
Apple, Google Address COVID-19 Contact Tracing App Privacy Concerns

After reviewing feedback from industry stakeholders, Apple and Google have revised their COVID-19 contact tracing app proposal to address privacy concerns, stressing transparency.

Apple and Google updated their initial COVID-19 contact tracing app proposal to address feedback from industry stakeholders and some of the privacy concerns raised after the tech giants announced their partnership two weeks ago.

The companies are working to develop a COVID-19 contact tracing app designed to help governments and health agencies control the spread of the virus. The proposed technology would rely on proximity data gathered over the Bluetooth radios of mobile phones and alert users to potential Coronavirus exposures.

At the time of the announcement, Google provided a detailed plan of its privacy policies, including a requirement for explicit user consent.

However, a group of about 200 scientists and the American Civil Liberties Union issued a warning of potential privacy risks posed by planned contact tracing apps from Google, Apple, and others. For these groups, the issues lie with inherent trust, limitations, availability, and affordability, among others.

In response to some of these concerns, both Google and Apple have pledged to disable the service once the pandemic has been contained. The companies' engineers have stressed that the app is not designed to be maintained indefinitely.

The companies also released a detailed list of frequently asked questions to reiterate their privacy policies. The updates include renaming the app from a “Contact Detection Service” to an “Exposure Notification Service.”

Further, the tech giants will strengthen current privacy protections, which will be included in the early launch of the app for developers this week. Those measures include randomizing the generation of tracking keys linked to the user’s device, instead of mathematically pulling the data from the user’s private key.

The changes also allow developers to decide how close two phones must be, and for how long, in order to trigger a handshake, while preventing devices from logging any encounter as having lasted longer than 30 minutes.

The new features also outlined the metadata protections for the app’s Bluetooth transmissions, including the use of encryption. Officials said the app will deduce the devices’ base power level and the version the device is using for the tracing tool, which is used to calculate proximity.

“On platforms supporting the Bluetooth Random Private Address with a randomized rotation timeout interval, the advertiser address rotation period shall be a random value that is greater than 10 minutes and less than 20 minutes,” according to the specifications.

“The advertiser address, Rolling Proximity Identifier, and Associated Encrypted Metadata shall be changed synchronously so that they cannot be linked,” it adds. “Proximity identifiers obtained from other devices are processed exclusively on device. Users decide whether to contribute to exposure notification.”
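A small model of the rotation rule in the two paragraphs above, added here as an illustration and not code from Apple, Google or the specification: the beacon field sizes and the fresh-random derivation are constructed simplifications, and the linking check shows why the specification requires the three values to change together.

```python
import os
import random
from dataclasses import dataclass

ROTATION_MIN_S = 10 * 60   # rotation period must be greater than 10 minutes
ROTATION_MAX_S = 20 * 60   # and less than 20 minutes

@dataclass(frozen=True)
class Beacon:
    """One advertisement: BLE address, Rolling Proximity Identifier, AEM."""
    address: bytes
    rpi: bytes
    aem: bytes

def next_rotation_delay(rng=random.SystemRandom()):
    """Seconds until the next rotation, strictly inside the (10, 20) minute window."""
    return rng.randint(ROTATION_MIN_S + 1, ROTATION_MAX_S - 1)

def fresh_beacon():
    """Draw every field from the OS CSPRNG (constructed sizes, not the spec's derivation)."""
    return Beacon(os.urandom(6), os.urandom(16), os.urandom(4))

def rotate_synchronously(prev):
    """Spec behaviour: address, RPI and AEM all change at the same instant."""
    return fresh_beacon()

def rotate_address_only(prev):
    """Weak variant for comparison: only the address changes, RPI/AEM carry over."""
    return Beacon(os.urandom(6), prev.rpi, prev.aem)

def linkable_tracks(beacons):
    """Number of distinct devices a passive observer can account for when it
    joins any two advertisements that share an address, RPI or AEM (union-find)."""
    parent = list(range(len(beacons)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    seen = {}
    for i, b in enumerate(beacons):
        for key in (("addr", b.address), ("rpi", b.rpi), ("aem", b.aem)):
            if key in seen:
                parent[find(i)] = find(seen[key])
            else:
                seen[key] = i
    return len({find(i) for i in range(len(beacons))})

def simulate(rotate, rotations):
    """Advertisements one device shows across the given number of rotations."""
    beacons = [fresh_beacon()]
    for _ in range(rotations):
        beacons.append(rotate(beacons[-1]))
    return beacons
```

With synchronous rotation each period looks like a new device to an observer, whereas rotating the address alone lets the unchanged RPI stitch every period back into one track.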

Lastly, if users are diagnosed with COVID-19, they must give consent to share the diagnosis keys with the server. And the privacy policy is written to provide transparency into their participation in the exposure notification.

If a user does share that information, public health authorities will be able to access a list of users who have tested positive and consented to sharing their data. The devices of those users will broadcast a beacon that the tech giants download daily and share with the public health authority; the data is then checked against a primary exposure list downloaded from a server the companies maintain.

If a match is found, the user will be notified of the potential exposure and provided guidance on possible actions.

Google and Apple plan to release the app to developers this week, with a public launch scheduled for mid-May. The companies are also working with NHSX, the UK’s digital department of the National Health System, on a UK version of the contact tracing app.

As noted by the Department of Health and Human Services in 2019, these apps are not covered by HIPAA as they are chosen by patients – rather than providers: “Once protected health information has been shared with a third-party app, as directed by the individual, the HIPAA-covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic protected health information, provided the app developer is not itself a business associate of a covered entity or other business associate.”

The responsibility for third-party app privacy, as such, falls to the developers, policymakers, and Congress.
