Apple-Google Exposure Notification system worthless due to privacy policies, health expert...

Posted in General Discussion, edited May 2020
As Apple and Google work to build out a so-called "Exposure Notification" API and accompanying operating system-level assets to help monitor the spread of COVID-19, health experts argue the companies' overly stringent privacy policies will render the solution useless out of the gate.

Experts in the field, including those currently building digital contact tracing apps for government health authorities, expressed concern about the Apple-Google system in a Friday exposé published by The Washington Post.

Specifically, officials are concerned about data sharing restrictions that are baked into the Exposure Notification API. Without access to geolocation data and other important user information, public health agencies building apps on the framework are at a disadvantage, some experts say. Further, Apple is preventing access to iPhone's Bluetooth communications stack, meaning contact tracing apps are forced to run in the foreground to be effective.

Though they decry the Apple-Google solution, it appears that interviewed experts have little to no knowledge of how the system is designed to function.

For example, Helen Nissenbaum, a professor of information science and director of the Digital Life Initiative at Cornell University, called the companies' leveraging of consumer privacy in defence against PHA access to smartphone technology a "flamboyant smokescreen." Nissenbaum said it was ironic that two tech firms who "for years tolerated the mass collection of people's data" are now preventing access to information that could be vital to public health, according to the report.

"If it's between Google and Apple having the data, I would far prefer my physician and the public health authorities to have the data about my health status," Nissenbaum said. "At least they're constrained by laws."

Apple and Google have consistently positioned user privacy as a guiding feature of the Exposure Notification platform, an asset that the companies contend will lead to greater adoption.

The system does not store data on central servers run by Apple or Google, but instead silos anonymized Bluetooth beacons -- contact information -- on user devices until participants elect to share the information with an outside party. If and when a user is diagnosed with COVID-19, they can opt to upload a 14-day list of recent contacts (again, anonymized) to a distribution server, which matches beacon IDs and sends out notifications alerting those individuals that they came in close contact with a carrier of the virus. Doctors can also peruse the data, if such access is granted.

Indeed, governments have bemoaned Apple and Google's reluctance to store Exposure Notification data on centralized servers, a decision made in part to protect sensitive information and in part to prevent potential mission creep. Britain's NHS, for example, is testing its own contact tracing app with a centralized data storage scheme. Without Apple and Google's help, however, the system has encountered problems.

Matt Stoller, director of research at the American Economic Liberties Project, is another critic quoted by The Post.

"They are exercising sovereign power. It's just crazy," Stoller said, adding that Apple and Google have "decided for the whole world that it's not a decision for the public to make. You have a private government that is making choices over your society instead of democratic governments being able to make those choices."

Both Apple and Google are operating within strict telecommunications and trade regulations and offer the COVID-19 tracking initiative as a service to customers. Here, Stoller does not seem to have a base understanding of the technology industry or the apparatus that controls it. He appears to be advocating for an alternative that would, by proclamation, enlist the companies to open aspects of iOS and Android to overarching government oversight.

The report also mentions North Dakota's efforts to augment traditional contact tracing programs with digital logs stored on a user's smartphone. State officials initially hoped the Apple-Google solution would provide a boost to the app, but restrictions have prompted developers to start from scratch. Instead of a single piece of software, the state is building one app for contact tracing teams and another that integrates the Exposure Notification API.

"Every minute that ticks by, maybe someone else is getting infected, so we want to be able to use everything we can," said Vern Dosch, contact tracing liaison for North Dakota. "I get it. They have a brand to protect. I just wish they would have led with their jaw."

The report goes on to suggest that, despite causing issues for PHAs, the privacy protocols might be for naught. Some health officials, like assistant professor of medicine at the University of California at San Francisco, Mike Reid, are dubious that tech companies can maintain high levels of privacy protection. Reid is training contact tracers in California.

"We go to pains to minimize the amount of data we take from people and we ask consent from people we're talking to on the phone. We go to considerable lengths to ensure there are strong technical controls to ensure the anonymization of our platforms," Reid said. "Can you say the same thing about these big tech companies? I'm not sure."

Distilling the complexities, and perhaps misunderstandings, surrounding the Apple-Google initiative is a somewhat contradictory statement from former chief technologist of the Federal Trade Commission, Ashkan Soltani.

"We've overcompensated for privacy and still created other risks and not solved the problem," Soltani said. "I'd personally be more comfortable if it were a health agency that I trusted and there were legal protections in place over the use of the data and I knew it was operated by a dedicated security team."

Apple and Google released initial APIs for their Exposure Notification system in late April ahead of a public launch expected for mid-May.

Comments

  • Reply 1 of 98
    larryjw Posts: 1,031 member
    It seems the Apple Google system is based on the PACT Protocol (Private Automated Contact Tracing).

    See https://pact.mit.edu
    edited May 2020
  • Reply 2 of 98
    viclauyyc Posts: 849 member
    Sure let every city, every town make their app and host their own data. I am sure they are fully equipped to protect the data from hackers and foreign agencies.

    Not to mention I need to download a new app whenever I go to a different town. I am sure everyone will follow the rules.
  • Reply 3 of 98
    emoeller Posts: 577 member
    No good deed goes unpunished....
  • Reply 4 of 98
    Rayz2016 Posts: 6,957 member
    Oh, the whining …

    And I see the users in the UK trial are complaining about the battery drain, as predicted by just about everybody outside NHSX. 

    Next step for the UK: a humiliating climb down smothered in a pack of lies designed to make it look as though this was the plan all along. 

    “Our original system was designed to provide a test baseline for the eventual rollout of our app using the Apple/Google API. We are pleased to report that the real system, which we always planned to release, is working exactly as we intended.”
  • Reply 5 of 98
    apple ][ Posts: 9,233 member
    To be honest, I don't think that any of the solutions are going to be that effective, regardless of how well they are made or implemented, simply because I don't think that enough people will be using them.

    Will a tracking system really be effective if a great percentage of people won't bother to install or if they refuse to be a part of the system, no matter which system that may be?
    edited May 2020
  • Reply 6 of 98
    jimh2 Posts: 631 member
    It’s as if these states and localities think they can outdo Apple and Google engineers. The hubris of having other people’s money (taxes) to blow in what will be a failure.
  • Reply 7 of 98
    anantksundaram Posts: 20,405 member
    Why even bother...
  • Reply 8 of 98
    nlrz Posts: 11 member
    You have a private ... that is making choices over your society instead of democratic governments being able to make those choices."

    I'm sorry, the "democratic government" lost all technological credibility when they voted against network neutrality.


  • Reply 9 of 98
    Sad how much bad press Apple gets for its privacy-first approach. 
  • Reply 10 of 98
    dutchlord Posts: 223 member
    No way I am going to use any covid app. I don’t trust any of the parties involved. 
  • Reply 11 of 98
    hucom2000 Posts: 149 member
    Sad how much bad press Apple gets for its privacy-first approach. 
    I think maybe Apple’s mistake was to partner with Google. 

    Apple has been diligent about protecting its users’ data for a long time. Google on the other hand had to be forced by law to take steps toward respecting its users’ privacy.

    It seems like a terrible move to throw yourself in the same basket with Google out of all companies. 

    But maybe there are technological reasons for the collaboration.
  • Reply 12 of 98
    xbit Posts: 391 member
    Rayz2016 said:
    Oh, the whining …

    And I see the users in the UK trial are complaining about the battery drain, as predicted by just about everybody outside NHSX. 

    Next step for the UK: a humiliating climb down smothered in a pack of lies designed to make it look as though this was the plan all along. 

    “Our original system was designed to provide a test baseline for the eventual rollout of our app using the Apple/Google API. We are pleased to report that the real system, which we always planned to release, is working exactly as we intended.”
    The elephant in the room is that Apple’s new API will only work on devices running the very latest version of iOS (and the same for Android). This kind of app requires mass adoption so Apple and Google's new API is next to useless.

    NHSX were right to explore alternatives.
  • Reply 13 of 98
    svanstrom Posts: 702 member
    dutchlord said:
    No way I am going to use any covid app. I don’t trust any of the parties involved. 
    Then throw out your phone this instant.

    Apple could easily force push out a "critical" update that grabs more information than you ever could imagine; a whole cloud of millions of phones, tablets, and computers, scanning everything around them.

    So, hey, if you don't trust any of the parties involved you're pretty much screwed.

    You could of course try to explain this away by talking about how skilled you are at limiting what your phone is able to do, what apps you install etc; which means nothing if they push out an update, and means even less considering the data already available to phone and network companies simply for your stuff to function as just the most basic connected devices.

    All this tracking could for instance be implemented at a network level where they use triangulation data to calculate the risks to individuals, which are at a certain risk level then targeted with an sms telling them that they should go to one of a list of providers doing COVID-19 testing.

    Besides, the odds are pretty much up there that your phone company is already selling your location data; depending on the local laws they've just (more or less) anonymised it first.
  • Reply 14 of 98
    svanstrom Posts: 702 member
    hucom2000 said:
    Sad how much bad press Apple gets for its privacy-first approach. 
    I think maybe Apple’s mistake was to partner with Google. 

    Apple has been diligent about protecting its users’ data for a long time. Google on the other hand had to be forced by law to take steps toward respecting its users’ privacy.

    It seems like a terrible move to throw yourself in the same basket with Google out of all companies. 

    But maybe there are technological reasons for the collaboration.
    If nearly every unit out there spoke its own flavour of tracking-codes there'd be no tracking at all done; so they had to collaborate with Google to make it a viable system while protecting users' privacy.
  • Reply 15 of 98
    svanstrom Posts: 702 member
    xbit said:
    Rayz2016 said:
    Oh, the whining …

    And I see the users in the UK trial are complaining about the battery drain, as predicted by just about everybody outside NHSX. 

    Next step for the UK: a humiliating climb down smothered in a pack of lies designed to make it look as though this was the plan all along. 

    “Our original system was designed to provide a test baseline for the eventual rollout of our app using the Apple/Google API. We are pleased to report that the real system, which we always planned to release, is working exactly as we intended.”
    The elephant in the room is that Apple’s new API will only work on devices running the very latest version of iOS (and the same for Android). This kind of app requires mass adoption so Apple and Google's new API is next to useless.

    NHSX were right to explore alternatives.
    There's almost never anything wrong with exploring alternatives; but there's a difference between having a bunch of us nerds in a room arguing about best approaches, and butthurt politicians running to the press crying about how the evil tech giants won't allow them to track every person in the world.

    As far as the new API being next to useless… well… at least people on the Apple-side of the aisle are quite good at keeping their phones updated, and the app could simply launch a huge "push here to update your phone to a compatible level"-button if it isn't. So no need to call it "next to useless" before it's actually tried; because it could be just that level of extra needed to "flatten the curve" just right.
  • Reply 16 of 98
    gregoriusm Posts: 514 member
    svanstrom said:
    xbit said:
    Rayz2016 said:
    Oh, the whining …

    And I see the users in the UK trial are complaining about the battery drain, as predicted by just about everybody outside NHSX. 

    Next step for the UK: a humiliating climb down smothered in a pack of lies designed to make it look as though this was the plan all along. 

    “Our original system was designed to provide a test baseline for the eventual rollout of our app using the Apple/Google API. We are pleased to report that the real system, which we always planned to release, is working exactly as we intended.”
    The elephant in the room is that Apple’s new API will only work on devices running the very latest version of iOS (and the same for Android). This kind of app requires mass adoption so Apple and Google's new API is next to useless.

    NHSX were right to explore alternatives.
    There's almost never anything wrong with exploring alternatives; but there's a difference between having a bunch of us nerds in a room arguing about best approaches, and butthurt politicians running to the press crying about how the evil tech giants won't allow them to track every person in the world.

    As far as the new API being next to useless… well… at least people on the Apple-side of the aisle are quite good at keeping their phones updated, and the app could simply launch a huge "push here to update your phone to a compatible level"-button if it isn't. So no need to call it "next to useless" before it's actually tried; because it could be just that level of extra needed to "flatten the curve" just right.

    Or save even one life... 
  • Reply 17 of 98
    entropys Posts: 4,192 member
    Rayz2016 said:
    Oh, the whining …

    And I see the users in the UK trial are complaining about the battery drain, as predicted by just about everybody outside NHSX. 

    Next step for the UK: a humiliating climb down smothered in a pack of lies designed to make it look as though this was the plan all along. 

    “Our original system was designed to provide a test baseline for the eventual rollout of our app using the Apple/Google API. We are pleased to report that the real system, which we always planned to release, is working exactly as we intended.”
    It makes sense they would try to do it on their own because then they would have total control over the privacy protocols and what it can be used for. Megalomaniacs.
  • Reply 18 of 98
    apple ][ Posts: 9,233 member

    Or save even one life... 
    No sorry, they will just have to die. One life is not worth it.

    The saving 1 life argument is a very silly one to make in my opinion.


  • Reply 19 of 98
    DAalseth Posts: 2,802 member
    Doctor’s Disease. That’s what we called it years ago. Just because the person was a medical Doctor they would think they knew best about everything, from running a business to fixing their radio. We had Doctors absolutely blow up at us because we wouldn’t do something the way they thought it should be done, whether it violated laws or not. Whether it might literally kill them or not. 

    So in this case these Doctors think they know better than professional programmers how a system should be programmed to run and better than professional data security people how private data should be handled. Plus as the article pointed out their own complaints show that they don’t really know how the Apple/Google system actually works. Typical Doctor’s Disease. If they think they know how to do it better they need to get off their collective @$$es and do it. Nothing is forcing them to use the Apple/Google APIs.

    Other than the fact that they don’t know how. 
  • Reply 20 of 98
    jcs2305 Posts: 1,337 member
    apple ][ said:

    Or save even one life... 
    No sorry, they will just have to die. One life is not worth it.

    The saving 1 life argument is a very silly one to make in my opinion.


    Unless it was your life saved, or a person you cared very much about. Then there would be no mention of silliness.  🤦‍♂️ 