Privacy hawks say they’re keeping a close eye on a new project tied to contact tracing that involves Apple and Google, warning that information gathered on Americans must remain limited to fighting the coronavirus.
The two companies earlier this month announced their joint effort to create a software package for public health organizations that would allow them to develop contact tracing apps.
The apps will create a list, kept on individuals’ phones, of people they have come into contact with over a roughly two-week period. If an app user becomes infected with COVID-19, the disease caused by the novel coronavirus, they can choose to share the diagnosis with a centralized database operated by the public health service.
Privacy advocates would normally be opposed to that kind of information gathering, but many are indicating a willingness to set those concerns aside, up to a point, in order to help fight the spread of the coronavirus. Tracing the disease is seen as a key step to safely reopening the economy, particularly since a vaccine is 12-18 months away, at best.
“Contact tracing will be key, along with actual testing, to help stop the spread of the novel coronavirus,” Sen. Mark Warner (D-Va.) said in a statement to The Hill on Tuesday. “While the approach Google and Apple are pursuing appears to be less invasive than alternatives, it is not without privacy risks.”
The program’s use of Bluetooth for tracing means a user’s physical location will not be collected, just the identities of the people they have been in contact with. If necessary, the public health service would notify everyone who has come close to an infected person, likely recommending that they self-isolate or seek a coronavirus test.
Apple and Google said in their announcement that the program had “user privacy and security central to the design.” They later added that the project was more of an exposure notification system than contact tracing, noting that the service does not involve identifying infection hot spots or interviewing users.
Some lawmakers said they plan to monitor the project to ensure privacy standards remain intact.
“Apple and Google have a lot of work to do to convince a rightfully skeptical public that they are fully serious about the privacy and security of their contact tracing efforts,” Sen. Blumenthal (D-Conn.) said in a statement when the project was announced.
“A public health crisis cannot be a pretense to pave over our privacy laws or legitimize tech companies’ intrusive data collection about Americans’ personal lives.”
House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.) said in a tweet that the “new feature to contact trace coronavirus cases has positive potential, but we must ensure privacy concerns are considered.”
“I’ll be following this closely to ensure consumer privacy is protected,” he added.
“As will I,” said Rep. Jan Schakowsky (D-Ill.), head of the Energy and Commerce subcommittee on consumer protection. “Tech companies need to put privacy first, and ensure these products and services include privacy by design.”
Apple and Google last week announced additional steps aimed at addressing potential privacy concerns.
Both companies vowed for the first time to disable the service once the outbreak is sufficiently contained. It remains unclear how public health officials would make that determination, but engineers from both companies have insisted the service is not intended to be maintained indefinitely.
The two firms also updated the encryption specifications to only share a user’s daily tracing keys with the central database if that user decides to submit a positive COVID-19 diagnosis.
Those privacy changes were well received by some lawmakers who were initially critical of the launch.
“I’m glad Apple and Google are taking privacy seriously and have made important changes to how their program works,” Pallone said in a statement to The Hill on Tuesday. “Individual privacy should not be arbitrarily sacrificed in the search for ways to leverage technology to mitigate the spread of this disease.”
Sen. Ron Wyden (D-Ore.) said in a statement the same day that the plan “appears to be a sincere effort to bring tech’s resources to bear on the COVID-19 pandemic, and I appreciate Google and Apple’s transparency about their contact-tracing technology.”
Civil liberties groups have similarly expressed some praise for Apple and Google’s steps, but remain wary.
Jennifer Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union, said the privacy steps appear “to mitigate the worst privacy and centralization risks” but cautioned that “there is still room for improvement.”
“We will remain vigilant moving forward to make sure any contract tracing app remains voluntary and decentralized, and used only for public health purposes and only for the duration of this pandemic,” she said in a statement after the project was unveiled.
Evan Greer, deputy director of digital rights group Fight for the Future, told The Hill in an interview Tuesday that her organization’s “general outlook is that we need to take public health concerns extremely seriously and we also need to take civil liberties and human rights concerns just as seriously.”
She warned that if it became mandatory for the service to be enabled on phones, or if Apple and Google are pressed to collect geolocation data, then her group would oppose it.
“Having real firewalls and safeguards in place that prevent any data that’s collected in relation to the public health crisis from being used, for example, for law enforcement purposes is essential,” she added.
Sara Collins, policy counsel at consumer rights group Public Knowledge, told The Hill her organization “appreciates that Apple and Google have been a very privacy centric approach” to this project.
Still, she said, Public Knowledge will be closely monitoring how the service is used due to concerns that developers could collect geolocation data.
Sen. Josh Hawley (R-Mo.), a frequent critic of Silicon Valley, raised similar concerns last week in letters to the CEOs of Apple and Google, saying they should make themselves personally liable for any data collected about individuals using the service.
He also raised questions about whether the data will remain anonymous and if the program would continue even after the pandemic is over.
The U.S. will not be the first country to make use of contact tracing in the coronavirus era.
More than 2 million people downloaded a government-made contact tracing application in Australia on Monday, a sizable portion of the country’s 25 million population.
A day earlier, Germany said it would adopt a decentralized approach to contact tracing backed by Apple and Google after initially planning to use a different, more centralized design.
Contact tracing applications have also been used in China, Singapore and Israel but have been marred with concerns about invasive data collection.
Google and Apple have addressed some of those issues in previous iterations of contact tracing applications, but privacy concerns and oversight are unlikely to disappear entirely.
“It will be up to governments to decide the hard questions that will have the greatest impact on Americans’ rights, including how information will be collected and shared, and whether it could be made mandatory by governments or businesses,” Wyden said.
“There’s no indication that any federal agency is prepared to take responsibility for answering those questions.”