Apple and Google’s contact tracing APIs and personal privacy


Apple and Google are uniting in a historic collaboration to offer APIs that let state healthcare agencies build apps for tracing the contacts of COVID-19 infections. It shows four key lessons: the importance of Ownership, Privacy and Security; data minimization; that this is hard; and the need for more work.

Apple and Google explained it in this overview graphic (source) and in detailed specs.

At ROWND we think there are a few key lessons here.

  1. Ownership, Privacy, and Security are being emphasized even in the midst of a global pandemic, even by serial abusers like Google. We’re not surprised to see such attention from Apple.
  2. Use only the data you need. Location tracking is not necessary to do this work. Proximity can be determined by BTLE. However, that doesn’t change the fact that our phones are ceaseless location-data surveillance devices that groups less trustworthy than Apple, and even Google, constantly harvest. If you haven’t viewed this disturbing project by the NY Times, you really must.
  3. This is really hard. Google isn’t used to engineering for Ownership, Privacy and Security. Moxie Marlinspike, founder of Signal, outlined security flaws in this scheme in this Tweet thread, especially denial of service (DoS) and others’ use of the Bluetooth Low Energy (BTLE) keys for individual tracking.
  4. This will take more work, and granularity is key. This is a massive undertaking to build APIs and then apps to answer only one simple question: “Have I been within 10 feet of someone infected with COVID-19 for 10 minutes?” There is so much more our scientists and public health officials could benefit from: symptoms, days until onset, biometric measurements, diagnoses, prognoses, outcomes. All of these could measurably improve how we all address this. And we don’t yet have the infrastructure to make it happen.
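To make lessons 2 and 4 concrete, here is an added illustration (not code from Apple, Google or ROWND) of how the decentralized matching answers the “10 minutes” question while the server only ever learns the daily keys of diagnosed users. The identifier derivation is a deliberately simplified stand-in (HMAC-SHA256 rather than the spec’s HKDF/AES), the 10-minute interval and threshold are assumptions, and the “10 feet” signal-strength distance estimate is not modelled.

```python
import hashlib
import hmac

INTERVAL_MINUTES = 10            # assumption: one rolling identifier per 10-minute window
EXPOSURE_THRESHOLD_MINUTES = 10  # the "10 minutes" from the question above


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Identifier a phone broadcasts over BTLE during one interval.

    Simplified model (assumption): HMAC-SHA256 of the interval number under the
    day's key, truncated to 16 bytes. The property that matters is the same as
    in the real scheme: without the daily key, identifiers cannot be linked to
    each other or to a person. Once a key is published, that day's identifiers
    become linkable, which is the tracking concern raised in lesson 3.
    """
    msg = interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


def exposure_minutes(observed, diagnosis_keys, intervals):
    """Runs entirely on the phone; no observation ever leaves the device.

    observed:       set of (interval, identifier) pairs heard at close range
    diagnosis_keys: daily keys published for diagnosed users (all the server sends)
    intervals:      interval numbers covering the published day
    """
    minutes = 0
    for key in diagnosis_keys:
        for interval in intervals:
            # Re-derive what a diagnosed phone broadcast and look it up locally.
            if (interval, rolling_identifier(key, interval)) in observed:
                minutes += INTERVAL_MINUTES
    return minutes


def is_exposed(observed, diagnosis_keys, intervals):
    return exposure_minutes(observed, diagnosis_keys, intervals) >= EXPOSURE_THRESHOLD_MINUTES


# Constructed sample: two other phones (Alice, Bob) and the day's 144 intervals.
ALICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
BOB_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DAY_INTERVALS = range(144)

# What Carol's phone stored: Alice nearby for two intervals, Bob for one.
# No location and no names, only opaque identifiers with a coarse time.
CAROL_OBSERVED = {
    (30, rolling_identifier(ALICE_KEY, 30)),
    (31, rolling_identifier(ALICE_KEY, 31)),
    (80, rolling_identifier(BOB_KEY, 80)),
}

if __name__ == "__main__":
    # Only Alice is diagnosed, so only her key is published: 20 minutes, exposed.
    print(exposure_minutes(CAROL_OBSERVED, [ALICE_KEY], DAY_INTERVALS), is_exposed(CAROL_OBSERVED, [ALICE_KEY], DAY_INTERVALS))
```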

At ROWND we are working to address all of these concerns from the ground up, building a platform for Owners to manage their data on their own terms, with Ownership, Privacy and Security coded in from the beginning.