The American Civil Liberties Union (ACLU) has praised some aspects of the Apple/Google coronavirus contact tracing API, while saying that the companies need to do better in three areas.
The ACLU says that any electronic contact tracing needs to respect six principles. The Apple/Google API makes “a strong start” with these, it says, but it has three criticisms …
The ACLU’s six principles are:
- Voluntariness — Whenever possible, a person testing positive must consent to any data sharing by the app. The decision to use a tracking app should be voluntary and uncoerced. Installation, use, or reporting must not be a precondition for returning to work or school, for example.
- Use Limitations — The data should not be used for purposes other than public health — not for advertising and especially not for any punitive or law enforcement purposes.
- Minimization — Policies must be in place to ensure that only necessary information is collected and to prohibit any data sharing with anyone outside of the public health effort.
- Data Destruction — Both the technology and related policies and procedures should ensure deletion of data when there is no longer a need to hold it.
- Transparency — If the government obtains any data, it must be fully transparent about what data it is acquiring, from where, and how it is using that data.
- No Mission Creep – Policies must be in place to ensure tracking does not outlive the effort against COVID-19.
It begins by praising the decision not to track locations.
The Apple/Google proposal, for instance, offers a strong start when measured against these technology principles. Rather than track sensitive location histories, the Apple/Google protocol aims to use Bluetooth technology to record one phone’s proximity to another. Then, if a person tests positive, those logs can be used to notify people who were within Bluetooth range and refer them for testing, recommend self-isolation, or encourage treatment if any exists.
The organization also likes the way the API doesn’t use personally-identifiable data. However, it says, there are still three issues with it.
First, it doesn’t allow the user to confirm contacts at the time they are logged. This is an issue that has been raised before: Bluetooth range can indicate exposure when there was in fact none, for example when two people are close together but separated by a wall or a car window.
Second, users cannot review data prior to upload. This should, it believes, offer a second opportunity for app users to review the contacts and delete any that did not carry any exposure risk.
Third, it says it is not satisfied that the amount of data captured cannot be used to identify people.
These latter two points are effectively impossible to implement, however. Users can’t review the contacts recorded because the whole point of using Bluetooth codes is that individuals cannot be identified. So a user would have no way of knowing which codes to redact. And you cannot reduce the data without compromising the ability to identify exposure.
It would technically be possible to allow a user to exclude false contacts. For example, there could be a toggle that allows us to say we are alone in a room or vehicle, even if there may be people the other side of a thin wall or outside our sealed car. However, the more you rely on people manually toggling things on or off, the less reliable the apps would become.
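The mechanism the ACLU is assessing, as an added illustration that is not Apple's or Google's code: the HMAC-based key schedule, the ten-minute interval numbers and the phone names are simplifying assumptions standing in for the real specification. Phones broadcast opaque rolling codes, a positive user publishes only a daily key, and every other phone matches locally; the run also shows why a user has nothing meaningful to review in the log, and why a through-the-wall contact produces exactly the same log entry as a real one.

```python
import hashlib
import hmac


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Opaque code a phone broadcasts during one interval (HMAC sketch, not the real spec)."""
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str, daily_key: bytes) -> None:
        self.name = name
        self.daily_key = daily_key
        self.seen = []  # (interval, code) pairs heard over Bluetooth

    def broadcast(self, interval: int) -> bytes:
        return rolling_identifier(self.daily_key, interval)

    def hear(self, interval: int, code: bytes) -> None:
        # Only the code is stored: no name, no location, no wall-or-window context.
        self.seen.append((interval, code))

    def exposure_count(self, published_keys: list) -> int:
        """Re-derive codes from keys uploaded by positive users and match the local log."""
        hits = 0
        for interval, code in self.seen:
            for key in published_keys:
                if hmac.compare_digest(code, rolling_identifier(key, interval)):
                    hits += 1
        return hits


def simulate() -> dict:
    # Constructed, fixed keys so the run is repeatable; a real phone would draw random keys.
    alice = Phone("alice", hashlib.sha256(b"alice-day-1").digest()[:16])
    bob = Phone("bob", hashlib.sha256(b"bob-day-1").digest()[:16])
    carol = Phone("carol", hashlib.sha256(b"carol-day-1").digest()[:16])
    for interval in (10, 11):  # alice and bob share a room for two intervals
        bob.hear(interval, alice.broadcast(interval))
        alice.hear(interval, bob.broadcast(interval))
    carol.hear(12, alice.broadcast(12))  # carol heard alice through a wall: identical log entry
    published = [alice.daily_key]  # alice tests positive; only her daily key is uploaded
    return {
        "bob_hits": bob.exposure_count(published),
        "carol_hits": carol.exposure_count(published),  # counted as exposure; the log cannot tell
        "codes_rotate": bob.seen[0][1] != bob.seen[1][1],  # no stable handle to redact by
        "bob_log": [code.hex() for _, code in bob.seen],  # what a "review before upload" would show
    }
```

Run `simulate()` to see that Bob's log is two unrelated hex strings, which is all a pre-upload review screen could present to him.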
Other countries are pressing ahead with contact tracing apps. Reuters reports that Italy is about to begin testing an app which meets European privacy standards but does not use the Apple/Google coronavirus contact tracing API. Other European countries are moving at a slower pace.
A separate Reuters report notes that an Australian app is already in use, based on the Singapore one. This does not have the same privacy protections as the EU and Apple/Google approaches.