If there’s one thing that’s become abundantly clear since Apple and Google’s API partnership, it’s that the coronavirus contact tracing privacy protections need to be spelled out in terms that non-technical people (even POTUS) can understand.
The two companies have gone to pains to explain that privacy was top priority in the design of the application programming interface, but mainstream media reports and conversations with non-techy friends have made it obvious that many don’t understand why apps that use this can be trusted …
I don’t blame people in the slightest for their mistrust. The track record of governments in surveilling their own citizens, and of most tech companies in using personal data for commercial gain, makes this inevitable.
Apple’s track record is far better than most, of course, because its business model doesn’t involve monetizing personal data. But still, even Apple isn’t perfect. It had to up its privacy game in order to comply with Europe’s gold-standard privacy law GDPR. It has had some privacy stumbles. And it still makes a deliberate decision not to fully protect iCloud backups.
So combine big data with governments and tech giants, and it’s no surprise at all that people are suspicious.
Both Apple and Google are being completely transparent about the API design, including sharing in great detail the cryptography specification. But that is, of course, meaningless to the vast majority of the population. Even most techies can only understand it at a conceptual level.
Apple and Google need to explain the privacy protections in lay-person’s terms. Here’s my own attempt to do it.
You choose whether or not to participate
You don’t have to download any of the apps. If you do, you don’t have to agree to contact tracing.
No personally identifiable data is used
The only thing to represent you is a code (a “private master key”) that never leaves your phone. Apple has no idea what your code is, Google has no idea what your code is, governments have no idea what your code is. It’s not linked to your Apple ID or Google login or phone serial number or anything else traceable to you. That’s not a theory, that’s how the system is designed.
(Explaining more is virtually impossible without getting technical, but your private master key and a daily-changing key and a rolling code are all mathematically combined when data is exchanged, and that is a one-way process: you can’t work backwards from the end result to work out your code.)
No location data is captured or stored
If you and I meet, the API knows that your phone came within Bluetooth range of my phone, but it has no idea where we were at the time. Again, you don’t need to trust anyone not to extract that data because the system doesn’t ever log it in the first place.
No data goes to your government without your permission
All that happens is that your phone and the phones of people you meet exchange anonymous codes. The data remains on your phone.
If you are tested positive for COVID-19, you will be asked to give permission for your Bluetooth codes to be uploaded to a government server. These codes don’t identify you or any of the locations you have visited. The only thing that happens to them is other people’s phones can check these codes against the ones stored on their own phone.
No one will know who infected them
Let’s say I was unknowingly infected, and then I met you and I infected you. All that happens is that your phone will, when it downloads my Bluetooth codes, find that they match ones stored on your phone. It will then alert you that you have been exposed to someone, somewhere who tested positive. It won’t tell you who or where because it doesn’t know. All it knows is that the codes match, and that the contact happened sometime in the previous 14 days (the codes are automatically deleted after this time).
Only official government apps can access the data
Apple and Google only allow the API to be used for official government health apps. Commercial apps cannot get access.
Apple and Google can disable the system at any time
Let’s suppose your government wants to continue collecting this data after the coronavirus crisis has ended. It won’t be able to do that because Apple and Google are each able to switch off the API at any time. They can do this on a regional basis too, allowing it to continue operating only in areas where the outbreak persists while disabling it everywhere else.
All of these claims are independently verifiable
Of course, a non-techy can still turn round and respond with, “Says you.” But all this stuff can be independently verified by anyone with the necessary technical know-how.
For example, with Apple’s COVID-19 symptom checker, we were able to easily verify that no data ever left the phone. The only way Apple and Google could be lying about this is if every techie on the planet capable of checking the information were in on the conspiracy.
Do these the contact tracing privacy features reassure?
As techies, are you reassured by the contact tracing privacy safeguards? And do you think your non-techie friends will be when they are spelled out in this way?
Please take our poll, and share your thoughts in the comments.
FTC: We use income earning auto affiliate links. More.