On Monday, May 4, Google and Apple shared sample code for their new contact tracing technology—tools that they have jointly developed to help to slow the spread of COVID-19 by using cell phones to aid the labor-intensive process of tracking down people who have been in contact with those infected. The companies also released guidelines to protect user privacy. Here, Al Gidari, the Consulting Director of Privacy at the Stanford Center for Internet and Society at Stanford Law School, discusses the new tools and privacy concerns surrounding tech in contact tracing.
Google and Apple are developing tools for an app (though they may develop or help to develop apps going forward). Who would develop an app?
At this point, it will be up to the states and their public health authorities to develop the app, conforming to the Google-Apple specifications. The Google-Apple operating system changes are limited in purpose to helping states ensure the broadest possible exposure notification while protecting user privacy. The approach relies upon a confirmed tested positive person getting the state-confirmed test result identifier so that the Bluetooth app can be triggered to send notices to others who downloaded that app and who came within contact of the infected person. This approach reduces security risks of false positive alerts by bad actors and ensures the integrity of the system. The app [using Google-Apple technology] would be available for download in the Play or Apple Store. The app will not be able to draw on other location information from the device, must be opt-in by definition inasmuch as the user downloads it, does not share personally identifiable information, and will be disabled when the pandemic abates.
Are there other apps for this?
There are other apps being developed by nations, states, private parties and others, but the distinction here is that the Google-Apple approach is decentralized, temporary, and does not result in information sharing with governments.
Can you briefly tell us how the Google/Apple technology would work to help with contact tracing?
It is better to think about the Google/Apple approach as an exposure notification system. In other words, it doesn’t actually permit direct tracing by public health officials but rather allows people to be notified that they were exposed to someone who tested positive in the past few days. Once notified, it will be up to the state public health authorities to decide what happens next. For example, a notified person without symptoms could be instructed to self-isolate for two weeks. Or, someone with some symptoms could be instructed to go get tested or call their doctor. Exposed users could be asked to report the notification so that public health can see the trajectory of the disease and it would be up to them whether to do so or not.
So this would work in tandem with live contact tracing?
Right. This is not a substitute for traditional manual contact tracing but rather an aid to it. Manual tracing will still occur, but this will identify a population of exposed people who can get off the street, get tested and, if positive, relay information to contact tracers.
They are using Bluetooth technology rather than location data. Is this significant for privacy concerns?
Yes, the entire approach has been designed to consider the most privacy protective method of providing exposure notification. Bluetooth allows for proximity identification—that is, users will know they were within a few meters of someone for a definitive period of time (e.g., 15 minutes) by means of a Bluetooth beacon. Location data from GPS or cell towers is not specific enough to permit that kind of accurate exposure. The other location technologies also permit identification of users whereas the Bluetooth approach makes it very difficult to identify anyone specifically.
So using Bluetooth technology is important for privacy. What about privacy concerns regarding the government?
The key is that no governmental agency gets a list of exposure-notified individuals. The approach allows individuals to act smartly and quickly, rather than depending on public health to analyze data and potentially use data to force quarantines or limit individual freedom. Because all data is on the client device, the government or third parties are not getting any information about any individual. It really is up to the individuals to do the right thing with the notification and up to the states to facilitate the instructions, information, and follow-up.
Hopes are high that technology can help with contact tracing. How successful has it been in countries that are trying it now, such as South Korea? And how are they different from the Google-Apple approach?
Nothing like the Google-Apple approach is being done elsewhere. The approaches around the world are centralized, government-run programs and with that comes some degree of distrust. Where Bluetooth or other location apps are voluntary, the adoption rate has not been high in centralized systems. But where it is in use, it is the case that the notification process works—that is, people learn of exposure and can take steps to protect themselves.
Do you expect many countries to adopt the Google/Apple technology, or their own?
Some countries have come out in support of the decentralized approach, like Germany, whereas others like the UK are insisting on a centralized, mandatory approach, which then will not be able to access the Google or Apple software. Given the breadth of coverage of Android and Apple phones, it seems more likely that governments will support the Google-Apple approach in order to more quickly identify exposure and avoid the cost and delay of developing their own alternative technology that will not otherwise be able to use Google or Apple data and that users won’t likely opt in to use.
Albert Gidari is the Consulting Director of Privacy at the Stanford Center for Internet and Society and a recognized expert on electronic surveillance law. A partner for over 20 years at Perkins Coie LLP before retiring to consult with CIS, he negotiated the first-ever “privacy by design” consent decree with the Federal Trade Commission on behalf of Google, which required the establishment of a comprehensive privacy program including third party compliance audits. Long an advocate for greater transparency in government demands for user data, he brought the first public lawsuit before the Foreign Intelligence Surveillance Court, seeking the right of providers to disclose the volume of national security demands received.