up their signal—something people aren't likely to do. Another problem is that Apple and Google phones don't generally communicate well with one another, an issue the companies fixed for their own system by designing it together.A spokesperson for Apple declined to comment. Representatives for Google didn't respond to a request for comment.
In the U.K., the National Health Service opted to design its own system so officials could have a centralized database of COVID cases across the country. Data from the app would help human contact tracers figure out whom to call and let administrators make decisions based on patterns that emerged from the information, like where to ramp up testing and when to ease lockdowns.
But just days before the app trial started, the U.K. government published a contract issued to a Swiss engineering firm, asking it to look into adding Apple and Google's system to its own. The U.K. government said it continues to pursue its centralized model but is keeping all options under review.
France and the U.K. have become outliers in Europe with their decisions to opt for their own centralized approach, raising questions about how the region's systems will work with contact-tracing apps based on Google and Apple's tool. Experts say decentralized and centralized apps are incompatible, a prospect that could make cross-border travel in Europe more difficult given that authorities won't be able to easily exchange information about infections.
The European Union, which is pressuring member states to align on the issue, is set to issue minimum requirements for the interoperability of apps on Wednesday.
Singapore, which was the first country to roll out a Bluetooth contact-tracing app back in March, said explicitly that a shortcoming of its app is that iPhone users must have it running at all times "due to the design of Apple's iOS." The Canadian province of Alberta, which is using a version of Singapore's app, has run into the same problem.
The Dutch government has opted for using Google and Apple's approach after privacy experts criticized several independent tracing apps developed for the country. Australia's digital agency has said Bluetooth is "highly variable" on iPhones using the country's contact-tracing app, which launched well before the Apple and Google tools were available. The North Dakota app that uses location has struggled with accuracy problems because of restrictions put in place by the tech companies about how such data can be used when an app is running in the background.
Back in France, officials say they have found a way to make their app work without Apple and Google's help. It is set to go live on June 2, but the government hasn't released technical details about how it will work.
The persistent obstacles to a tech fix for contact tracing underscore that there isn't a clear-cut way to stop the virus while keeping privacy intact, said Ryan Calo, a law professor at the University of Washington in Seattle who specializes in privacy and technology."There's a role for technology to help with manual contact tracing, but there's no way to do that that I've seen without privacy trade-offs," Calo said. "You can't get out of a pandemic with a clever app."
©2020 Bloomberg News
Distributed by Tribune Content Agency, LLC.