Yesterday, Apple and Google launched the first phase of their joint effort to help track the spread of COVID-19. The two tech companies have begun testing an initial version of their exposure notification API that should help public health authorities contain the spread of coronavirus by quickly identifying people who might have been exposed to new cases. It will be widely available to most public health agencies by mid-May.
For this effort to work, people using Apple and Android phones will need to download the apps and report whether or not they have been diagnosed with coronavirus. In a country where people are protesting lockdowns and social distancing and where big tech hasn’t exactly gained the public’s trust, how likely are Americans to use these apps?
A new survey conducted by The Washington Post and the University of Maryland found that a majority Americans aren’t planning on using the apps, with nearly 3 in 5 Americans are either unwilling or unable to use the infection-alert system that Google and Apple have developed. For the apps to be most effective, they require a large portion of the population to contribute. A recent study by epidemiologists at Oxford University estimated that the ideal number would be 60% of the population. If Americans are already rather adverse to the idea of using the contact-tracing tech, then it’ll be difficult to persuade them that this initiative will help find potential new infections, thus helping us to ease lockdown restrictions faster and make resuming economic and social activities safer.
Just under half of polled Americans said that they would definitely or probably use the apps, however, and that’s no small number. Additionally, 59% said that they would feel comfortable using the app to anonymously inform people they came physically close to if they were to be diagnosed with coronavirus.
In Australia, coronavirus tracing app COVIDsafe was released on Sunday and by Tuesday had over 2 million downloads, which is about 10% of Australia’s population. Singapore’s contact tracing app saw similar percentages of downloads, whereas among Norway’s population, about 30% have downloaded the app. As Casey Newton points out in his newsletter The Interface, “The first thing to say about this is that it’s very difficult to predict what people will do when they are asked to begin participating in Big Tech’s exposure notification system…if exposure notification appeared to be working — if public health agencies use it as part of a broader scheme relying on human beings to do more old-fashioned tracing — you can imagine big campaigns within communities to get more people to opt in. (Or your employer forcing you to!)”
According to the survey, Democrats and people who reported they are worried about becoming seriously ill from COVID-19 are more willing to use the apps, whereas Republicans and people who are less worried about getting infected are more likely to resist use of contact-tracing apps. One barrier to the success of this effort is the fact that 1 in 6 Americans don’t have smartphones, especially among the senior population who are more vulnerable to the virus.
Another barrier to adoption would be concerns about privacy and lack of trust. The poll asked Americans how much they trusted tech companies like Apple and Google, universities, public health agencies and health insurance companies to keep their identities anonymous. More than half of Americans don’t trust tech companies or health insurance companies, and only 56% and 57% do trust universities and public health agencies.
Contact-tracing sounds very dystopian and concerns over privacy are understandable, but are they justified? Apple and Google say that they’d be using Bluetooth technology “with user privacy and security central to the design.” This means that the app will use your phone’s Bluetooth chip to find other devices whose owners have also opted to use the COVID-19 tracking apps. Public health authorities will determine what they consider to be likely exposure, based on physical proximity — six feet or closer based on current CDC guidelines — and time spent in proximity. These variables will be calculated on a user’s phone and if contact is likely, then both phones will log the event, but the information will not be shared with Google or Apple.
The most likely concern here is that governments or third parties can use this tech for surveillance. Google and Apple are essentially addressing this by changing the code that each device’s Bluetooth signals outward every 10 to 20 minutes, limiting a person’s ability to eavesdrop on these codes to track a someone’s movements.
“When a user reports a positive COVID-19 diagnosis, their app uploads the cryptographic keys that were used to generate their codes over the last two weeks to a server,” reports Wired. “Everyone else’s app then downloads those daily keys and uses them to recreate the unique rotating codes they generated. If it finds a match with one of its stored codes, the app will notify that person that they may have been exposed, and will then show them information about self-quarantining or getting tested themselves.”
But it’s not foolproof against correlation attacks or linkage attacks. In the case of a correlation attack, the contacts of an infected person can figure out which people they encountered is infected. “Taken to an extreme, bad actors could collect RPIDS [(rolling proximity identifiers)] en masse, connect them to identities using face recognition or other tech, and create a database of who’s infected,” writes the Electronic Frontier Foundation, a nonprofit that defends civil liberties in the digital world. “A well-resourced adversary could collect RPIDs from many different places at once by setting up static Bluetooth beacons in public places, or by convincing thousands of users to install an app. The tracker will receive a firehose of RPIDs at different times and places. With just the RPIDs, the tracker has no way of linking its observations together.”
Given the global state of emergency, many argue that potential surveillance is a “price worth paying.” The Tony Blair Institute for Global Change recently published a report that argues that the public must accept a level of intrusion that would normally be unacceptable in liberal democracies.
“The paper argues all governments must choose one of three undesirable outcomes: an overwhelmed health system, economic shutdown, or increased surveillance,” reports the BBC.
In May, we’ll see a larger rollout of APIs that can communicate between Android and iOS devices using apps from public health authorities that users can download from the Apple App Store or Google Play. Over the summer, the second phase of the effort will allow exposure notification to be built directly into iOS and Android.
“This is a more robust solution than an API and would allow more individuals to participate, if they choose to opt in, as well as enable interaction with a broader ecosystem of apps and government health authorities,” according to an Apple press release. “Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders. We will openly publish information about our work for others to analyse.”