True North Networks Blog
Will the Proposed Google and Apple COVID-19 Initiative Violate Privacy Rights?
The UK Information Commissioner’s Office (ICO) has recently released its opinion on Google and Apple’s collaboration initiative on COVID-19 contact tracing technology. The opinion sets out the regulator’s stance on the joint initiative between the two parties. In short, Google and Apple are not building an application, but rather functionality (through APIs, or Application Programming Interfaces) that third parties can leverage to create contact tracing applications that exchange information through Bluetooth. The technology will be able to track whether a person has encountered another individual who has been diagnosed with COVID-19. Let’s say you have a public health application that leverages this technology downloaded on your phone and you are out shopping at your local grocery store. If you come across another person in your vicinity who has downloaded the app and has tested positive for COVID-19 (either now or in the future), you will receive an alert on your phone, provided their test result has been recorded in the application. The personal information of the individual who has tested positive will remain anonymous, and other users will not receive an alert unless they have also come across the individual.
There has been a lot of speculation about whether this application violates the privacy rights of individuals. According to the ICO, the proposal currently follows the principle of privacy by design and incorporates adequate security measures for the data. Google and Apple released a simple overview of the contact tracing technology’s capabilities. Some of the key points from the release are summarised below:
- User consent is required
- Doesn’t collect identifiable information or user location data
- Your list of contacts doesn’t leave your phone
- People who test positive are not identified to other users, Google or Apple
There are a few others, but these are the most important ones from a privacy perspective. This technology will be extremely beneficial for people around the world, especially since Google and Apple are planning on interoperability between the two platforms, but nothing comes without its risks. So far for this project, it appears that both parties are respecting privacy and security principles when creating the new contact tracing technology. As of now, the biggest risk will come from third-party developers or the public health authorities who create applications wanting to leverage the new contact tracing technology. Although the contact tracing technology collects minimal information itself (as highlighted in the linked overview above), this does not prevent the applications from collecting more information or aggregating the information with other data about a user. Application creators will have to assess the data protection implications before implementing the application and ensure that the processing of personal data is lawful.
So far, plans for two phases have been released. In phase one, applications that are built using the new contact tracing technology will be provided through the app stores of the respective devices, which means that users will have a choice on whether they download applications that leverage this technology. However, from our current understanding, in phase two, the contact tracing technology will form a part of the device’s OS. This means that it will become more difficult to refuse the enablement of the contact tracing technology, reducing the freedom of choice for the user. Users could always disable Bluetooth in their settings (or remove it by other means), but as stated by the ICO, “a user should not have to take action to prevent tracking.” This is in line with the “opt out by default” principle, which suggests that users should always have to opt in to personal data collection instead of being opted in by default and afterwards provided the opportunity to opt out.
Although there are some risks, they seem to be low in comparison to the benefits that this new technology will provide. Google and Apple have been extremely transparent and have done a phenomenal job of providing guidance as to how they will be implementing this technology. Even though there are some kinks to work out, this level of commitment to privacy and security is pivotal to creating innovative and successful technologies. Large organisations should continue to work together to embrace privacy and security’s role in the development of new technology. This will not only help the organisation’s bottom line, but also build trust with the end users who rely on their products.
By Lecio De Paula, Data Privacy Director, KnowBe4