The world was starting to develop a healthy skepticism for tech companies and their claims of making data privacy a priority. The Facebook-Cambridge Analytica scandal seemed to get our attention and we began to understand how easy it is for groups to track our digital lives.
Then COVID-19 spread with bullet speed across the world and now surveillance of our movements to track the virus is sounding to many like a good idea.
When Apple and Google announced on Friday it would join forces to develop tracing apps for smartphones that could ultimately alert us to our risk of contact with the deadly coronavirus, civil liberties groups issued strong warnings of the potential privacy consequences.
Privacy in the age of COVID-19
The two tech giants vow to make privacy a key feature of any app. But the Electronic Frontier Foundation fears third-parties and bad actors will find ways to get their hands on data.
“Context matters, of course,” the EFF’s Andrew Crocker, Kurt Opsahl and Bennett Cyphers wrote in an essay published shortly after the Apple-Google announcement. “We face an unprecedented pandemic. Tens of thousands of people have died and hundreds of millions of people have been instructed to shelter in place.
“While this gives urgency to proximity app projects, we must also remember that this crisis will end, but new tracking technologies tend to stick around. (Developers) must be sure they are developing technology that will preserve the privacy and liberty we all cherish, so we do not sacrifice fundamental rights in an emergency.”
EFF and others are calling for full transparency on how the apps and APIs operate, include an open-source cord and provide easy-to-understand language of any risks to allow users to give informed consent.
The American Civil Liberties Union said it was encouraged by Apple and Google for a commitment to privacy. But the ACLU noted that greater availability of COVID-19 tests and work to fill shortages of medical equipment would be more effective against the virus than a contact tracing app.
“No contact tracing app can be fully effective until there is widespread, free, and quick testing and equitable access to health care,” said Jennifer Granick, the ACLU’s surveillance and cybersecurity counsel. “These systems also can’t be effective if people don’t trust them. We will remain vigilant moving forward to make sure any contact tracing app remains voluntary and decentralized, and used only for public health purposes and only for the duration of this pandemic.”
‘Techno-magic’ could bring ‘false hope’
The Apple-Google technology will combine Bluetooth, cryptology and location tracking. The voluntary app will use anonymous Bluetooth chirps from smartphones as a way to tell whether you have come into contact or occupied the same space, such as bus, as an infected person.
Various Contact-tracing tools in other countries, including Singapore, South Korea and China have been effective, but in all cases, the programs expose private information to unacceptable risks.
“People are dying. We have to save lives. Everyone understands that,” Pam Dixon, executive director of the World Privacy Forum, told The Guardian. “But at some point, we’re going to have to understand the privacy consequences of this.”
Ross Anderson, a security engineer advising the United Kindom on contact tracing apps, shared several doubts he has about the effectiveness of these apps or the ability for government health officials to keep information private.
The opt-in app Apple and Google eventually releases will only be effective if Bluetooth is on and the cryptography can work with the dozens of different smartphone models in the hands of people, said.
He also said there are many risks of false-positive encounters, like when a person is speaking to an infected person through a closed window or when a Bluetooth signal passes through a plaster wall.
“Our effort should go into expanding testing, making ventilators, retraining everyone with a clinical background from vet nurses to physiotherapists to use them, and building field hospitals,” Anderson wrote on a security website. ”We must call out bullshit when we see it, and must not give policymakers the false hope that techno-magic might let them avoid the hard decisions.”