Tuesday, April 14, 2020

The Google-Apple infection tracker has a privacy problem. Just not the one you think.

By Stewart Baker - April 14, 2020 at 12:29PM

Google and Apple have released specifications for how to use a mobile phone to track coronavirus infections. That's good news. As the country moves toward at least partial resumption of normal life, we're likely to need good tracking capabilities to avoid a second peak in infections, and that can't be done without the cooperation of Google and Apple.

But the more I study the design that these companies are promoting, the less attractive it looks. To be blunt, I think the companies were so eager to avoid criticism from privacy groups and Silicon Valley libertarians that they produced a design that raises far too many barriers to effectively tracing infections. The good news, though, is that Google and Apple won't have the last word. The two companies are creating an absolutely essential set of tools, or APIs, that will allow other tracking apps to interact with phone operating systems. They've also sketched what might be described as the default tracking system that they intend to implement "while maintaining strong protections around user privacy."  This default system is less essential, and a good thing too. The Google/Apple default tracking system is seriously flawed, mainly because it elevates privacy over effectiveness. Luckily, national health systems will be free to write better, more workable tracking apps that can still plug into Google and Apple operating systems without buying into the questionable choices those companies seem to favor.

Public health agencies have tracked infections as a way of stopping the spread of disease for more than a century, and not just for pandemics. It's a routine part of the public health response to syphilis and other sexually transmitted diseases. The process is straightforward. If someone tests positive for an infectious disease, health authorities ask for a list of all his contacts while he had the disease. They track those people down, treat or quarantine them, and then get a list of their contacts. Eventually, everyone in the chain of infection is accounted for, and the chain is broken. COVID-19 is a challenge to this model because asymptomatic infection is so common, which makes it hard to reconstruct all of a COVID-positive person's contacts from memory.

That is what makes mobile phone tracking so attractive. An app that knows where you've been for the last two weeks allows a reconstruction of your contacts that your memory can't match. That's why there's been such an emphasis in many countries on using location data for infection tracking. But as the initial enthusiasm encountered reality, public health officials realized that location data on phones was not well-suited to the task. It wasn't detailed enough, and gathering everyone's locations for the length of the emergency felt unnecessarily intrusive. Singapore came up with a better approach: using not location data but an exchange of Bluetooth signals between the phones of people who were actually close to each other for a period of time. Then, if one of them tested positive, the health authorities could collect the contact data and send alerts to everyone who had exchanged signals with the infected party.

But Singapore's system did not work well with the Android and iOS operating systems. It worked only if the phone was actively scanning for Bluetooth connections all the time, which in practice often meant keeping the phone unlocked with the app in the foreground. The app still hasn't achieved more than about twenty percent market share.

Google and Apple soon realized that for such a system to work, they would have to adapt the operating system to the needs of a disease tracking app. That's why they are developing new APIs. At the same time, their engineers seem to have decided that they could make an app that worked like Singapore's but had more privacy protections. That idea is the source of the default tracking app they are promoting.

It's also the source of most of the problems with the default app. Probably the biggest mistake the default app makes is trying to build a tracing system that will be completely independent of any central health authority. That's not realistic or wise. Real-world disease tracing systems like Singapore's (and like those of the United States for a century) all rely on the public health authorities to identify infected people, collect their contacts, and notify those at risk. But Silicon Valley is in love with a "trust no one" approach to security that is grounded in an assumption that centralized systems can be abused if authoritarian governments get access to the data. That's always possible, but the risk is pretty modest in this case, since the only data at issue is two weeks' worth of contacts. And any authoritarian government worth its salt could get far more location and contact data simply by subpoenaing Google's adtech files. Nonetheless, Google and Apple are pushing a default app that does not depend on centralized administration and therefore is guarded against that particular abuse.

But in preventing abuses from the center, such an app would invite many abuses from the edge. The design seems to envision a regime in which testing results are known to health authorities, but the place and identities of those who've come into contact with each other are never disclosed. That means the health authorities can tell someone who tests positive to notify his contacts, but they will have no way of knowing whether he follows their advice. Predictably, some people won't. Maybe they'll forget. Maybe they'll be worried about retaliation from those they've exposed. And maybe they'll just be freeloaders who wanted to be notified if they were at risk but have no interest in notifying others. By leaving the decision to the user, and even creating additional barriers to notification with a separate "consent to notify" hurdle, the default design from Google and Apple compromises public health in the name of privacy.

Other abuses are made possible by the designers' preference for keeping information from the authorities. In the default design, those getting a notification are told only that they've been near an infected person, but not who and not where. Anonymity breeds irresponsibility, as many Zoom users learned in recent weeks. Surely some irresponsible app users will be delighted to cause random grief by sending out false infection alerts to everyone with whom they've been in contact. Google and Apple say that they can prevent that by having public health authorities verify test results. But a verification process, such as cryptographic signing of test results, is likely to add substantially to notification friction.

The same effort to keep data out of the hands of a central administrator leads the Google and Apple engineers to store and process all contact data locally on the phone. This is bad news for anyone who loses or has to reset their phone. It looks as though, under the default Google/Apple design, those already unfortunate people also lose their contact records and thus run the risk of missing a notice that they may have been exposed. Indeed, as far as I can see, the design doesn't even allow people to store a backup of their contacts in the cloud. Similarly, suppose a person using the app comes to the health system's attention by collapsing in public, or by dying before they make it to the hospital, as all too many victims have. In that case, it would be impossible to trace the person's contacts or notify those affected. Apple's famously law-enforcement-hostile phone design will ensure that the authorities can open neither the phone nor the app.
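The decentralized flow the preceding paragraphs describe (phones exchanging rotating Bluetooth identifiers, a contact log that lives only on the handset, a positive user's keys published only after the health authority vouches for the result, and every phone doing its own matching) can be seen end to end in the simulation below. It is an added, deliberately simplified model written for this page, not the Google/Apple specification and not any real app: the HMAC-based key derivation, the 10-minute rotation period, the 14-day window, and the HMAC "certificate" standing in for a real public-key signature are all assumptions. The constructed scenario also exercises the two consequences argued above: an upload with no verified test result alerts nobody, and a phone that has been wiped can no longer discover an exposure it had logged.

```python
"""Toy decentralized exposure-notification flow (illustrative model, not the Google/Apple spec)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

DAY = 86_400       # seconds per day
ROLL = 600         # assumed identifier rotation period: 10 minutes
HISTORY_DAYS = 14  # the two-week contact window the article refers to


def derive_daily_key(tracing_key: bytes, day: int) -> bytes:
    """Per-day key from a long-term per-device secret (assumed HMAC construction)."""
    return hmac.new(tracing_key, b"DTK" + day.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


def derive_rpi(daily_key: bytes, interval: int) -> bytes:
    """Rolling proximity identifier for one ROLL-length slot of the day."""
    return hmac.new(daily_key, b"RPI" + interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    tracing_key: bytes = field(default_factory=lambda: os.urandom(32))
    observed: dict = field(default_factory=dict)  # rpi -> time first heard; never leaves the phone

    def daily_key(self, day: int) -> bytes:
        return derive_daily_key(self.tracing_key, day)

    def beacon(self, t: int) -> bytes:
        """Identifier this phone broadcasts over Bluetooth at time t."""
        return derive_rpi(self.daily_key(t // DAY), (t % DAY) // ROLL)

    def hear(self, rpi: bytes, t: int) -> None:
        self.observed.setdefault(rpi, t)

    def wipe(self) -> None:
        """Lost or reset phone: the only copy of the contact log is gone."""
        self.observed.clear()

    def diagnosis_keys(self, today: int) -> list:
        """What a positive user uploads: per-day keys only, no contacts, no locations."""
        return [(d, self.daily_key(d)) for d in range(max(0, today - HISTORY_DAYS + 1), today + 1)]

    def check_exposure(self, published: list) -> list:
        """Re-derive every identifier a published key could have produced; match locally."""
        return [(day, self.observed[rpi])
                for day, key in published
                for rpi in (derive_rpi(key, i) for i in range(DAY // ROLL))
                if rpi in self.observed]


def encounter(a: Phone, b: Phone, t: int) -> None:
    """Two phones within Bluetooth range at time t exchange their current identifiers."""
    a.hear(b.beacon(t), t)
    b.hear(a.beacon(t), t)


class HealthAuthority:
    """Vouches for a positive result. An HMAC under its secret stands in for a real signature."""
    def __init__(self) -> None:
        self.secret = os.urandom(32)

    def certify(self, keys: list) -> bytes:
        blob = b"".join(d.to_bytes(4, "big") + k for d, k in keys)
        return hmac.new(self.secret, blob, hashlib.sha256).digest()

    def verify(self, keys: list, tag: bytes) -> bool:
        return hmac.compare_digest(self.certify(keys), tag)


class DiagnosisServer:
    """Holds nothing but certified per-day keys; it never learns who met whom or where."""
    def __init__(self, authority: HealthAuthority) -> None:
        self.authority, self.published = authority, []

    def upload(self, keys: list, tag: bytes) -> bool:
        if not self.authority.verify(keys, tag):
            return False  # an unverified "I'm infected" claim alerts nobody
        self.published.extend(keys)
        return True


def run_scenario() -> dict:
    """Constructed scenario: Alice meets Bob on day 3, never Carol; Alice tests positive on day 10."""
    authority = HealthAuthority()
    server = DiagnosisServer(authority)
    alice, bob, carol, mallory = Phone(), Phone(), Phone(), Phone()
    encounter(alice, bob, 3 * DAY + 12 * 3600)
    encounter(bob, carol, 5 * DAY + 9 * 3600)      # unrelated to Alice's case
    forged = server.upload(mallory.diagnosis_keys(today=10), os.urandom(32))  # no verified result
    keys = alice.diagnosis_keys(today=10)
    accepted = server.upload(keys, authority.certify(keys))
    bob_hits = bob.check_exposure(server.published)
    carol_hits = carol.check_exposure(server.published)
    bob.wipe()                                      # Bob resets his phone, then checks again
    return {"forged_upload_accepted": forged, "alice_upload_accepted": accepted,
            "bob_exposed_on_days": [d for d, _ in bob_hits], "carol_exposed": bool(carol_hits),
            "bob_exposed_after_wipe": bool(bob.check_exposure(server.published)),
            "server_records": len(server.published)}
```

Running `run_scenario()` shows the trade-off in miniature: the server ends up holding eleven per-day keys and nothing else, so it cannot reconstruct who met whom or where, which is the property the design is built for and the reason the health authority in this model learns nothing about Bob or Carol; the only thing standing between a prankster and mass false alerts is the authority's certificate check, which is exactly the extra step the text calls notification friction; and once Bob's phone is wiped his exposure on day 3 is simply unrecoverable, because no other copy of his contact log exists.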

That's a lot of dysfunction to suffer just to avoid the theoretical risks of a centralized infection tracing system like the ones we've been using for the last hundred years.

A related problem is that Google and Apple seem to assume that infection tracing needs the same kinds of user consent as a weather or traffic app. (And, to be fair, the designers may believe that more privacy features will induce more users to download the app.) But it's increasingly clear that to be effective, a tracing app is going to require a market share well over 50%. That can't be achieved by throwing something into the app store and waiting for users to find it. Even though Singapore's app has substantial privacy protections and its populace is generally compliance-minded, the app is being used by less than a fifth of the population. In fact, as I've said before, it's likely that mobile phone infection tracking will only work if Google and Apple are required to install such an app automatically on Androids and iPhones, the way Apple Maps or iTunes updates are auto-downloaded, last time I checked. (Apple is, after all, famous for having automatically sent all its users a U2 album that none of them ordered.) Google and Apple have said that they intend to add a contact tracing platform to their phone operating systems, though it's not clear that the feature will be on by default.

At the end of the day, the purpose of infection tracing is to notify people who may have been infected. Unfortunately, without a lot of changes, the Google/Apple system will make notification a lot less likely. First, in an effort to reduce the role of central authorities, the app design separates testing from contact tracing, so the health authorities who do the testing can't confirm that the contacts got notice of the result. Instead, the design imagines that someone who tests positive will be given the option of sending notice. That means friction every step of the way—a user who tests positive must remember to send the notice, open the app, navigate the "do you really consent?" screen, and wait for the notification to upload.  And all of those steps depend entirely on the user's sense of social responsibility.  That's just a bad idea. At a minimum, public health authorities need to be able to tell who tested positive but didn't send notifications.  That would allow the authorities to ping those who didn't notify others, reminding them to do so. It would also allow the health authority to impose fines or other sanctions on those who use the system to protect themselves but not others.

Finally, Google and Apple's assumption that tracking apps should keep location data away from health authorities leads to absurd results.  It's quite true that in most cases, there's no need to record the exact location where each contact occurred. What matters most is just whether one person was in close proximity to another. But there are times when location matters too. Someone who gets a notice and can't figure out how the contact occurred might want more data before quarantining himself; maybe there was a wall that Bluetooth didn't recognize between him and the infected party, or perhaps they were standing outside with a breeze blowing between them.  I suspect that few people will thank Google and Apple if we end up with an American tracking app that assumes that it's better for them to endure an unnecessary two-week quarantine than for them to tell health authorities the location of their potential infection.

Being able to get precise location data in at least some cases will be especially important if commerce resumes and the app is not universally adopted. Suppose that an infected person spends time at a Starbucks, where a quarter of the people in the shop have installed the Google/Apple app. When the infected person sends out a notice, only a quarter of the customers will get it. Some of them will suspect that the contact was at Starbucks, but without the infected person's location data, authorities would have no idea where the exposures occurred. What if health authorities want to find the other customers, plus the barista? It wouldn't be that hard if they knew the place and time of the infected person's visit. The barista's hours are already recorded by Starbucks, and customers who were there at the time could be found through payment records. But it appears that the Google/Apple app makes no provision for public health authorities being able to identify hotspots by time and location. In fact, in the world the two companies envision, potentially infected parties themselves apparently won't know for sure where their exposure occurred.

These are a lot of problems, most of them stemming from design assumptions that start in the wrong place, privileging decentralization and anonymity over the goal of defeating the virus. Don't get me wrong. Google and Apple deserve a lot of credit for having stepped up to the challenge of providing essential APIs. We're going to need their help to get a tracing app onto phones all over the country. But the companies also have blind spots, and a fear of getting crosswise with privacy advocates is one of them. This means we can't simply trust them to set the parameters for a tracing app that does what we want in the real world.

And we don't have to. Pandemics force us to trust elected leaders with great power over individuals and businesses. State governments have ordered people to stay home even at the cost of their jobs. Governors have been given authority to seize private supplies of ventilators and to close otherwise lawful businesses and gatherings, even church services on Easter. And as I've written before at greater length, 40 states have adopted a post-9/11 public health emergency law that gives governors broad authority to intervene in private industry to respond to crises. This authority extends even to companies that deal in "communication devices." If they can mandate that people sacrifice jobs and access to in-person religious services, surely state governors can also order companies like Google and Apple to build an interface that works with tracking apps that actually fit society's needs and not Silicon Valley's conventional wisdom.


from Reason Magazine Articles