Apple, Google team up to track Coronavirus spread as some official Govt apps are already doing it

The app will use a Bluetooth technology to trace every phone a person comes in contact with, raising concerns over privacy.

Apple and Google announced Friday an unusual collaboration to leverage smartphone technology to help trace and contain the spread of coronavirus.

The collaboration will open up their mobile operating systems to allow for the creation of advanced “contact-tracing” apps, which will run on iPhones and Android phones alike.

So how will Bluetooth tracing work on Android and iOS phones ?

Both Apple and Google have put out details on the Bluetooth technical specifications and how this technology will work with contact tracing. The technology will work on both Android and iOS.

First, the user will have to give explicit and clear permission that they are opting-in for this kind of contact tracing, according to the companies. Exactly how this permission will be taken is not clear, but it could be within the app they use.

If this is at the software level, pushing out the iOS update will be easier given most phones are on the latest version and Apple has tighter control over the ecosystem. But in the fragmented Android universe, it is not clear how this update will reach all smartphones.

In a graphic, the companies have explained how the Bluetooth bit will work. Say two people named A and B meet for a brief period. Their phones will then exchange identifier beacons via Bluetooth; these beacons are updated frequently. A few days later person B tests positive for COVID-19 and decides to enter that data into a public health authority app. With their consent, the phone will upload their broadcast beacon (the same which was shared with person A’s phone) from the last 14 days to the cloud.

Meanwhile, person A’s phone will continue to download the broadcast beacon keys of everyone who has tested positive for COVID-19 in their region. When a match is found with the B’s anonymous identifier beacons, person A is alerted that they have been in contact with a COVID-19 patient and a notification is sent to their phone alerting them on what to do next.

Here’s a quick look at the technical details of the Bluetooth tracing, though these could be modified later on.

• First, there is a Tracing Key, which is generated once per device.
• Then, there’s a Daily Tracing Key, which is derived every 24 hours from the main Tracing Key. This is being done for privacy reasons.
• A Diagnosis Key is generated when a user tests positives for COVID-19 and this is based on a subset of Daily Tracing Keys.

There’s also a Rolling Proximity Identifier which changes every 15 minutes to prevent any kind of wireless tracking of the device. This is derived from the Daily Tracing Key, and sent in the Bluetooth advertisements or the Bluetooth messages to other mobile devices.

What about privacy here?

The idea is to help national governments roll out these contact-tracing apps to allow lockdowns to be lifted earlier, by letting authorities much more readily identify new clusters of infection. The technology would also help those who have been exposed to a person with Covid-19 self-isolate before they themselves become infectious.

Concerns are already being raised about the effectiveness of such technology and privacy concerns surrounding its implementation. The companies are opting to use Bluetooth to track who has been in contact with Covid-19 cases rather than location services to protect some user privacy, but advocacy groups are still wary.

“No contact-tracing app can be fully effective until there is widespread, free, and quick testing and equitable access to healthcare,” Jennifer Granick, the surveillance and cybersecurity counsel at the ACLU said. “People will only trust these systems if they protect privacy, remain voluntary, and store data on an individual’s device, not a centralized repository.”

Similar apps have already been trialled in nations including Singapore and China. In Europe, the Czech Republic says it will release such an app this month. Britain, Germany and Italy are also developing their own tracing tools.

India who has huge number of mobile internet users (approx 600 million), their Government also launched app name "Aarogya Setu". The app detects other devices with "Aarogya Setu" installed that have come in the Bluetooth or GPS proximity of one’s phone and captures this information.

“There isn’t enough information available on what data will be collected, how long will it be stored and what uses it will be put to. If the data gets shared with the government of India, what the government can use it for needs to be specified. Otherwise, it will be a violation of the notice and consent principles,” said Prasanna S, a Delhi-based lawyer.

On the data retention part, the app’s privacy policy mentions that all information provided at the time of registration will be retained for as long as the user’s account remains in existence “and for such period thereafter as required for the purposes for which the information may lawfully be used…”.

“This is only the app-side data. What about the server side data? How long the Government of India retains it also needs to be specified,” Prasanna argued.

Privacy and civil liberties activists have warned that such apps need to be designed so governments cannot abuse them to track their citizens. Apple and Google said in a joint announcement that user privacy and security are baked into the design of their plan.

Pam Dixon, executive director of the World Privacy Forum, said she’ll be looking closely at the companies’ privacy assurances and for evidence that any health data they collect will be deleted once the emergency is over.

Given the great need for effective contact tracing, the companies will roll out their changes in two phases. In the first, they will release software in May that lets public health authorities release apps for both Android and iOS phones. In the coming months, they will also build this functionality directly into the underlying operating systems.

On Friday, the companies released preliminary technical specifications for the effort, which they called Privacy-Preserving Contact Tracing.

“People are dying. We have to save lives. Everyone understands that, But at some point, we’re going to have to understand the privacy consequences of this.” said by Pam Dixon, ED of the World Privacy Forum.

------------------------------------- END ------------------------------------

Sources: The Guardian & The Indian Express

Instant View made by Privacy Matters 🛡️