Google and Apple have confirmed that they are working together on a coronavirus contact-tracing app that they hope may facilitate the lifting of the lockdowns that have paralyzed much of the world in recent weeks.
The idea behind the app is that it would be able to scan for other active devices in your location and if a person you come close to is subsequently diagnosed with coronavirus, you will be automatically informed and advised to self-isolate in line with your national guidelines.
Similar apps have already been launched in some countries, including Singapore. We reported earlier this week how the UK was also contemplating such an app, and it will come as no surprise that one is badly needed in the US as well.
On the face of it, these apps are a great solution to the invisible nature of coronavirus and while they don’t provide a solution to the pandemic, they do offer the chance to ease some of the restrictions that have brought many countries and their economies to a standstill.
Indeed, there is only one drawback to contact-tracing apps such as these. But it is a big one: privacy.
Contact-tracing apps and privacy
In our article discussing the UK’s planned contact-tracing app, we quoted Lord Evans, a former head of MI5 who raised major concerns about the privacy implications of a contact-tracing app. It has also proved highly controversial in Singapore for the same reason.
Neither Google nor Apple has a glowing reputation when it comes to user privacy, so it will come as no surprise to learn that privacy is the main worry surrounding their plan. The only real surprise is who has been voicing these concerns.
The European Union (EU) has been conspicuous by its absence from the handling of coronavirus as national governments have rightly seized the initiative across the continent. Up until now, the EU’s biggest intervention has been to apologise to Italy for the group’s failings when the virus first reached Europe.
But it has decided to weigh into this debate, with Thierry Breton, the EU’s single market commissioner, speaking to senior executives at both Google and Apple this week to stress that any contact-tracing apps must still comply with EU law.
Google worryingly vague
Breton told Google CEO Sundar Pichai that Brussels would be closely scrutinising the roll-out of the app to ensure it didn’t breach people’s right to privacy, even if it was only offered up to people on a voluntary basis.
Breton made it clear that he supported the notion of a contact-tracing app in principle but had severe reservations about any app that tracks the individual movements of people in real-time using GPS technology.
The response of Google’s CEO to the concerns raised by Breton was not exactly reassuring. In a statement, Google said it was “designed to be opt-in and to have the highest privacy and security standards” but failed to offer any more details.
Pichai himself merely said that Google was “trying very hard to be private”.
Such vague responses will not encourage those who are familiar with the way Google handles the vast quantities of user data it already routinely gets sent, and it seems inevitable that privacy concerns about the Google/Apple app and all other similar projects will continue.
How a privacy-friendly contact-tracing app should work
The truth is that there is no need for a coronavirus contact-tracing app to use GPS data. The virus can only be transmitted when you are in close confines with someone, which is why social distancing rules require you to stay 2 metres (6 feet) away from other people.
The app that has already been deployed in Singapore shows that Bluetooth is more than adequate at identifying people who come closer to you than that. But Singapore has also proved that doing away with the need for GPS does not negate the privacy risks that come with an app of this type.
If Google really wanted to create an app that truly respected user privacy, it would first and foremost make its app open-source. This would not only allow it to be deployed in the largest possible number of countries and so help to protect people everywhere, but it would also allow developers to scrutinize the coding behind the app.
This would mean that they could see how the app worked and ensure that Google’s privacy promise is being adhered to. It would also allow them to identify vulnerabilities in the app that could place users at risk and flag these to Google.
They should also be up-front about what happens to the data that is collected on this app. Ideally, the retention of this data would be time-limited and it would be stored on secure encrypted servers where no-one, not even Google, would be able to access it.
A contact-tracing app can never be perfect from a privacy perspective. But most people would be willing to make some sacrifices if it meant being able to lift the lockdown while still keeping people safe.
But if such an app is really going to work, and ensure the trust of the public, Google and its fellow tech companies have to meet people halfway.