Contact-Tracing Apps: Apple Dictating Policies to Nations Won't Help Its EU Anti-trust Probe

Farknot Architect/Shutterstock.com

Apple’s approach arguably fits a wider narrative about the company being heavy-handed in determining what apps are allowed on iPhones.

There’s a growing problem with Apple’s role in the contact-tracing apps that countries are developing to help fight the coronavirus pandemic. This has been underlined by the UK’s announcement that its long-awaited NHSx app is being parked in favour of a different model recommended by Apple and Google.

Apple is effectively dictating to governments the privacy levels that their contact-tracing apps must meet. Unless apps meet Apple’s requirements, they can’t get access to Bluetooth in the background on users’ phones, which is essential for the apps to work properly (Google takes a more laissez-faire approach, without these restrictions).

Apple’s approach arguably fits a wider narrative about the company being heavy-handed in determining what apps are allowed on iPhones. The company has just been made the subject of an EU antitrust investigation for similar reasons. There are also limitations to the alternative Apple/Google model that could make contact-tracing apps less effective.

What Apple Wants …

Contact-tracing apps aim to prevent the spread of the coronavirus by monitoring who a person comes into contact with. If any contact is likely to be infected, the app triggers a warning telling the user to self-isolate and get tested. Such apps have already launched in numerous countries.

The UK’s approach had been to hold the data used by the app to determine who is probably infected in a central database. But this fell foul of Apple’s restrictions, which favour keeping the data on people’s phones instead – the so-called decentralised model.

As UK Health Secretary Matt Hancock said, the NHSx app might have worked but for Apple’s unwillingness to negotiate on the restrictions. Developers also have to contend with a special addendum to the App Store’s standard legal agreement.

Apple did not reply to requests for comment in time for publication. Google welcomed the UK announcement and said that its approach had been developed “based on consultation with public health experts around the world, including in the UK, to ensure that our efforts are useful to authorities as they build their own apps to limit the spread of COVID-19, while ensuring privacy and security are central to the design”.

Apple’s restrictions have meant that the UK’s intended app could only recognise around 4% of iPhones in some circumstances. Google supports the same decentralised approach, but only Apple insists on it by preventing users from installing apps on an iPhone unless they come from the App Store. Absent the same restrictions on Android phones, the app was recognising users around 75% of the time.

Google and Apple have justified their restrictions as being to protect user privacy. And, indeed, privacy advocates favour their model. Privacy is certainly pivotal to user confidence in contact-tracing apps, but it’s less clear where the line should be drawn.

There are important limitations to the Apple/Google approach. For one thing, it doesn’t allow apps to share the type of phone each person uses. The NHSx app used this to more accurately estimate the distance between people, to reduce false-positive alerts. The decentralised system sends alerts only after a user has reported that they have tested positive for the virus. Unlike centralised apps, it can’t base alerts on factors like the modelled risk from an infectious individual, which draws on information about symptoms users have been reporting through the app.

Waiting on a confirmed test result might well be too late to prevent the virus from spreading. The virus is believed to have a median incubation time of around 5.1 days, and scientists believe that people may be contagious from around two days before they experience symptoms, and at their most contagious before symptoms begin.

The Bigger Picture

For a tech company to be telling a government what to do is an interesting sign of our times. France, too, clashed with the iPhone operating system maker. In the end, it launched a centralised app earlier in June that destroys all information held after 14 days. The French app doesn’t have access to Apple’ background Bluetooth system either, despite their attempts, so we will see how well it performs.

Privacy is undoubtedly important, but this situation raises wider questions about tech companies in modern life. Much of the EU’s new anti-trust investigation into Apple relates to how the company charges a cut of up to 30% for payments on the App Store to the third-party apps it carries. These compete with apps that Apple itself makes, on the platform whose rules it sets.

With contact-tracing apps, Apple won’t be charging developers for access or really making any money from them. But like with third-party apps more generally on the App Store, Apple acts as a gatekeeper. If you want to make an app available to the 51% of UK smartphone users with iPhones, you have to do what Apple says. Even if you’re an elected government amid a pandemic.

There has been much discontent among app developers about Apple’s level of control over access to the App Store, and what some perceive as subjective and inconsistent application of the rules. Much recent focus has centred on an email service called Hey, which drew attention to these issues after being threatened with removal from the store.

In the end, the situation has been resolved after Basecamp launched a free “lite” version of Hey on iPhones, which encourages Mac users to download a paid-for version from the company’s website. This chimes with how many providers, notably Spotify and Netflix, get around the Apple payments rule by not allowing customers to either make orders or sign up for paid services on the iPhone app.

Dictating terms to companies is one thing; dictating to countries during a global pandemic is another. Apple’s position may be about preserving users’ privacy, but the timing is unfortunate when some of its restrictions on third-party apps are to be investigated by the EU.

The UK government says it will try to work with Apple and Google to improve their model of tracing, with an app now potentially only coming in winter. But given some of the inherent limitations of the decentralised model compared to the NHSx approach, it remains to be seen how effective this will be – especially if some key advantages are lost through requiring coronavirus tests, and not being able to model the risk to individual users to make alerts more accurate.

Greig Paul is the lead mobile networks and security engineer at University of Strathclyde.

The ConversationThis article is republished from The Conversation under a Creative Commons license. Read the original article.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.