Last week, Apple and Google announced a joint effort to release a decentralized Bluetooth-based contact tracing system for smartphones that could be used to alert people if they’ve been exposed to someone who has tested positive for COVID-19.
The opt-in system will work by logging when users come into contact with other people who have the system enabled. If one of those people later tests positive for the virus, they would be able to notify those who they have come into contact with, without revealing their identity or location.
This technology comes at a time when governments around the world are looking into contact tracing technology, which they consider critical in order to ease lockdowns and social distancing restrictions.
The large number of cases means that conventional methods of contact tracing – usually personally interviewing the infected – need to be supplemented with technology such as the one Apple and Google are proposing.
“Through close cooperation and collaboration with developers, governments and public health providers, we hope to harness the power of technology to help countries around the world slow the spread of COVID-19 and accelerate the return of everyday life,” the two companies said in a statement.
However, despite the companies insisting that “privacy, transparency, and consent are of utmost importance,” many are concerned by the privacy implications surrounding the technology.
How it will work
The phones of Android and iOS users who have opted in will periodically transmit unique, anonymous pieces of code via Bluetooth. Phones in proximity to these users will then receive these codes and keep a log of them, as well as the time they were received.
When a person who has opted in is later diagnosed with the coronavirus, they can choose to submit their last 14 days’ worth of codes (essentially a list of all those they’ve been in contact with over that time) to a central database. The phones of users who have opted in will connect to the database on a daily basis to see if any of the codes in their phones’ logs match with one belonging to someone with the virus. If there is a match, users will then receive an alert that they were exposed to someone who has tested positive for COVID-19.
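The logging and matching flow described above, as a minimal Python model added here for illustration; it is not Apple's or Google's code or specification. The `Phone` class, the HMAC-based code derivation and the fixed secrets are assumptions made for the example; the 15-minute rotation and 14-day window are the figures given in this article.

```python
import hashlib
import hmac

ROTATION = 15 * 60          # seconds; the article says codes change every 15 minutes
WINDOW = 14 * 24 * 3600     # seconds; the article's 14-day reporting window

class Phone:
    """Toy model of one opted-in handset (hypothetical class, not a real API)."""

    def __init__(self, secret: bytes):
        self.secret = secret    # stays on the device
        self.sent = {}          # interval number -> code this phone broadcast
        self.heard = []         # (code, time received) from nearby phones

    def broadcast(self, now: int) -> bytes:
        # Assumed derivation: HMAC of the interval number under a device secret,
        # so codes from different intervals cannot be linked without the secret.
        interval = now // ROTATION
        code = hmac.new(self.secret, interval.to_bytes(8, "big"),
                        hashlib.sha256).digest()[:16]
        self.sent[interval] = code
        return code

    def receive(self, code: bytes, now: int) -> None:
        self.heard.append((code, now))

    def report_positive(self, now: int) -> list:
        # Only this phone's own codes from the last 14 days are uploaded.
        oldest = (now - WINDOW) // ROTATION
        return [c for i, c in sorted(self.sent.items()) if i >= oldest]

    def check_exposure(self, published: list, now: int) -> list:
        # Matching runs locally against the downloaded list.
        flagged = set(published)
        return [t for c, t in self.heard if c in flagged and now - t <= WINDOW]

def simulate() -> dict:
    alice, bob, carol = (Phone(bytes([n]) * 32) for n in (1, 2, 3))  # constructed secrets
    day = 24 * 3600
    stale, recent, today = 0, 10 * day, 20 * day
    bob.receive(alice.broadcast(stale), stale)            # outside the 14-day window
    for t in (recent, recent + ROTATION):                 # two consecutive intervals
        bob.receive(alice.broadcast(t), t)
    carol.receive(bob.broadcast(recent), recent)          # Carol only met Bob
    database = alice.report_positive(today)               # Alice tests positive
    return {"bob": bob.check_exposure(database, today),
            "carol": carol.check_exposure(database, today),
            "uploaded": len(database), "codes_differ": len(set(alice.sent.values())) == 3}
```

In this model the central database only ever holds the random-looking codes the diagnosed user chose to submit; each phone's log of received codes is compared against it locally.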
Apple and Google plan to release the technology in two phases.
The first phase is an application programming interface (API) that will be built into public health apps. These apps, with the interface built in, will be available for download from the Apple App Store and the Google Play Store starting in May.
The second phase is a Bluetooth-based contact tracing system that will be built directly into the iOS and Android operating systems, to be released at some point in the coming months.
“This is a more robust solution than an API and would allow more individuals to participate, if they choose to opt in, as well as enable interaction with a broader ecosystem of apps and government health authorities,” the companies said.
Users will be required to download official apps developed by public health authorities to submit information and will in turn receive alerts and additional information, such as links with details on symptoms and self-quarantine guidelines.
Privacy concerns over contact tracing
The coronavirus pandemic has given rise to wartime rhetoric from leaders around the world and with it a stronger push for emergency powers. Globally, citizens have come to realize that dealing with the coronavirus pandemic requires certain measures to be put in place that might encroach on their civil liberties.
The privacy rights of citizens have been greatly impacted by the pandemic, as governments have used various surveillance methods to track people’s movement in an effort to stem the spread of the virus.
China was the first country to introduce strict measures on citizens by using their personal data and the existing surveillance infrastructure to trace and limit people’s movements.
While this approach was initially criticized, in light of the perceived success China has had in limiting the spread of the coronavirus, other countries are starting to follow suit.
However, there is growing concern among privacy advocates that the use of intrusive tracking methods could ultimately lead to surveillance states, as governments resort to measures like using CCTV footage, tracking users’ phones and storing their credit card data.
According to the Wall Street Journal, the Centers for Disease Control and Prevention (CDC) and state, federal and local governments in the US are using mobile advertising data to analyze whether people are adhering to social distancing orders.
Last week, the American Civil Liberties Union (ACLU) released a report entitled “The Limits of Location Tracing in an Epidemic.” The report discusses issues related to the use of phone location tracking to help contain the coronavirus: who gets to access the data collected, how that data is then used and what the lifecycle of that data is.
“In this crisis, we need to seriously consider how technology might help improve public health,” said the ACLU’s Jay Stanley and Jennifer Granick. “This investigation must be based on a realistic understanding of what technology and data can and cannot do, lest we divert attention, expertise and financial resources from other, simpler but time-tested methods that are more effective. In particular, policymakers should understand the limits of existing location data and devices for automated contact tracing.”
After Apple and Google announced plans for their contact tracing system, Granick said in a statement, “No contact tracing app can be fully effective until there is widespread, free, and quick testing and equitable access to health care. These systems also can’t be effective if people don’t trust them. People will only trust these systems if they protect privacy, remain voluntary, and store data on an individual’s device, not a centralized repository.”
The two companies have stressed that the system doesn’t personally identify the user or use location data, that the user’s anonymous codes change every 15 minutes to prevent tracking and that any data collected remains on the device and doesn’t leave a user’s phone unless they choose to share it.
However, the extent to which governments will try to use the technology is still unclear, including how much data governments will collect with the technology and what they might do with this data.
Apple and Google didn’t respond to our questions on whether the tracking system will be in place after the pandemic. However, they have stated that those who do not wish to have the feature on can simply turn it off.
“To their credit, Apple and Google have announced an approach that appears to mitigate the worst privacy and centralization risks, but there is still room for improvement,” said Granick. “We will remain vigilant moving forward to make sure any contact tracing app remains voluntary and decentralized, and used only for public health purposes and only for the duration of this pandemic.”
Apple and Google have said that they will openly publish their work around contact tracing for analysis.