As Apple and Google collaborate, governments weigh privacy balance of virus contact tracing
14 Apr 2020 12:50 pm by Matthew Newman
With Apple and Google set to collaborate on coronavirus-tracing smartphone technology, many of the world's governments are weighing the privacy implications of using the ubiquitous gadgets tucked into our pockets to help society emerge from economy-crippling lockdowns.
With 3.5 billion smartphone owners — almost half of the world’s population — governments have quickly understood they can use the vast troves of location data collected through smartphones to determine the next hot spots for the virus, the effectiveness of stay-at-home orders, or whether stricter quarantine measures are needed.
Apple and Google, makers of the world's two most heavily used mobile operating systems, said today in a joint statement that they will collaborate to allow both iPhone and Android smartphone owners within months to use Bluetooth technology that would convert their devices into Covid-19 watchdogs, sending them an alert following any close contact with someone who discovers they are infected.
"The plan is to implement this solution in two steps while maintaining strong protections around user privacy," the companies said of the technology, which would require users to opt in to apps or operating system settings, and then voluntarily share their health information anonymously should they become sick or infected with the virus.
Governments in Asia, notably China, South Korea, Taiwan and Hong Kong, are already using smartphones as digital tracking devices to ensure that citizens are following quarantine restrictions; the two-step plan by Apple and Google to develop software interfaces as soon as May could accelerate those efforts.
Western democracies are loath to imitate these measures because of strict data-protection rules, but they are weighing the privacy implications of using mobile apps to help ease confinement orders as the rate of new infections either reaches a plateau or starts to fall.
In Europe and the US, researchers and developers are scrambling to develop an app that would warn someone when they come into contact with someone who has tested positive for Covid-19.
These contact-tracing apps, which would be voluntary and use anonymous data, have been endorsed by eight European countries including Germany, and are under serious consideration by the French and Italian governments.
The European Commission is developing guidelines that could be used across the 27-nation bloc to ensure that these apps work with each other and include safeguards to ensure the protection of citizens’ fundamental rights. EU governments that deploy tracking apps must respect fundamental privacy values, a draft commission recommendation seen by MLex says.
In the US, a government-sanctioned approach to location tracking apps is unlikely to happen, for both legal and social reasons. The US is pursuing a bottom-up approach to smartphone data, with an idealistic coalition of tech entrepreneurs and academics cobbling together Covid-19 tracking apps that would protect privacy and gain people’s trust, something the US government and big tech companies have struggled to do.
Contact tracing seeks to identify the people who have had close contact with the infected individual and therefore may be infected themselves. The strategy reduces the need for stay-at-home measures.
When a novel virus starts to spread, manual contact tracing is used. Public health workers rush to interview infected people to determine with whom they’ve been in contact. But this is subject to a person's ability to recall everyone they've been in contact with over a two-week period.
Manual contact-tracing for Covid-19 is no longer an option. That means governments are looking to automate this process with mobile apps.
Singapore’s app is often cited as the most likely model for the West. Residents voluntarily download an app called TraceTogether, which uses Bluetooth technology to keep a log of nearby devices. If somebody gets infected, that user can upload relevant data to a central server run by a public entity, which then notifies the owners of all the devices pinged by the infected person’s phone.
People who receive an alert would know they should be tested and go into self-isolation. The goal is to prevent the epidemic from accelerating again when governments start lifting lockdown orders and people begin circulating in public.
The system identifies not only contacts, but also the distance and the amount of time they spent in close proximity to each other. This is particularly important with Covid-19, which excels at spreading because it's contagious when there are few or no symptoms.
The urge to use contact-tracing technology is tempting because three-quarters of Europe’s population walks around with smartphones. But governments are wary of jumping in without taking a hard look at whether such technology would make a difference and whether the privacy and data protection hurdles are too high. They argue the priorities should remain on social distancing, testing and finding a vaccine.
To ease those concerns, governments have stressed that there would be no obligation to download the app and that the data would be anonymous: it wouldn’t be possible to geolocate infected individuals. Other safeguards include the deletion of data when the system is no longer needed, an independent public entity to oversee the app, and measures to prevent the re-identification of individuals.
These assurances are meant to place Europe’s attempts at a tech solution in a privacy-friendly framework that would contrast with the intrusive, mass-surveillance approach applied in China and South Korea.
In China, citizens are obliged to download the Alipay Health Code, which uses a traffic-signal system: green means people can travel freely; yellow means home isolation; red dictates mandatory hospital quarantine. The color label is generated by factors including whether the areas the person has visited have had a confirmed case, and whether the person has been to a high-risk area such as Wuhan, where the outbreak started in China.
Since the earliest stages of the epidemic, South Korea has taken some of the world’s most aggressive measures to use phone location and other digital data to trace infections. Concerned about the inflow of the disease from overseas, the government is now requiring people entering the country to download an app that tracks their location during a two-week isolation period. The government receives an alarm if a person ventures as far as 30 meters from his or her designated quarantine area.
After some people were found to have left their quarantine areas without their phones, the government is considering stricter measures, including mandatory location-tracking wristbands.
Bluetooth technology, which would be the basis of the system planned by Google and Apple, is also gaining traction in many European countries because it would involve storing data on a user's phone and doesn’t employ geolocation data, which is seen as much more privacy-invasive.
The European Data Protection Board said today that it welcomed the Apple-Google plan to create contact-tracing technology that would run on both iOS and Android devices. "Ensuring interoperability between operating systems can be a necessary step towards deploying technology solutions to serve humankind in this time of history," the EDPB said in a Tweet.
In Germany, a group of researchers from eight European countries is working on a common project to employ contact-tracing technology that would be in line with the EU’s strict data-protection rules.
The French government this week endorsed the Singaporean and German approaches. French officials have said they want to avoid more intrusive geolocation-based apps that privacy advocates say amount to mass surveillance.
In the US, a patchwork of research projects to develop contact-tracing apps is emerging, often tied to universities, including NextTrace and Seattle-based CoEpi, as well as Covid Watch, a group of technologists with backing from Stanford University. Most are still in the development and testing phases. Researchers at MIT Media Lab are developing “Safe Paths” — a tracing app that uses GPS and Bluetooth trails to allow individuals to determine whether they've crossed paths with someone who was later diagnosed positive for the virus.
Unconfirmed reports that the Trump administration is developing a national coronavirus surveillance system, which have already spurred a privacy furor, appear to be keyed to the demand on hospitals rather than tracing people's movements through phone apps.
Europe’s wariness has given governments a chance to analyze how Asian nations have adopted contact tracing.
A technical distinction between various contact-tracing apps — whether they are based on Bluetooth technology or geolocation data — has a significant impact on whether authorities consider one more privacy-damaging than another.
Germany is developing an app similar to Singapore's. In China, Taiwan and South Korea, geolocation has been preferred, making it possible to determine whether people respect confinement orders, as the government tracks them all day.
But a group of lawmakers questioned the French government’s approach, even if it’s based on Bluetooth technology. For the app to be effective and have enough data to function properly, at least 60 percent of the population would have to download it. Given that the most vulnerable people, the elderly, are less likely to have smartphones, this threshold “seems unattainable,” the lawmakers said.
They also questioned the effectiveness of the Singaporean app, particularly because only about one in six people use the app and the government was still obliged to order a lockdown this week.
The quandary facing European governments is how to roll out such technology and respect the EU’s data-protection rules. EU regulators plan to issue guidance next week on how to create Covid-19 contact-tracing mobile apps with “safeguards” to ensure the respect for fundamental rights and privacy.
In Australia, the country’s privacy watchdog has said the use of phone-location data, such as to identify whether an individual has been exposed to a case of Covid-19, could take place without consent if authorized under a national law, or done in the interest of public health, such as during a global pandemic.
The EU regulator said this week that a pan-European approach to contact-tracing apps is needed because EU governments are already adopting measures that raise questions concerning fundamental rights and freedoms, including the right to privacy and the protection of personal data.
These measures include geolocation-based tracking of individuals, technology to rate individuals’ health risk level, and the centralization of sensitive data, the commission said.
Some states are moving unilaterally to deploy smartphone data in ways that are putting greater pressure on privacy rights.
In Poland, the government has deployed a smartphone app called Home Quarantine. Citizens register by uploading personal details and a photo. The government then sends text messages to check on citizens, who must upload a new self-photo within 20 minutes to prove they’re at home.
Other countries such as Slovakia and Spain have created smartphone apps to track and monitor people’s movements.
Privacy advocates have expressed concerns that even if mobile apps use anonymized and aggregated data, there’s a possibility governments will eventually use the data to increase their surveillance of citizens.
The commission said it’s also concerned that a “fragmented and uncoordinated approach risks hampering the effectiveness of measures aimed at combating the Covid-19 crisis, while also causing serious harm to the single market and to fundamental rights and freedoms.”
The commission said one of the goals of the common approach is to “uphold the integrity of the single market and protect fundamental rights and freedoms, particularly the rights to privacy and protection of personal data.”
Big Tech data
While most privacy concerns have been focused on contact-tracing, privacy advocates in Europe and US lawmakers are also wary of governments' use of location-data from mobile operators and Big Tech. The new collaboration between Apple and Google will doubtlessly receive privacy scrutiny, and perhaps even raise antitrust concerns.
In Brazil, the state of São Paulo yesterday reached an agreement with all major telecom operators in the state to expand the monitoring of its citizens’ mobile-location data, using artificial intelligence to monitor aggregated, anonymized data on people’s movements while social distancing restrictions are in place.
Such a state-sanctioned approach is unlikely to be accepted — or perhaps even be legal — in the US. New comprehensive privacy laws such as the California Consumer Privacy Act limit the re-sale of commercial data, but the CCPA is mute about sharing location data during a public health crisis. However, older laws like the Electronic Communications Privacy Act, the Foreign Intelligence Surveillance Act and the Health Insurance Portability and Accountability Act, or HIPAA, all limit the electronic data the government can collect about citizens, and the health data that can be disclosed about them.
“This is not a country where people will accept being force-fed a government-sponsored application that they must use on their phones,” said Albert Gidari, consulting director of privacy at Stanford Law School’s Center for Internet and Society in California.
Last week, Google published reports on 131 countries that present aggregated, anonymized mobile-phone location-data history for places such as restaurants, parks, stores and offices to help authorities analyze the impact of stay-in-place orders in halting the spread of the novel coronavirus.
The announcement prompted US Senators Edward J. Markey and Richard Blumenthal to query Google on whether it intends to share users’ coronavirus-related personal data or pseudonymous information with any government entities.
“Access to this type of information can pose risks to both individuals’ civil liberties and their physical safety,” the senators said. “While we commend Google’s efforts to assist in combating the coronavirus pandemic, we caution you against steps that risk undermining your users’ privacy.”