The Apple Google API is a supplement to manual tracing, not a substitute
This week Apple and Google rolled out a new application programming interface (API), which is meant to help in the fight against COVID. The “Exposure Notification API” gives public health officials and other selected developers the ability to create new mobile applications that would alert users if they came into contact with someone positively tagged as having COVID.
The API has faced a spat of criticism. Some deride it as being ineffectual, while others have serious concerns about the system’s implications for privacy. Yet, the Exposure Notification API should be understood on its own terms. Digital contact systems are only a supplement to existing manual tracing efforts; they are not a substitute. Moreover, Apple and Google have worked to ensure privacy is embedded into the core of the API. Given all of these constraints, this API is the best possible framework.
What does the Exposure Notification API do?
The system that Google and Apple have created is one implementation of an idea that has many other incarnations. If an app with the API is enabled, a user’s phone will use Bluetooth to send out a beacon every five minutes. That beacon includes a unique identifier, which is a string of random numbers that changes every 10–20 minutes and isn’t tied to a user’s identity. Whenever another phone with the app turned on comes into close contact, it securely stores that string of information. At least once a day, the system will download a set of keys that have been verified by health care workers as COVID positive. If a match is made, the user will be alerted and be given further steps.
When the project was announced in April, neither Apple or Google said that they would develop a contact tracing application to implement their framework, leaving that work to public health officials. Earlier this month, however, both Apple and Google announced that the COVID beacon system would eventually be written into the operating system itself. Only after users opt-in would the Bluetooth announce the random identifier. If a match is made and the user doesn’t have an application, they will be prompted to download an official app, which could only be supplied by public health offices that meet specific criteria around privacy, security, and data control.
Where do apps fit into contact tracing methods?
Tracing infections to isolate a virus has been shown to be a successful mitigation strategy in a pandemic. In large outbreaks, like the current one the United States faces, manual tracing becomes a laborious process, requiring recruitment and training to help identify the sick and quarantine the exposed. A recently released report from California’s public health department and the U.S. Centers for Disease Control and Prevention attests to these costs. From February 5 to March 17, state health employees spent nearly 1,700 hours collecting and analyzing data on 11,574 travelers from China and Iran at California airports and were only able to identify just three positive cases.
States are already budgeting large sums of money to get manual tracing programs working. Massachusetts intends to spend $44 million to hire 1,000 contact tracers while New York State plans to hire as many as 17,000 with funding from Bloomberg Philanthropies.
Researchers at Johns Hopkins Center for Health Security estimate that the United States needs 100,000 contact tracers to properly track the virus, which would come at a cost of $3.6 billion. Scott Gottlieb and Andy Slavitt, both former high ranking health care officials, have suggested that the only way to tackle the problem is by both hiring tracers and then working with hotels to house quarantined patients. Their program would cost $46.5 billion, including $12 billion for up to 180,000 contact tracers, another $4.5 billion to house infected and exposed in vacant hotels, and $30 billion for 18 months of income support for those voluntarily self-isolating. There is hope that smartphones might be enlisted in this task to lighten the load.
Singapore’s TraceTogether app stands as the most widely adopted COVID contact tracing program. It is the subject of countless news articles, but it still remains a minor player in the country’s broader intervention strategy. Importantly, Singapore shut its borders to Chinese travelers in early February, banned large-scale gatherings, imposed quarantine measures, and mobilized a small army of contact tracers to investigate infections manually. These contact tracers rely on non-app data to do their job, including credit-card records and public transportation ticketing data. Even with these measures in place, Singapore now faces a second wave of infections from abroad.
While digital contact tracing is theoretically promising, wider adoption is needed for the program to even begin to show promise. “In order for TraceTogether to be effective, we need something like three-quarters — if not everyone — of the population to have it,” Minister Lawrence Wong explained. With a buy-in of 18 percent of the population, the TraceTogether app captures, at best, 3 percent of all potential viral transmissions, using Metcalfe’s Law as a method of estimation. But epidemiologists suggest that 70 to 90 percent of all viral transmissions would need to be logged for any contact tracing system to be effective in trampling COVID. In practice, then, countries would need 84 percent to 95 percent of the population to adopt and actively use the digital system. In the United States, only 81 percent own a smartphone, and polling from Ipsos suggests that in a best-case scenario, only about half of Americans would participate in a digital tracing program. For now, contact tracing apps will play an ancillary role.
Even if there were perfect adoption, digital systems have their limitations. As Jay Stanley and Jennifer Stisa Granick of the American Civil Liberties Union (ACLU) point out, proximity technologies like Bluetooth and GPS cast a wide net, which could mean that two people separated by a wall might be tagged as being close to one another. Israel has implemented a system of notification based on GPS, which is admittedly less nuanced than Bluetooth, which illustrates this problem. As reported by Haaretz, an entire neighborhood was told to test and quarantine, even though their neighbor that did have the disease never came into contact with them. The wife of the man who has COVID said reporters that it “raises suspicions that the geolocation missed by a lot and sent us into isolation for no reason.” The Exposure Notification API uses Bluetooth, which was designed to connect headphones, wireless devices, and other peripherals, not to provide proximity alerts accurately. In other words, the jury is still out on whether Bluetooth can correctly capture transmission vectors. Regardless, with data collection rightly comes privacy concerns.
Privacy issues
Critics of the Apple and Google API have attacked the approach from both sides, with some claiming that it is too privacy-invasive and others claiming that it doesn’t go far enough. While no system is perfect, the API helps to protect users’ privacy without allowing the surveillance of countries like China and Singapore.
Privacy professionals have largely lauded the effort. The system was built to ensure that sensitive health information is kept secure. Contacts are stored locally and encrypted. Bluetooth technology is employed, and GPS isn’t allowed, which was a pressing concern laid out in an open letter by 300 technologists and scientists. All of these elements working in concert clearly show that Apple and Google designed this technology with privacy at the front, as law professor Lokke Moerel explained,
The ICO also just concluded that the “contact tracing framework in development by Google and Apple indeed meets the principles of privacy by design. According to the ICO, the same applies to the “Decentralized Privacy-Preserving Proximity Tracing” system developed by a separate expert group, which is based on similar principles.
Unsurprisingly, survey research suggests that more people will use contact tracing apps if they are privacy-focused. John Gruber said that these goals are “table stakes for designing a system that people will actually install and use.” While Singapore’s broader intervention strategies should raise eyebrows, their TraceTogether includes many of the same privacy features as the Exposure Notification API. Users must opt-in to the service, they can withdraw their consent at any time, no location data is collected, and the information remains encrypted on the phone until a positive match is made for a COVID test.
Some of the harshest criticism has been coming from those saying that the Exposure Notification API provides too much protection for consumer data. As the Washington Post reported, local health authorities in states like North Dakota, as well as in countries such as Canada and the United Kingdom, say they’ve pleaded with the companies to give them more control over the kinds of information their apps can collect. In Reason, former Bush-era official Stewart Baker called the tech “seriously flawed…because it elevates privacy over effectiveness.”
The poster-child of an effective but troubling surveillance technology already exists in South Korea. Much like Singapore, South Korea’s contact tracing system relies heavily on non-app data by linking GPS phone tracking, surveillance camera records, and credit card transactions. Local government agencies compile this information to jog memories, chase down potential hotspots, and test. If they are found to have the disease, officials will anonymize the data and then disclose it to the public through blogs, social media accounts, and emergency text alerts. Yoon In-jin, a professor of sociology at Korea University in Seoul, explained that people are using the information to ridicule patients and dox them. The Exposure Notification API doesn’t completely stop this from happening but makes it exceptionally difficult.
The most cogent criticism of the API is that Apple restricts apps from using location data like GPS alongside the Exposure Notification API. Apple restricts apps from using Bluetooth in the background due to the privacy concerns. France, in particular, has taken umbrage with this limitation and has been vocal that the two companies should loosen restrictions. The limitation creates a hard binary. Either public health officials can go the route of Utah by developing a contact tracing app that explicitly tracks users via GPS, or they can adopt a contact tracing app that uses the Exposure Notification API.
Privacy law also casts a long shadow on the API. Location data is subject to a rafe of protections and typically requires affirmative consent from the user. In 2016, for example, the Federal Trade Commission settled with the ad platform InMobi because the platform was engaged in deceptive tracking of location information. Combining both location information and sensitive health information is a surefire way to face scrutiny from privacy enforcement agencies. So instead of creating a standalone app, Google and Apple have given public health authorities the tools to create their contact tracing app. While the Department of Health and Human Services recently said it would hold off on any enforcement action, privacy regulators in the states, as well as Europe, have made no such commitment.
Since most successful digital tracing methods haven’t gone the route of an app, the more realistic threat to privacy comes, not from tech companies, but from government agencies wanting to build comprehensive tracing systems. The recently passed CARES Act included $500 million for the Centers for Disease Control and Prevention to build a “surveillance and data collection system.” Early reports on this project suggest that anonymous aggregated geolocation data is being combined with other data to find where people are highly concentrated, suggesting that person-to-person infection is probable. Congress should ensure that agencies have the proper safeguards.
Law professors Jack Goldsmith and Andrew Keene Woods cautioned in the Atlantic that “digital surveillance and speech control in the United States already show many similarities to what one finds in authoritarian states such as China.” But the systems in China are far more invasive and concerning, and would face opposition if adopted in the United States. In Hong Kong, digital tracing is being used to ensure that people stay in their homes. China is also moving towards a nationwide system to track every person’s COVID status. To ride the subway or enter a crowded shopping mall, a person has to scan a government-mandated QR “health code” on their cell phone that’s either green (likely Covid-19 free), yellow (at risk of Covid-19), or red (likely Covid-19 positive). The United States needn’t flirt with this kind of oppressive surveillance to get a handle on the virus.
What’s next?
In the near future, apps integrating the Exposure Notification API should begin to appear. State and federal public health authorities have already deployed applications, so some might switch to the API. One could also imagine that insurance companies would incorporate this proximity system into their apps and encourage users to turn it on. Given the restrictions imposed, however, it is unlikely that Instagram, Facebook, and Google would integrate this API into their most popular mobile programs.
But what happens after COVID has passed? A system for privacy protected proximity alerts has been worked out and could be used for other applications. As computer programmer Moxie Marlinspike noted,
While many are rightly focused on the current pandemic, this framework could unlock a new world of proximity-based technologies. Imagine, for example, grocery stores and other retail outlets that want to advertise in their stores but are also worried that consumers might be turned off by tracking. This kind of framework could offer a way for both parties to be happy.
In the end, however, the contract tracing apps should be understood on their terms. They will only act as a nudge to get tested. They will supplement much needed manual work, not supplant it.
