How Apple and Google are tackling their covid privacy problem
In just a matter of weeks, the two most important mobile operating systems in the world are going to get an unprecedented update: Google and Apple are working together to add coronavirus tracing to Android and iOS.
Contact tracing—tracking who has a disease and who they’ve been near in order to limit the spread of an outbreak—is a crucial tool in fighting diseases, including covid-19. But it’s traditionally a very human job that involves talking to people, detailing their movements, and making a lot of phone calls. Now the question is whether technology can do the job even faster, and without violating people’s privacy, security, and liberty. More on coronavirus The basic system uses your phone’s Bluetooth to anonymously track who you have been in close proximity to (you can read more detail in our previous report). If you opt in to the system, your phone will spot when you’ve been near other people who get diagnosed with covid-19, as long as they also use the system. You won’t know their identity and they won’t know yours, but your phone will flash a notification letting you know you’ve been at risk of exposure. It will be mid-May before the first true rollouts begin, but the information so far suggests that the Apple-Google system is clever and scalable. But it’s a system very much in the process of being built, with lots of questions unanswered. One of the biggest is the issue of privacy and trust. Will people download the apps built through Apple and Google’s collaborations with public health agencies? Will people trust that the apps are accurate? Will they believe that their data will be protected? Are they going to be concerned that this surveillance system—after all, contact tracing is ultimately a form of surveillance—will come back to haunt them? Elsewhere around the world, governments have already been building and using surveillance technology to fight the pandemic, including contact tracing apps. But they have often come with trade-offs. These systems may work, but they are also profoundly invasive. China, an authoritarian regime with a long history of maximalist surveillance, required citizens use an app that dictated whether they would be quarantined or allowed to move freely; its data is shared with police. In South Korea, a democracy that was the scene of early outbreaks, a pandemic surveillance system allowed the government to access smartphone location, credit card histories, immigration records, and CCTV footage from around the country. Taiwan has built “electronic fences” that track location to make sure that people are staying in place during quarantine. These systems may work, but they are also profoundly invasive. “These systems also can’t be effective if people don’t trust them,” the ACLU’s Jennifer Granick says. “People will only trust these systems if they protect privacy, remain voluntary, and store data on an individual's device, not a centralized repository.” Built-in benefits The Apple-Google system has some advantages over these other approaches. Because the companies control the operating systems and the phones people own, they can actually build a more private and more usable coronavirus tracing technology. For example, Singapore’s TraceTogether app is technically similar to the Apple-Google version, using Bluetooth to monitor any contact made by people diagnosed with coronavirus. But because it is a third-party app, it has enormous disadvantages: for example, iPhone TraceTogether users must keep their phone unlocked at all times as they move in order for the system to work. That’s something Apple can easily build around and then, with Google, scale to make accessible to virtually every government on earth. But that scale is part of the problem. If the benefit is that the two companies can use the data of 3 billion people, the drawback is that they can use the data of 3 billion people. Building contact tracing and surveillance without being creepy is not easy. The answer to this is that the Apple-Google system will not be a monolith: its implementation will vary from country to country. The companies say they are helping government public health agencies in North America, Europe, and Asia build their own apps that utilize the same underlying technology. Those governments will have their own rules, but the app will require explicit user consent to start tracking, and the user can always turn it off—either permanently or temporarily. And the companies are in part responsible for the outcomes, including potential abuses as well as medical successes. Related StoryWe need mass surveillance to fight covid-19—but it doesn’t have to be creepyThis is a chance to reinvent the way we collect and share personal data while protecting individual privacy.Importantly, the new system doesn’t collect any true location data: it’s all proximity data gathered by Bluetooth using randomly generated, regularly rotated identifiers that makes it harder to tie you to any of the other data your phone may carry about you. This means the system will know that you and another person at one point crossed paths for some amount of time, but that information won’t leave your phone until you choose to share it—and when you do, neither Google, Apple, nor other users will learn their identities or medical status. And the matching is only done on-device, the companies say. There is no single centralized server, though health organizations will be part of a decentralized infrastructure running the system. The aim of decentralization is to make malicious surveillance immensely difficult. In addition, the service will only be available to government public health agencies directly involved in coronavirus tracking, a group that Apple and Google say will be small and closely monitored. The technology will not be available to the general public, companies, non-government organizations, or even academics, in an attempt to avoid a potentially devastating and global privacy scandal. And while each country’s public health authority will build its own app using the Google-Apple system, the two tech giants say they will shut it down on a region-by-region basis when the pandemic is over. So far it doesn’t just seem that it’s smart and scalable: it’s pretty private too. Of course there are risks ranging from technical to political. Phones are hackable, and governments are susceptible to surveillance creep. What we have so far is a blueprint for something promising, but the actual implementation will make the difference. And the world will be watching to see what that means. “To their credit, Apple and Google have announced an approach that appears to mitigate the worst privacy and centralization risks, but there is still room for improvement,” says Granick, the ACLU’s surveillance and cybersecurity counsel. “We will remain vigilant moving forward to make sure any tracing app remains voluntary and decentralized, and used only for public health purposes and only for the duration of this pandemic.”