Is Apple and Google's Covid-19 Contact Tracing a Privacy Risk?
They may want to do so to make the system more efficient, argued cryptographer Moxie Marlinspike, creator of the popular encrypted communications app Signal, in a series of tweets following Apple and Google's announcement. According to the initial description of Apple and Google's API, every app user's phone would have to download the keys of every newly diagnosed Covid-19 person every day, which would quickly add up to a significant load of data. "If moderate numbers of smartphone users are infected in any given week, that's 100s of [megabytes]" for every phone to download, Marlinspike wrote. "That seems untenable." Instead, apps could better determine who needs to download which keys by collecting location data, sending users only the keys relevant to their area of movement.
Representatives from Google and Apple's joint project and the TCN Coalition had the same response to this point: If the app simply asks the user for their region, that very general location would allow the app to download a manageable number of keys. By both groups' back-of-the-napkin math, telling the app what country you're in would reduce the daily key download a megabyte or two, no GPS tracking required.
That doesn't mean some apps using Google and Apple's API won't ask for location data anyway. Health care organizations may miss the point of a system that avoids using GPS, or simply want the extra data to help better track infections. Google and Apple point out that if a location-tracing app wants to use GPS, it will need to first ask permission from the user, just as any app does.
But the question of location data points to a larger issue: Google and Apple can only point developers toward the most privacy-preserving approach. Every app will need to be judged independently on how it implements that framework. "There are a lot of additional problems that an app developer would need to work through in order to ship a product," Marlinspike wrote. "That can possibly be done responsibly, but Apple/Google aren't doing it for us."
Can the App Itself Identify Covid-19 Patients?
Bluetooth-based Covid-19 contact-tracing schemes are designed to upload no data from most users, and only anonymous data from people who are infected. But it still uploads some data from users who report themselves as positive. That raises the question of whether the upload can truly be anonymous, given how hard it is to move any data across the internet without someone learning where it came from.
Even if the keys that the app uploads to a server can't identify someone, they could, for instance, be linked with the IP addresses of the phones that upload them. That would let whoever runs that server—most likely a government health care agency—identify the phones of people who report as positive, and thus their locations and identities.
Apps can prevent anyone other than the server from eavesdropping on those IP addresses and identifying diagnosed users by using HTTPS encryption and also padding data they upload to obscure it, says Johns Hopkins' Green. But you still have to trust the app server itself not to collect and store identifying data from those uploads.
The TCN Coalition and the Google/Apple project both say the server shouldn't collect those IP addresses as a matter of policy. But it's up to the app developer to follow that policy.
In fact, many health care agencies will want to identify Covid-19-positive people. On that point, however, a representative from the Google/Apple project argued that trying to keep the Covid-19 status of infected patients secret from health care agencies themselves may be an unrealistic goal. After all, these are likely the same agencies administering Covid-19 tests. As such, the public has already entrusted them with identifying data about Covid-19-positive people.
What About False Positives?
Aside from surveillance issues, there's also the problem of making sure a Bluetooth contact-tracing app doesn't overwhelm people with incorrect warnings that they've been exposed. Those false positives could come users self-diagnosing incorrectly or worse, trolls spamming the system. University of Cambridge computer scientist and cryptographer Ross Anderson warned that "the performance art people will tie a phone to a dog and let it run around the park" to create canine contact-tracing chaos.
Cristina White, the executive director of contact-tracing project Covid-Watch and a Stanford computer scientist, suggests a solution to those problems: Only allow people to report a positive diagnosis with a health care provider's approval. To create that safeguard, Covid-Watch would distribute a separate app to health care providers that generates unique confirmation codes. When doctors or nurses have determined that a patient is Covid-19-positive, they would tap a button to generate a confirmation code and give it to the patient, who then enters it into their contact-tracing app. A representative from Apple and Google's joint contact-tracing project said that their system similarly envisions that patients can't declare themselves infected without the help of a health care professional, who would likely confirm with a QR code.
April 17, 2020