Privacy and New Google-Apple COVID-19 Tracing Technology

Author(s): 
Publication Type: 
Other Writing
Publication Date: 
May 7, 2020

On Monday, May 4, Google and Apple shared sample code for their new contact tracing technology—tools that they have jointly developed to help to slow the spread of COVID-19 by using cell phones to aid the labor-intensive process of tracking down people who have been in contact with those infected.  The companies also released guidelines to protect user privacy.  Here, Al Gidari, the Consulting Director of Privacy at the Stanford Center for Internet and Society at Stanford Law School, discusses the new tools and privacy concerns surrounding tech in contact tracing.

Google and Apple are developing tools for an app (though they may develop or help to develop apps going forward). Who would develop an app?

At this point, it will be up to the states and their public health authorities to develop the app, conforming to the Google-Apple specifications. The Google-Apple operating system changes are limited in purpose to helping states ensure the broadest possible exposure notification while protecting user privacy. The approach relies upon a confirmed tested positive person getting the state-confirmed test result identifier so that the Bluetooth app can be triggered to send notices to others who downloaded that app and who came within contact of the infected person. This approach reduces security risks of false positive alerts by bad actors and ensures the integrity of the system. The app [using Googele-Apple technology] would be available for download in the Play or Apple Store. The app will not be able to draw on other location information from the device, must be opt-in by definition inasmuch as the user downloads it, does not share personally identifiable information, and will be disabled when the pandemic abates.

Are there other apps for this?

There are other apps being developed by nations, states, private parties and others, but the distinction here is that the Google-Apple approach is decentralized, temporary, and does not result in information sharing with governments.

Can you briefly tell us how the Google/Apple technology would work to help with contact tracing?

It is better to think about the Google/Apple approach as an exposure notification system. In other words, it doesn’t actually permit direct tracing by public health officials but rather allows people to be notified that they were exposed to someone who tested positive in the past few days. Once notified, it will be up to the state public health authorities to decide what happens next. For example, a notified person without symptoms could be instructed to self-isolate for two weeks. Or, someone with some symptoms could be instructed to go get tested or call their doctor.  Exposed users could be asked to report the notification so that public health can see the trajectory of the disease and it would be up to them whether to do so or not.

Read the full piece at SLS Legal Aggregate