May 20, 2020 – Today, Apple and Google announced the public release of their Application Programming Interfaces (APIs), allowing Bluetooth-enabled “exposure notification” applications to move toward public release and potentially assist public health authorities in conducting contact tracing to combat the COVID-19 pandemic. While many questions remain as to the effectiveness of Bluetooth applications for this purpose, this technology is more promising than phone location information for supporting contact tracing efforts. New America’s Open Technology Institute (OTI) is encouraged that Apple and Google have taken a number of steps to ensure that such apps are privacy-protective. For states that are intent on moving forward with digital contact tracing, OTI urges that they should pursue Bluetooth-based apps as the preferred alternative. But there is still an urgent need for Congress and state legislatures to enact legislation to ensure that enforceable safeguards are in place.
Last month, amid the COVID-19 pandemic and following attempts to use digital contact tracing tools by governments throughout the world, Apple and Google announced their partnership in launching the APIs and allowing interoperability between Android and iOS devices. This plan would create a decentralized, opt-in digital exposure notification tool that is intended to help notify individuals when they have been exposed to someone with COVID-19. The APIs support apps that rely on Bluetooth technology, which can detect proximity between two phones. With today’s announcement, these apps can begin to be made available in Apple and Google’s app stores—but only after state public health authorities have approved them for listing.
Although both Apple and Google have access to vast quantities of location data and other information on their users through the products and services they offer, it is notable that with this new API, neither of these tech giants will be collecting data from app users. Other companies have been designing the apps that will be approved by public health authorities, and available for download through the Apple and Google interface. Apple and Google have required apps to meet a number of design specifications related to user privacy in order to be allowed on their systems. The Apple-Google protocol has incorporated some key safeguards:
- No location data may be used; strictly Bluetooth proximity data may be used.
- A user’s anonymous proximity identifier changes on average every 15 minutes to reduce the privacy risk of reidentification.
- Proximity identifiers obtained from other devices are processed and stored exclusively on individual devices, rather than stored in a centralized database; neither the app providers or Apple or Google will be able to collect location information.
- If a user is diagnosed with COVID-19, they must provide their consent to share that information with the server.
These prerequisites may be in conflict with some governments’ desires, as some states beginning to explore contact tracing apps have sought to collect cell phone location data. However, phone location data is not precise enough to establish whether two individuals have come within a six-foot-distance, and GPS data only works when individuals are outside. These types of data are not sufficiently granular, and are overly invasive; therefore, collection of these types of data is not justified in digital contact tracing tools. OTI urges governments deciding to move forward with any digital contact tracing tools to use tools that rely exclusively on Bluetooth technology, and welcomes the safeguards offered by the Apple-Google protocol. However, OTI implores Apple and Google to conduct regular, responsible oversight to ensure that any apps offered on their platforms maintain these safeguards, even under pressure from governments, and calls on Congress to enact such safeguards into law.
The following quote can be attributed to Lauren Sarkesian, senior policy counsel at New America’s Open Technology Institute:
“Bluetooth proximity data is likely a much better proxy for determining exposure to the virus than individual location data, and is far more privacy protective. Still, Bluetooth’s accuracy is less than certain, and Bluetooth apps’ effectiveness will largely be determined by how many individuals participate. Americans’ ability and willingness to voluntarily participate in a digital contact tracing regime is an open question that is complicated by many equity issues, including the digital divide, distrust of government and big tech, and growing health disparities. Recent data from Pew Research suggests that even in the face of ongoing isolation and public health threats, about half of Americans would be unlikely to use such apps, and other polling suggests uptake could be even lower. In order to gain wider participation, governments and app providers must ensure that strong privacy protections are in place, especially by avoiding collection of sensitive location data—privacy and effectiveness go hand-in-hand here. Congress must also swiftly enact legislation to limit the privacy and equity harms posed by all digital contact tracing tools and ensure that platforms and app developers can be held accountable.”
The Open Technology Institute (OTI) works at the intersection of technology and policy to ensure that every community has equitable access to digital technology and its benefits. We promote universal access to communications technologies that are both open and secure, using a multidisciplinary approach that brings together advocates, researchers, organizers, and innovators. To learn more, please visit us online at www.newamerica.org/oti and on Twitter @OTI.