Earlier this month, Google and Apple announced a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the COVID-19 virus. As you may have expected, people had questions about how that contact tracing technology would work.
In response, Apple and Google released a Frequently Asked Questions PDF with more information. Some of it explains what contact tracing is, how it works, and how it can help slow the spread of COVID-19. It also covers how their contact tracing system will protect user privacy.
Here are some key points about user privacy:
- Each user will have to make an explicit choice to turn on the technology. It can also be turned off by the user at any time by uninstalling the contract tracing application or turning off exposure notification in Settings.
- This system does not collect location data from your device, and does not share the identities of other users to each other, Google or Apple. The user controls all data they want to share, and the decision to share it.
- Bluetooth privacy-preserving beacons rotate every 10-20 minutes, to help prevent tracking.
- Exposure notification is only done on device and under the user’s control. In addition people who test positive are not identified by the system to other users, or to Apple or Google.
- The system is only used for contract tracing by public health authorities apps.
- Google and Apple can disable the exposure notification system on a regional basis when it is no longer needed.
However, the FAQ also makes it clear that government health authorities will have access to the information facilitated by the app. “Access to the technology will be granted only to public health authorities. Their apps must meet specific criteria around privacy, security, and data control. The public health authority app will be able to access a list of beacons provided by users confirmed as positive for COVID-19 who have opted into sharing them. The system was also designed so that Apple and Google do not have access to information related to any specific individual.”
The FAQ states a user can choose to report a positive diagnosis of COVID-19 to their contact tracing app. The user’s most privacy-preserving beacons will be added to the positive diagnosis list shared by the public health authority so that others who came in contact with those beacons can be alerted. I don’t see how that can be done without the app being able to identify one individual user from another.
It comes down to how much you trust your government to use the information from the app to help people. This sort of heath information can be used to prevent people from being eligible for health insurance coverage, or to be discriminated against in other ways. Personally, I am not going to use this app.