As the global coronavirus pandemic continues to spread and testing remains criminally limited, Apple and Google have announced a partnership to roll out contact-tracing technology to track the spread of covid-19. And Apple is promising that privacy is baked in from the start. Forgive our skepticism, but we’ll believe it when we see it.
Apple said in an announcement on its website that the effort will require a two-pronged joint initiative between the companies that will allow for Android and iOS devices to contact-trace across their two operating systems. First, beginning in May, the companies will roll out APIs that can be used in both Android and iOS contact-tracing apps from public health authorities, which people can download if they so choose. The companies will then work on broadening the effort by baking Bluetooth-based contact-tracing into iOS and Android. Apple says this will also be opt-in.
“Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders,” Apple said. “We will openly publish information about our work for others to analyze.”
Both companies appear to be willing to lay out the terms of the technology, which is good. And Bluetooth may be a better option than GPS tracking, as far as privacy and usefulness are concerned—but there can still be problems, such as short-range attacks on the local Bluetooth exchange between phones. Such risks are relatively low, though, and threats to privacy can be mitigated by proper implementation.
Using Bluetooth rather than more-invasive location-tracking technology is rising as a central idea in the fight against the coronavirus. Earlier this week, a group of researchers in Europe released a white paper detailing a Bluetooth-based protocol known as Decentralized Privacy-Preserving Proximity Tracing, or DP-PPT. Using this method, data is processed locally on a user’s phone and only transmitted with permission. It is possible Apple and Google will use something similar.
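The decentralized design that paragraph describes, as an added toy sketch written for this article (it is not DP-PPT's actual protocol and not Apple's or Google's code): each phone keeps a daily secret, broadcasts short-lived identifiers derived from it over Bluetooth, records the identifiers it hears, and uploads only its own seeds, after a positive test and with the user's consent; exposure matching happens on the phone, and no location is involved. The epoch length, identifier size, and the HMAC derivation are assumptions chosen for illustration.

```python
"""Toy decentralized proximity-tracing sketch (constructed illustration, not DP-PPT)."""
import hashlib
import hmac
import os

EPOCHS_PER_DAY = 96   # assumption: one rotating identifier per 15 minutes
ID_LEN = 16           # assumption: 128-bit ephemeral identifier


def new_daily_seed() -> bytes:
    """Fresh random secret for one day; it never leaves the phone unless the user consents."""
    return os.urandom(32)


def ephemeral_id(seed: bytes, epoch: int) -> bytes:
    """Identifier broadcast over Bluetooth during one epoch.

    Deriving it with HMAC means two identifiers from the same phone cannot be
    linked by anyone who does not hold the seed.
    """
    return hmac.new(seed, epoch.to_bytes(2, "big"), hashlib.sha256).digest()[:ID_LEN]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.seeds = {}   # day -> seed, stored only on this phone
        self.heard = set()  # (day, identifier) pairs seen from nearby phones

    def seed_for(self, day: int) -> bytes:
        return self.seeds.setdefault(day, new_daily_seed())

    def broadcast(self, day: int, epoch: int) -> bytes:
        return ephemeral_id(self.seed_for(day), epoch)

    def hear(self, day: int, eph_id: bytes) -> None:
        self.heard.add((day, eph_id))

    def consent_to_upload(self, days) -> dict:
        """The only data that ever leaves the phone: seeds for the days the user
        chooses to share after a positive test. It contains no locations and no
        record of whom the phone met."""
        return {d: self.seeds[d] for d in days if d in self.seeds}

    def exposures(self, published: dict) -> int:
        """Match locally against the published seeds. The server that hosts the
        seeds learns nothing about this phone, because the phone only downloads."""
        hits = 0
        for day, seed in published.items():
            for epoch in range(EPOCHS_PER_DAY):
                if (day, ephemeral_id(seed, epoch)) in self.heard:
                    hits += 1
        return hits


def encounter(a: Phone, b: Phone, day: int, epoch: int) -> None:
    """Two phones within Bluetooth range exchange their current identifiers."""
    b.hear(day, a.broadcast(day, epoch))
    a.hear(day, b.broadcast(day, epoch))


def simulate() -> tuple:
    """Constructed scenario: Alice meets Bob twice on day 1, Bob meets Carol on day 2,
    then Alice tests positive and consents to publish her day-1 seed."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    encounter(alice, bob, 1, 10)
    encounter(alice, bob, 1, 11)
    encounter(bob, carol, 2, 40)
    published = alice.consent_to_upload([1])
    # Bob finds two matching epochs; Carol, who never met Alice, finds none.
    return bob.exposures(published), carol.exposures(published)


if __name__ == "__main__":
    print(simulate())
```

The point of the sketch is what each party sees: a passive Bluetooth listener sees only random-looking identifiers that rotate every epoch, the seed server sees only the seeds of people who tested positive and chose to upload, and every other phone downloads those seeds and does the matching itself. It also shows the trade-off behind the metadata concern raised later in the article: a phone that gets a match learns that someone it was near was later diagnosed, which is inherent to any scheme where matching happens at the contact's end.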
There’s reason to be hopeful about this effort based on what we know so far. Dan Calacci, a PhD student at MIT whose research focuses on the impacts of data and surveillance, told Gizmodo in an email that the companies’ plan “shows that location data is absolutely not needed to make systems that help accelerate contact tracing and that privacy can be a high priority for these systems.”
However, Calacci—who has previously written about the privacy risks of contact tracing for Gizmodo—warns that the truth will be in the details. (Emphasis his.)
“[A]s we know from the NSA’s dragnet work, metadata about your social networks are often just as valuable. Just the structure of your network connections can say a lot about you, and these systems might introduce a risk of that information being leaked,” said Calacci. “It’s also worth being cautious about implementing an operating system level surveillance infrastructure. It might be cautious of privacy now, but all that’s needed for that to change is a shift in their protocol. We need to introduce strong governance and legal mechanisms to limit how a system like this could be altered in the future, and what it can be used for.”
Another factor, said Calacci, is “where this data goes.” Sending it to hospitals “makes sense” because “we have health data restrictions and existing norms that cover this. Government? [N]ot so great, since it can invite bad actors and alternate uses. If it’s hosted on a central server, it can also be a big attack surface for bad actors.”
Right now, we just don’t know much about how Apple and Google plan to implement the coronavirus-tracking tech, so we will have to wait and see what security and privacy experts find once it’s implemented. Further, while the companies say that the effort is opt-in, it’s difficult to know how the program might influence policy. Critics of contact-tracing have raised concerns, for example, about cruel enforcement tactics such as fines or jail time. But again, the effort appears to put the control in the hands of its users as to whether they wish to participate. And people are so desperate to avoid contracting covid-19 right now that privacy risks are—understandably but worryingly—falling by the wayside.
Apple has traditionally played its cards extremely close to the chest, but the smartest and most ethical approach to this effort will be to lay everything on the table and allow privacy experts to guide the effort—which it says it plans to do. Let’s hope Apple and Google make good on that promise.