- There’s a power battle between the UK, Germany, and France on one side and Apple and Google on the other about coronavirus contact-tracing.
- Like other countries, the UK, Germany, and France are creating apps that will track people who report COVID-19 symptoms or test positive and then alert those they have had contact with.
- The fight centers on how much data these apps gather up and where that information is stored, with Apple and Google pushing for a more privacy-friendly approach.
- If France, Germany, and the UK try and roll out their apps in defiance of Apple and Google, there’s a good chance they won’t work properly, particularly on iPhones.
- Visit Business Insider’s homepage for more stories.
The UK, France, and Germany are locked in a power battle with Apple and Google over the way COVID-19 should be tracked via apps.
Like other nations, the three countries are racing to launch apps that would rely on signals broadcast via Bluetooth to monitor the spread of COVID-19.
Broadly, this is how such apps will probably work: if someone running the app reports coronavirus symptoms and tests positive, the app will alert people who may have had contact with them over the previous 14 days. These people can then go for testing themselves.
It’s a digital form of “contact-tracing,” an established way for public health authorities to find and notify people with exposure to a disease.
The current fight centers on how much data these apps gather up and where that information is stored, with Apple and Google pushing for a highly privacy-friendly approach.
Contact-tracing is an established way of monitoring disease outbreak, and it’s becoming digital during coronavirus
Contact-tracing has conventionally been performed manually, but with global smartphone penetration averaging out at an estimated 80%, using apps may make more sense.
The risk here is that individual countries each put out their own apps based on wildly different privacy protocols and technologies, ending up in a piecemeal approach and increased surveillance. Most people in western Europe certainly aren’t used to any form of pervasive tracking by authorities.
Apple and Google, being the dominant providers of smartphone software as the makers of iOS and Android, respectively, have sought to unify the approach by jointly creating an API.
Public health authorities and governments can base any contact-tracing apps they build on Apple and Google’s API, making for a consistent, privacy-friendly approach. You can read about the Google-Apple API and how it works here.
The issue is that Apple and Google will only permit apps that meet their privacy standards to use their API, and not every country seems to agree with those standards. Similarly, Google and Apple unveiled their joint API after several countries began building their apps.
The tension lies in how, exactly, contact-tracing apps collect information, who they receive it from, and where they store it.
The UK, Germany, and France are pursuing a centralized approach not currently permitted by Apple and Google
The UK has not revealed in-depth technical details of its app. Still, expert sources with knowledge of its development, and public statements indicate that authorities want to be able to collect and analyze more data than the tech giants are comfortable with. A key plank of Google and Apple’s API is a limit on the amount and type of information collected.
If apps collect more data than basic privacy-preserving identifiers, it would almost certainly need to be stored in a centralized way by health authorities or governments. This is what Apple and Google oppose. Their API relies on a decentralized approach and a minimal amount of data collection.
“I am worried about function creep,” said Eerke Boiten, cybersecurity professor at De Montfort University. “You shouldn’t collect more data than you need to in the first place, which is known as data minimization.”
Professor Boiten added that if, in the UK, the NHS simply wanted to send out Bluetooth alerts to people about possibly being infected, there would be zero reason to store that information centrally.
But it sounds like the UK wants people to hand over more data. On Friday, NHSX, the arm of the NHS developing app, said: “In future releases of the app, people will be able to choose to provide the NHS with extra information about themselves to help us identify hotspots and trends.
“Those of us who agree to provide this extra information will be playing a key role in providing additional information about the spread of COVID-19 that will contribute towards protecting the health of others and getting the country back to normal in a controlled way, as restrictions ease.”
Boiten said: “The NHS’ app announcement includes a statement that people can choose to give the app additional information. That’s an inherently centralized idea.”
Professor Ross Anderson, a University of Cambridge computer scientist who advised the government on the app, previously told BI that UK authorities wanted to collect more information to conduct “fine-grained” contact-tracing to enable epidemiologists to take more effective action in response to COVID-19.
As it stands, none of these apps will probably work on the iPhone
Why does this all apparently technical quibbling matter?
The governments could simply go ahead and launch apps based on their preferred protocols and technology. But here they run into the global power of these two tech giants, and the fact they have the entire 3.5 billion smartphone ecosystem tied up.
The way France, the UK, and Germany’s contact-tracing apps are thought to work means that they would require phones to scan for Bluetooth signals continuously. It is not something permitted on the iPhone, which only allows such scanning if an app is open and running on your phone screen. If you swipe away from the app or lock your phone, the scanning stops. To get the app to work correctly, you would need to have it running all the time on your unlocked phone — itself a privacy and theft risk.
This effectively renders Bluetooth contact-tracing apps useless — and it’s been a key problem for Singapore’s TraceTogether app, which was only downloaded by about a sixth of the population, according to The Economist. And yet the success of contact-tracing apps relies on the bulk of the population using them.
Here is where the Apple-Google API comes in. The two firms will make an exception on this Bluetooth scanning restriction for contact-tracing apps that meet their privacy standards. Obey our privacy standards and your Bluetooth contact-tracing app will work, is the message to governments.
While privacy advocates have praised the Apple-Google approach, which should ensure governments aren’t spying on you more than they need to, some countries appear to dislike the restrictions.
France, as first reported by Bloomberg, has lobbied Apple to permit its Bluetooth-powered contact-tracing app saying that the current restrictions mean its app won’t work correctly.
Per TechCrunch’s reporting, Germany also appears to be pushing for a more centralized approach with its app, which will do more than just issue Bluetooth alerts. Reuters reported that Germany’s chancellor Angela Merkel is in talks with Apple.
And sources told Business Insider earlier this month that the UK was likewise lobbying Apple to permit the current version of its app.
It’s possible European countries will fall in line with Apple and Google
Sources with knowledge of the UK’s app development expect the NHS to rewrite the contact-tracing app to abide by Apple and Google’s rules, but public statements so far mean this is still ambiguous.
NHSX said on Friday: “We are working with Apple and Google on their welcome support for tracing apps around the world.”
This, according to both Profs. Anderson and Boiten, is not a guarantee the NHS will reconfigure its app.
“That is a little unclear, because of the way they have phrased it,” said Professor Boiten. “You could [take it to mean] they’ll connect directly to the Google-Apple proposal, which would be good, but it could also mean they realize that for the app to work they need to collaborate with Google and Apple, and so [add to] the French pressure on Apple.”
Anderson said: “I expect that the UK, French, and German governments are still arguing with Google and Apple behind the scenes.”
A further complication is that other European countries have backed a decentralized technical solution, called Decentralized Privacy-Preserving Proximity Tracing (DP-3T). This does align with Google and Apple’s requirements. Estonia, Austria, and Switzerland will all base their apps on the DP-3T protocol.
While it may make more sense for the UK, France, and Germany to change up their approach, it would be another indication of Apple and Google’s global power.
As Logan Finucan, senior manager of data and trust for Access Partnership notes: “None of this would be possible without the technology these companies provide. I don’t think it is entirely unreasonable for Google and Apple to refuse to be deputized to carry out state surveillance. Because if France can do it, then China and Iran want it too, which could enable harms we don’t want on a much larger scale.
“At the end of the day, while governments will be accountable to their citizens, technology providers will be responsible to their consumers. If people don’t trust the technology, they won’t use it, and that helps no one.”
Join the conversation about this story »
NOW WATCH: A cleaning expert reveals her 3-step method for cleaning your entire home quickly