Amid a crisis like this, it's encouraging to see major companies collaborating for the common good.
Apple and Google are working together to assist health authorities with contact tracing, which some believe is one of the best ways to combat the COVID-19 pandemic.
But will these apps put your privacy at risk?
What is contact tracing?
In short, contact tracing involves getting extremely detailed or granular about your location and those with whom you come into contact.
With contact tracing, health authorities map the activities of disease carriers. By retracing a sick person's travel, destinations, and potential contacts, they can spread warnings about specific areas and test anyone in direct contact.
Contact tracing is the technique that South Korea is currently using to curb the spread of coronavirus, and Vox recently shared a video explaining the significance of contact tracing to the coronavirus pandemic.
But contact tracing is a lot easier when researchers or governments can track someone's whereabouts before they get sick.
This way, they have a definitive picture of where the disease has been and where it could be going.
And this is where Apple and Google come in. From a post by Apple:
"Apple and Google will be launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing."
With contact tracing apps, a user can consent to give their location via their mobile device. Not only can the app notify users about infections in their area, but the data can also help health authorities if the user becomes sick themselves.
Google and Apple are imagining this project as a two-step process, and plan to use Bluetooth to make it happen:
- In May, both companies will release APIs that enable interoperability between Android and iOS devices using apps from public health authorities. These official apps will be available for users to download via their respective app stores.
- In the coming months, Apple and Google will work to enable a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms. This is a more robust solution than an API and would allow more individuals to participate, if they choose to opt in, as well as enable interaction with a broader ecosystem of apps and government health authorities.
What are the privacy risks of contact tracing?
In theory, contact tracing sounds like an excellent solution.
But Ryan Calo, a professor at the University of Washington School of Law and co-director of the university's Tech Policy Lab, identified the privacy risks of this system when he testified before Congress in April 2020:
"The appeal of contact tracing apps is intuitive. Many Americans today face a Hobson's choice: remain at home in isolation, leaving social relations—and the economy—in tatters, or venture out into the world and potentially contract and spread COVID-19. The developers of contact tracing apps hope to offer a third way: safe mobility even in the absence of herd or vaccine immunity by crowd-sourcing the detection and avoidance. Laudable as this goal may be, the technique is unproven and the drawbacks potentially significant."
And one of the potential drawbacks is privacy.
When you consent to a contact tracing app, you're giving all the data surrounding your whereabouts over to health authorities. You're also giving it over to other users (though your name and identity are almost never available with these apps; you're usually just a "dot," like in the Vox video).
How will Google and Apple protect privacy in contact tracing?
To hopefully relieve anxieties, Google and Apple have specifically addressed how their apps with address privacy:
- The Contact Tracing Bluetooth Specification does not require the user's location; any use of location is completely optional to the schema. In any case, the user must provide their explicit consent in order for their location to be optionally used.
- Rolling Proximity Identifiers change on average every 15 minutes, making it unlikely that user location can be tracked via Bluetooth over time.
- Proximity identifiers obtained from other devices are processed exclusively on device.
- Users decide whether to contribute to contact tracing.
- If diagnosed with COVID-19, users consent to sharing Diagnosis Keys with the server.
- Users have transparency into their participation in contact tracing.
The idea of giving our data to health authorities and people around us is a real possibility, but in some ways also a scary one.
In a time like this, it's important to consider the differences between physical health and digital health, and how to weigh the balance between the two.
For more information on the Apple and Google initiative, visit here.
[RESOURCE: SecureWorld daily security briefings; see the schedule.]
