Google, Apple collaboration on Bluetooth-based Covid-19 contact tracing prioritizes privacy

A collaboration between Google and Apple that leverages Bluetooth technology could help health and government officials curb the COVID-19 pandemic and kickstart economies around the world by offering vital contact tracing while still ensuring data security and privacy.

Contact tracing is a critical – but challenging – part of controlling the spread of disease and location-based technology clearly has a place in relieving the burden.

“To further this cause, Apple and Google will be launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing,” according to an Apple update explaining the plan will roll out in two steps, the first the May release of “APIs that enable interoperability between Android and iOS devices using apps from public health authorities.”

The companies expect to roll out the second step – “enabling a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms,” the update said – over the next few months. This solution is more robust “than an API and would allow more individuals to participate, if they choose to opt in, as well as enable interaction with a broader ecosystem of apps and government health authorities,” they said, pledging to build “functionality in consultation with interested stakeholders” as well as “openly publish information about our work for others to analyze.”

Location-based surveillance has been floated for everything from tracking past movements and tracing contacts of infected persons to enforcing quarantines and social distancing.

“Tracking exposure is an effective way to identify people that are at risk and limiting the spread of infection by having people exposed quarantine themselves,” said Chris Hazelton, director of security solutions at Lookout.

“Support by Apple and Google means essentially all mobile phones can be used, as together iOS and Android make up 100 percent the smartphone market of the worldwide,” he said, noting a phone essentially will become a digital passport. “A user’s status in tracking apps and services will be used to permit and prevent them from entering public or private spaces.”

The limitations of mobile surveillance technology –  and potential for abuse –  have raised the hackles of privacy advocates. Apple and Google, though, stressed that “privacy, transparency, and consent are of utmost importance in this effort.”

Jennifer Granick, ACLU surveillance and cybersecurity counsel, said the two companies have taken a step in the right direction when it comes to privacy. "To their credit, Apple and Google have announced an approach that appears to mitigate the worst privacy and centralization risks, but there is still room for improvement,” Granick said, noting that the rights organization would nevertheless “remain vigilant moving forward to make sure any contract tracing app remains voluntary and decentralized, and used only for public health.”

Even with assurances by Apple and Google, Hazelton is concerned that users will be identified. “While Apple and Google state they will not capture user identities this does not prevent public health authorities or any other government agency from doing so,” he said. And, it is not clear if the companies will share location data other than GPS “derived from cell towers or nearby WiFi networks,” he explained. “Even if this is anonymized, it can be paired with other data, like mobile analytics, to still identify users and their health status.”

Hazelton said “medical privacy could go out the window” with users alerted to being exposed wanting to identify who exposed them. “Many easily be able to do so if they only interact with a small number of people,” he said.

Privacy concerns could compromise the technology’s usefulness. Contact tracing systems “can’t be effective if people don’t trust them,” said Granick, and that trust would only come if the systems “protect privacy, remain voluntary and store data on an individual’s device, not a centralized repository.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.