As more states and cities explore reopening amid the coronavirus pandemic, Apple and Google have struggled to keep up with the flood of third-party contact-tracing apps in their respective app stores. Now, New York Attorney General Letitia James is urging both companies to impose stricter protections for consumers.
James has sent letters to each company urging them to restrict existing and future third-party contact-tracing apps from collecting and storing a user’s personal health information. She also called on the companies to clarify the difference between apps developed by public health authorities and those made by developers, who may not have consumers’ best interests in mind.
“As businesses open back up and Americans venture outdoors, technology can be an invaluable tool in helping us battle the coronavirus,” James said in a statement. “But some companies may seek to take advantage of consumers and use personal information to advertise, mine data, and unethically profit off this pandemic. Both Apple and Google can be invaluable partners in weeding out these bad actors and ensuring consumers are not taken advantage of by those seeking to capitalize on the fear around this public health crisis.”
The letter also emphasizes that the average consumer may not understand the difference between the contact-tracing technology jointly developed by Apple and Google and independently created contact-tracing apps that may use a different standard. Last month, both companies laid out specifics about how the jointly developed API ought to be used. In a nutshell, Apple and Google only plan to permit federal and state health agencies to use its API, and the related apps wouldn’t be able to access a smartphone’s geolocation data. Targeted ads are also explicitly prohibited.
That’s not necessarily true for third-party contact-tracing apps. Last week, a Wall Street Journal report revealed that several third-party apps currently available for iOS and Android not only allow advertising, but also share location data with third-parties. With no uniform standards in place, Apple and Google have become de-facto regulators of these covid-19 apps. Despite efforts by both companies to keep shady apps out of their stores, some are still available for download.
As for how Apple and Google should crack down on these dubious contact tracing apps, James offered four suggestions: 1) limiting the collection of personal health data to apps affiliated with federal or state public health agencies; 2) banning the use of consumer data for targeted ads; 3) banning third-party apps from using data to identify anonymous users; and 4) requiring all third-party apps to delete user data on a rolling 14-day basis, as well as provide users an easy way to manually delete their own data.
James’s letter is yet another reminder of the privacy risks contact-tracing apps pose. While these apps do eliminate the tedium of manual contract tracing, how they collect data to notify users is a major point of contention between governments and security experts. There’s already been friction between Apple, Google, and countries advocating for a “centralized” approach to contact tracing—basically, a method that would funnel data through an official server. France and the UK have both rejected the decentralized approach advocated by Apple, Google, and over 300 scientists and researchers from 25 countries. Singapore recently said it is now exploring developing a contact-tracing wearable as it could not come to an agreement with Apple over iOS Bluetooth restrictions.
Meanwhile, in the U.S., legislators recently introduced a bill that would impose several restrictions on how consumer health data is collected and shared on contact-tracing apps. That said, a recent joint poll between the University of Maryland and the Washington Post revealed that the majority of Americans are either unable or unwilling to use a contact-tracing app—citing privacy as a major reason.