Due to the coronavirus pandemic, the issue of digital rights is becoming more and more relevant. Fear makes people all over the world pass on their data in exchange for safety. There is a boom of social contact-tracing apps. And there is no consensus regarding the topic. Some countries favor a centralized approach to the collection and control of data, while others favor a decentralized approach. The latter have to focus on Apple and Google’s contact-tracing API. The companies started developing this technology in April. Many experts believed it would be useless. Nevertheless, apps with the Apple & Google system are already being released or developed. Let’s talk of the following: solutions for tracking social contacts that are under development; the problem with Apple and Google’s contact-tracing API; who has already released apps with this technology, and what the alternatives are.
Contact tracing through apps
MIT Technology Review identifies four core technologies:
- Location. Some apps identify a person’s contacts by tracking smartphone location (via GPS or triangulation from neighboring cell towers) and tracking other smartphones found in the same location.
- Bluetooth. It’s all about the PEP-PT standard. Smartphones exchange encrypted tokens with other nearby smartphones via Bluetooth. This is more anonymous and is generally considered better for privacy as opposed to location tracking. NS Tech explores this technology in more detail. The problem is that an iOS app must be open and cannot run in the background while Android apps that run in the background for a long time are deactivated to save resources.
- Google & Apple. A collaborative API developed by Apple and Google that allows iOS and Android devices to communicate with each other via Bluetooth. Thanks to this, developers can create contact-tracing apps that work for both systems. In the future, the two companies plan to integrate this option directly into their operating systems.
- DP-3T. Decentralized privacy-preserving proximity tracing technology. This is an open source protocol for contact tracing via Bluetooth, in which the contact logs of individual smartphones are stored only locally, and no central authority can find out who is exposed.
What’s the problem with Apple and Google’s contact-tracing API?
According to the rules provided by the companies, the joint Bluetooth-based system should notify the user if he or she contacted a potential carrier of the virus. However, the data does not reach any health authorities but is stored on smartphones. Locations with dangerous contacts are not shown as well.
The authorities (we’re talking more or less of all countries here) are asking Apple and Google to provide them with more information and control to be able to track outbreaks and deal with the pandemic effectively. Companies refuse to do so, citing user rights and privacy.
As a result, discussions come down to blaming Google and Apple, who essentially dictate their rules to governments. In particular, Apple restricts all apps not directly created by Apple to Bluetooth background tracking to avoid battery drain and privacy issues. It turns out that the apps can only work if they are always open, which is not very efficient due to human error.
The issue of centralization and decentralization of data has again started a discussion about who should be trusted with confidential information. Some are afraid to transfer their data to the government, and some want to stay away from the companies. Wouldn’t it be better to share health condition data with health authorities than with companies like Google and Apple? On the other hand, where is the guarantee that governments will not abuse the power obtained along with confidential data?
Germany, Italy and the Netherlands said they would use the Apple & Google system. Ireland, Switzerland, and Estonia favored a decentralized approach too. They have to do it. The French Digital Affairs Minister said during a television interview he regretted that Apple had been unable to help the country’s efforts during the crisis, and that officials would remember that. As a result, France decided to follow a centralized approach, trying to circumvent company restrictions. So did Norway, United Kingdom, Bulgaria, Spain, Cyprus, and Poland. Some countries are developing different apps, not only governments, but also private companies. For example, in the Czech Republic, there is eRouska, an Android-only app (decentralized), and Mapy.cz, a private app (centralized and available for both Android and iOS).
Immuni is Europe’s first contact-tracing app. It uses Google & Apple technology. It officially launched in Italy as recently as on June 8. The app is currently available in four regions – Liguria, Abruzzo, Marche, and Puglia. More than 40,000 people install it daily (this is cumulative data for both stores). The daily installs are growing.
So far, user reviews and ratings are contradictory.
Here is one of the comments: «Too many contradictions in the contract. It says it won’t track location and then asks for GPS to sign me up. It says it won’t collect data while data may be used, it says it won’t collect data and then data must be deleted by the end of the year. There’s too little clarity».
United Kingdom: NHS COVID 19
So far, this app is only tested on the Isle of Wight. It’s expected to be available to the rest of the UK by the end of June if it’s successful. The app also traces contacts through Bluetooth «handshakes» and PEP-PT, and alerts those who have contacted an infected person anonymously.
In May, the NHSX (Digital Transformation Division of the National Health Service UK) signed a £ 3.8 million contract with the Swiss company Zuhlke Engineering, which was involved in the development of the initial version of NHS COVID-19.
The contract includes the requirement to «investigate the complexity, performance and feasibility of implementing native Apple and Google contact-tracing APIs within the existing proximity mobile application and platform». The findings are monitored by the UK’s Department of Health and Social Care.
The US: Care19
In North Dakota, developers have created Care19, a contact-tracing app. It records the whereabouts of people and works as a memory tool or ‘digital diary’.
If users receive a positive Covid-19 test result, the app allows them to voluntarily share their movement data over the past two weeks with the State Department of Health to help slow the spread of the virus.
It sounds good. But Jumbo, when tracking the flow of data from Care19, found out it was sending them to Foursquare. It’s about a person’s location, their advertising identifier (a code representing a specific smartphone) and the unique ‘citizen code’ generated by the app.
So far, the app is available in only a few states. In total, it was installed by about 50,000 people (App Store and Google Play).
This app has a complicated destiny. It was developed back in April based on PEP-PT and location tracking. Back then, the Apple & Google system was just being developed. At that time, most Norwegians supported the idea of a contact-tracing app. A survey commissioned by the health authorities showed that 64% of Norwegians are positive about the idea, and only 16% are against it.
Smittestopp remembers when two people who signed up are close to each other for longer than a set period of time. If one of them is later diagnosed with COVID, the other gets a warning and a request to self-isolate to avoid further spread of the virus.
There were discussions around the app about whether to make it more decentralized and implement the Apple & Google system. As a result, the Norwegian Data Protection Authority and the health authorities could not agree on the solution. On June 15, news appeared that Norway had deleted all data the app collected and suspended its further use. By that time, more than 60% of Norwegians installed it.
France refused to collaborate with Apple and Google, citing data privacy concerns, and developed its own PEP-PT-based application. The data is processed on a centralized server. The idea is to track the spread of infection at an early stage not ‘manually’ but automatically through defining smartphone contacts. The smartphone will ‘record’ contacts and warn the user if he or she communicates with a person positive with Covid-19.
Many consider the app controversial and are afraid that its use will lead to being tracked by the government. At the end of April, a group of 471 cryptography and security experts signed a letter urging the government to reduce data privacy risks. Prior to the release, 15 deputies from the ruling party, La République en Marche, published an open letter to Le Figaro calling for broader discussions on the use of new technologies that jeopardize fundamental freedoms.
According to the France Info poll, about 45% of French people are ready to use the app. For it to be effective, at least 60% of the population must install it. The release was on June 2. Now the app has been installed more than 900,000 times.
This whole situation around contact tracing raises many questions. Who should we trust our data with? How can we control the transparency of its collection? Is it okay that Google and Apple provide 99.47% of all devices with their systems and thus are able to dictate terms to governments? However, it is not clear whether decentralized apps can help keep the pandemic at bay. On the other hand, the effectiveness of the centralized approach is also not yet obvious. For example, in Australia, more than 6 million people have installed the app. But so far, using the collected data, it has been possible to isolate only one user who contacted an infected person. Perhaps a small number of COVID cases in this country is the cause.
Anyway, it is still difficult to draw any conclusions. Some apps are still under development, the rest are still being tested. Only one thing is certain – arguments of digital rights will get more heated. The pandemic has opened up new possibilities for the digital Big Brother. You can look for updates on the restriction of civil rights around the world due to coronavirus here.