April 20, 2020
By Jennifer McKenzie and Amanda Branch
On April 10, 2020, Google and Apple announced that they would partner to develop Bluetooth technology to help governments and health agencies reduce the spread of the COVID-19 through contact tracing.
Contact tracing is the tracing of individuals who may have been in contact with COVID-19 positive individuals. In theory, those who have been in contact with infected individuals are contacted by tracers and assessed whether they are at low or high risk and if the latter, told to isolate for 14 days.
Public health officials believe that contact tracing is critical to combatting the pandemic. In the last few days, South Korea has brought the spread of COVID-19 virus to single digits, in part, through aggressive contact tracing by technological means. Other Asian countries have also been successful through their contract tracing.
Why is contact tracing critical? It has to do with the transmission of respiratory infections, which is through close proximately to infected individuals. According to current evidence published by the WHO, the COVID-19 virus is primarily transmitted by respiratory droplets. This occurs when a person is in close or direct contact (within 1 m) with someone who has respiratory symptoms, such as coughing or sneezing, and exposes the uninfected person to the potentially infective droplets through his/her mouth, nose or eyes. However, transmission may also occur through indirect contact such as touching the surfaces in the immediate environment of an infected person or through objects used to treat an infected person (e.g., stethoscope or thermometer).
Google and Apple are proposing a two stage launch of the contact tracing technology. In May, both companies will release application program interfaces (“API”) that enable interoperability between Android and iOS devices using apps from public health authorities. (APIs are a set of tools for building software applications.) The apps will be available for users to download from their respective app stores.
After this initial phase, Apple and Google will work to enable a broader Bluetooth-based contact tracing platform, which is intended to be a more robust solution than an API. More individuals would be able to participate voluntarily and the platform would enable interaction with a broader ecosystem of apps and government health authorities.
Dave Burke, VP Engineering (Android) at Google and Bud Tribble, VP of Software Technology at Apple, appeared on CBS News Sunday Morning on April 19 to discuss the partnership and the technology. In lay person’s terms, this is how the technology would work. An individual can voluntarily download an app from a government or health agency onto their Android or iOS phone (the “Public Authority App”). Through Bluetooth, the Public Authority App will keep track of all the other phones the user’s phone has been near throughout the day. Each participating phone will continuously broadcast Bluetooth beacons, which change frequently (to help maintain anonymity) and are derived from a cryptographic key. At the same time, the participating phone will constantly monitor the phones around them and record the codes of any other phones they encounter within a certain range and time. If a participating individual is positively diagnosed with COVID-19, if he so chooses, he can enter that information in the Public Authority App which then uploads the cryptographic keys that were used to generate beacons over the last two weeks to a server. If other users of the Public Authority App “match” with the infected user, (meaning they were near that infected individual) they will receive an alert that they may have been exposed. The alert will not disclose who or where the contact occurred. The entire system is decentralized and opt-in. If the infected individual does not disclose the positive COVID-19 test through the Public Authority App, all others who were in contact with him will not get an alert.
The COVID-19 pandemic has underscored the tension between the need of personal information about infected individuals while preserving their privacy. In their press release, Google and Apple state that privacy, transparency, and consent are of “utmost importance in this effort”. Nevertheless, following the announcement, many commentators raised privacy concerns, even though it is premised on participant opt-in.
The development of the technology renews interest in “privacy by design”, which was a concept developed in the 1990s to address the privacy concerns raised by large scale networks of data. Dr. Ann Cavoukian, the former Information and Privacy Commissioner of Ontario and the now Executive Director of Global Privacy and Security by Design Centre, has a summary of the seven fundamental principles of this concept. The principles of this concept include that privacy must be proactive and not reactive by anticipating privacy invasive events before they happen or materialize. The concept is also premised on the principle that privacy is the default setting, which seeks to deliver maximum privacy protection, even if the individual does nothing. Apple has been commended for its approach to privacy and its renewed focus on privacy by design. Apple’s Privacy page states that it “designs Apple product to protect your privacy and give you control over your information”. This commitment to considering privacy throughout the design and development process is further echoed in its Privacy Governance statement, which notes that Apple “designs products and services according to the principle of privacy by default” and it collects only the minimum amount of data necessary to provide users with a product or service. We also see this theme continued in the contact tracing project, which states that user privacy and security are central to the design.
While this initiative has been largely praised for its privacy-conscious approach (for example, see letter signed by 300 academics around the world), it is not without criticism. For example, this initiative relies on individuals self-reporting, which they may not do. There is also the potential for false positives, users trolling or spamming the system or users incorrectly self-diagnosing. Further, there have been reports that as many as 2.5 billion users may not be able to use these apps because of geographic restrictions (e.g., China has banned Google software and services in the country) or because their devices are outdated or incompatible. It is important to note that Google and Apple are not writing the actual apps, but rather are helping public health agencies create the apps. This creates further questions, like could the owner of the Public Authority App override any individual’s decision in order to combat a greater public health risk?
The Google and Apple partnership is an important initiative that balances the urgent need to prevent and respond to COVID-19 cases while also protecting user privacy. Google and Apple have announced their intention to be transparent. To that end, they have published draft technical documentation and intend to openly publish information about their work for others to analyze.
Content shared on Bereskin & Parr’s website is for information purposes only. It should not be taken as legal or professional advice. To obtain such advice, please contact a Bereskin & Parr LLP professional. We will be pleased to help you.