Why countries keep bowing to Apple and Google’s contact tracing app requirements
Last month, after Apple and Google announced some changes to their forthcoming attempt to track the spread of COVID-19, I noted the surprising degree to which tech giants are setting the terms of the pandemic response. They own the hardware, they own the software, and national governments who would use it to find new cases of COVID-19 have to do it on the companies’ terms.
This week, that process began to accelerate. But first, a bit of background.
The Apple-Google collaboration will ask you to opt in to a system that causes your phone to emit Bluetooth signals to other phones around you. When you are in close proximity to another person for an extended period of time — more than five minutes, typically — both of your phones record the interaction. When a person tests positive for COVID-19, they will have the option of anonymously notifying other phones that they may have been exposed to the virus and encouraging their contacts to self-quarantine or seek treatment.
A sticking point between the tech giants and nation states has been who will process the exposure notifications. Apple and Google want to process the notifications on users’ phones without storing them on a central server, to preserve the maximum degree of privacy possible. Some European countries, meanwhile, have sought to process notifications on a central server, in the hopes that having more detailed information will help them identify additional exposures and more rapidly contain the spread of the virus. (MIT Tech Review has a great tracker that looks at how countries are building these apps, including whether or not they’ve adopted the Apple-Google approach.)
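The on-device matching described above, as an added sketch that is not Apple's or Google's code. The HMAC-based identifier derivation, the 10-minute interval and the names `Phone`, `rolling_id` and `simulate` are assumptions made for illustration; the real key schedule differs.

```python
import hashlib
import hmac
import os

INTERVAL = 600       # assumed: seconds one broadcast identifier stays in use
MIN_EXPOSURE = 300   # the article's "more than five minutes" of proximity

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    # Stand-in derivation (HMAC-SHA256), not the real Apple-Google key schedule.
    msg = interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self, daily_key: bytes = b""):
        self.daily_key = daily_key or os.urandom(16)  # stays on the phone
        self.heard = {}  # rolling id -> seconds nearby; never uploaded

    def broadcast(self, t: int) -> bytes:
        return rolling_id(self.daily_key, t // INTERVAL)

    def hear(self, rid: bytes, seconds: int) -> None:
        self.heard[rid] = self.heard.get(rid, 0) + seconds

    def report_positive(self) -> bytes:
        # Opt-in: only the key is published, not contacts, names or locations.
        return self.daily_key

    def exposed(self, published_keys, intervals) -> bool:
        # Matching happens locally: re-derive ids from published keys and
        # compare them with this phone's own log.
        total = sum(self.heard.get(rolling_id(k, i), 0)
                    for k in published_keys for i in intervals)
        return total >= MIN_EXPOSURE

def simulate():
    # Constructed encounter: Bob is near Alice for 7 minutes, Carol for 1.
    alice, bob, carol = Phone(b"A" * 16), Phone(b"B" * 16), Phone(b"C" * 16)
    for t in range(0, 420, 60):
        bob.hear(alice.broadcast(t), 60)
    carol.hear(alice.broadcast(0), 60)
    server = [alice.report_positive()]   # all the server ever holds
    day = range(86400 // INTERVAL)
    return bob.exposed(server, day), carol.exposed(server, day), server

if __name__ == "__main__":
    print(simulate()[:2])
```

In this model the server learns nothing about who met whom; a centralized design would instead upload each phone's `heard` log for matching on the server.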
This put France, whose politicians have regularly upbraided Silicon Valley for perceived data privacy lapses, in the very funny position of begging Apple and Google to lower their privacy standards. Germany, whose scientists had helped devise Europe’s (deep breath) proposed Pan-European Privacy-Preserving Proximity Tracing project, decided to throw in with Apple and Google after it became clear that was not going to happen.
Until now, the United Kingdom has held firm in its commitment to building its own exposure notification app, even though it will have limited access to the Bluetooth notifications necessary for it to work. James Vincent explained why this is a problem this week at The Verge:
Both Google and Apple restrict how apps can use Bluetooth in iOS and Android. They don’t allow developers to constantly broadcast Bluetooth signals, as that sort of background broadcast has been exploited in the past for targeted advertising. As The Register reports, iOS apps can only send Bluetooth signals when the app is running in the foreground. If your iPhone is locked or you’re not looking at the app, then there’s no signal. The latest versions of Android have similar restrictions, only allowing Bluetooth signals to be sent out for a few minutes after an app has closed. Such restrictions will block devices from pinging one another in close quarters, drastically reducing the effectiveness of any contact-tracing app.
Google and Apple can rewrite these rules for their own contact-tracing API because they control the operating systems. But for countries trying to go it alone, like the UK, the restrictions could literally be fatal. iPhone users with the app installed could interact with someone who is later diagnosed with COVID-19 and never know it, if their phone doesn’t keep a log of their interaction.
Now it seems that all of this has dawned on the UK’s National Health Service, which has asked the consulting firm charged with building its app to investigate switching over to the Apple-Google model. Here are Alex Hern and Kate Proctor today in the Guardian:
With growing questions over that approach, it emerged that the Swiss-based consultancy Zühlke Engineering has been hired to undertake a two-week “technical spike” to investigate implementing Apple and Google’s system “within the existing proximity mobile application and platform”. […]
The prime minister’s official spokesman left open the possibility that a change could be made, telling reporters: “We’ve set out our plans for a centralised model and that’s what we are taking forwards but we will keep all options under review to make sure the app is as effective as possible.”
Right now, it’s unclear how an app that only works when every citizen in the United Kingdom has the app downloaded, open, and running in the foreground at all times is going to be “as effective as possible.” As of today, I’d be surprised if the UK hadn’t adopted the Apple-Google approach by the end of this month.
It’s a fascinating tension: corporations trying to do right by their users versus countries trying to do right by their citizens. As Sam Lessin notes in The Information, this is an uncomfortable place for a tech giant to be. “This isn’t an enviable position for tech companies,” he writes. “It puts them in a nearly impossible position in terms of almost always absorbing blame no matter what they do whenever the choices are hard.”
Elsewhere, India is learning that the privacy concerns around exposure notification apps and contact tracing are not merely abstract. Aarogya Setu, the country’s own homegrown exposure notification app, has significant privacy flaws, Andy Greenberg reported this week at Wired:
Independent security researcher Baptiste Robert published a blog post today sounding that warning about India’s Health Bridge app, or Aarogya Setu, created by the government’s National Informatics Centre. Robert found that one feature of the app, designed to let users check if there are infected people nearby, instead allows users to spoof their GPS location and learn how many people reported themselves as infected within any 500-meter radius. In areas that have relatively sparse reports of infections, Robert says hackers could even use a so-called triangulation attack to confirm the diagnosis of someone they suspect to be positive.
“The developers of this app didn’t think that someone malicious would be able to intercept its requests and modify them to get information on a specific area,” says Robert, a French researcher known in part for finding security vulnerabilities in the Indian national ID system known as Aadhaar. “With triangulation, you can very closely see who is sick and who is not sick. They honestly didn’t consider this use of the app.”
On one hand, privacy has never been the prime directive for a contact tracing scheme. The whole point is to find out people’s real names, phone numbers, and locations so you can tell them that they’re sick before they infect anyone else. At the same time, tech giants are understandably wary of building a tool that could be misused by law enforcement, oppressive governments, or the sorts of bad actors that Robert describes in India. For the moment, it’s the giants’ argument that has carried the day — and done so, at least for now, with remarkably little resistance.