Google and Apple, both giants of the technology world, are otherwise fierce rivals in every sense of the word. But with the ongoing COVID-19 pandemic seeing no end, the two companies have now joined forces to roll out a contact tracing smartphone app that will alert users whenever they come in contact with carriers of the deadly virus.
The rare collaboration comes as governments across the world look towards tech giants for crisis solutions that don’t jeopardize user privacy. Public health experts across the world have been stating for a while that smartphones could provide a solution to an urgent need for quick, extensive contact tracing.
But what is contact tracing, and if it is as simple as it sounds, why haven’t tech companies been able to crack the code and develop a simple cross-platform app? Well, the answer to that question is far more complicated than you think. While contact tracing does mean tracking infected people and checking whom they come in contact with as they move through the world, it also means collecting sensitive user data.
How are contact-tracing apps expected to work?
Proponents of a smartphone-based contact-tracing approach point out that many people already own smartphones, which are frequently used to track users’ movements and interactions.
“Contact tracing makes it possible to combat the spread of the COVID-19 virus by alerting participants of possible exposure to someone who they have recently been in contact with, and who has subsequently been positively diagnosed as having the virus,” Apple said in one of the technical documents it released.
But the wider challenge at hand appears to be that of data privacy.
GPS and cell site information, for example, aren’t suitable for contact tracing because they aren’t reliable when it comes to tracing close physical interactions. Instead, developers are focusing on apps that trace proximity using Bluetooth signal strength to determine whether two smartphones were close enough together for their users to transmit a virus. There have been several different proposals for such Bluetooth-based proximity tracking, but the approach is mostly the same.
As per Apple and Google’s common API approach, the app broadcasts a unique identifier over Bluetooth that other, nearby smartphones can detect. To protect privacy, each phone’s identifier is rotated frequently to make third-party tracking almost impossible.
When two users of the app come near each other, both apps estimate the distance between them using Bluetooth signal strength. If the apps estimate that they are less than approximately six feet apart for a sufficient period of time, the apps exchange identifiers. Each app logs an encounter with the other’s identifier. The users’ location is not necessary, as the application only needs to know if the users are sufficiently close together to create a risk of infection.
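The rotation and encounter-logging steps described above can be sketched as follows. This is an added example, not Apple’s or Google’s specification or code: the HMAC-based derivation, the rotation interval, the five-minute contact threshold and the signal-strength calibration are all assumptions chosen for illustration, and the sightings are constructed sample data.

```python
import hashlib
import hmac

ROTATION_S = 15 * 60    # assumed rotation interval for the broadcast identifier
SCAN_S = 60             # assumed gap between Bluetooth scans
MAX_DISTANCE_M = 1.8    # "approximately six feet"
MIN_CONTACT_S = 5 * 60  # assumed meaning of "a sufficient period of time"
RSSI_AT_1M = -59.0      # assumed calibration: signal strength at one metre (dBm)
PATH_LOSS_EXP = 2.0     # assumed free-space path-loss exponent


def rolling_id(device_key: bytes, unix_time: int) -> bytes:
    """Identifier broadcast during the rotation interval containing unix_time."""
    interval = unix_time // ROTATION_S
    mac = hmac.new(device_key, interval.to_bytes(8, "big"), hashlib.sha256)
    return mac.digest()[:16]


def estimate_distance_m(rssi_dbm: float) -> float:
    """Log-distance path-loss model; real-world RSSI is far noisier than this."""
    return 10 ** ((RSSI_AT_1M - rssi_dbm) / (10 * PATH_LOSS_EXP))


def encounters(sightings):
    """sightings: (unix_time, identifier, rssi_dbm) per scan. Returns logged ids."""
    close_seconds = {}
    for _, ident, rssi in sightings:
        if estimate_distance_m(rssi) <= MAX_DISTANCE_M:
            close_seconds[ident] = close_seconds.get(ident, 0) + SCAN_S
    # No location and no contact details are stored, only opaque identifiers.
    return {i for i, secs in close_seconds.items() if secs >= MIN_CONTACT_S}


# Constructed sample data: three nearby phones seen over eight one-minute scans.
T0 = 1_585_999_800  # start of a rotation interval
KEY_NEAR, KEY_FAR, KEY_BRIEF = b"k-near" * 4, b"k-far!" * 4, b"k-brief" * 4
SIGHTINGS = []
for minute in range(8):
    t = T0 + minute * SCAN_S
    SIGHTINGS.append((t, rolling_id(KEY_NEAR, t), -60.0))   # ~1.1 m, 8 min
    SIGHTINGS.append((t, rolling_id(KEY_FAR, t), -80.0))    # ~11 m, 8 min
    if minute < 2:
        SIGHTINGS.append((t, rolling_id(KEY_BRIEF, t), -55.0))  # close, 2 min

if __name__ == "__main__":
    logged = encounters(SIGHTINGS)
    print(len(logged), "encounter(s) logged")
    print("same phone, next interval differs:",
          rolling_id(KEY_NEAR, T0) != rolling_id(KEY_NEAR, T0 + ROTATION_S))
```

Only the phone that stayed within range for long enough is logged, and an observer without the device key cannot link that phone’s identifier in one interval to its identifier in the next.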
How is the government’s Aarogya Setu app approach different?
You might have come across this name in an SMS circulated in the public interest by the Department of Telecom of late: Aarogya Setu is a contact-tracing app developed by the Government of India to help users determine if they have been in the proximity of COVID-19 affected patients.
As opposed to a co-developed API though, apps like Aarogya Setu rely on one or more central authorities that have privileged access to information about users’ devices. In this model, the central authority (or government ministry) keeps a database that maps app identifiers to contact information. When a user tests positive, their app uploads a list of all the identifiers it has come into contact with over the past two weeks.
The central authority then looks up those identifiers in its database, and uses phone numbers or email addresses to reach out to other users who may have been exposed. This places a lot of user information out of users’ own control and in the hands of the government, putting it at risk from hackers.
An analysis of the Aarogya Setu app by experts at a Paris-based cybersecurity consultancy named Defensive Lab Agency further reveals information which could frighten privacy seekers. The app gathers a user’s identity, tracks their movement in real time, and also continuously checks if other people who have downloaded the app are in the proximity of the user.
This allows the Aarogya Setu app to create a social graph of a user by tracking everyone they have been close to. Combining this data with existing government databases (like Aadhaar) can exponentially increase the government’s powers of surveillance.
The concept of such an app isn’t an original idea though. TraceTogether is a similar app developed for the government of Singapore which requires all users to share their contact information with the app’s administrators.
How is Google and Apple’s approach better than Aarogya Setu?
Both approaches do attempt to achieve the same goal, but Google and Apple’s approach seems to be a much safer, more accurate bet for reasons I’ve already talked about.
Traditionally, any proximity app creates new risks for users. A log of a user’s proximity to other users could be used to show who they associate with and to try to gauge what they are up to. Fear of disclosure of such proximity information might chill users from even downloading an app which attempts to trace the COVID-19 spread, a task which is so important.
But then again, almost every other smartphone-based internet service does a similar job of tracking and reporting your location (from a Fitbit to GPS-based AR games like Pokemon Go). Just carrying a mobile phone often brings the risk of tracking through cell tower triangulation. Thousands of users are duped into “opting in” to services like Google’s location services, which keep a detailed log of everywhere they have gone. Facebook attempts to quantify associations between people through myriad signals, including using face recognition to extract data from photographs, linking accounts to contact data, and mining interactions. But in this case, simply knowing that the data collected is anonymous and safe from third-party hacking is reassuring to a certain point.
The other encouraging fact is that Apple and Google will not be doing the contact tracing themselves, but are making their smartphone platforms available for governments and NGOs. This will ensure governments and health agencies use the framework to develop apps which are more effective. In the case of our own government, it will be a worthwhile switch to a more reliable form of tracing within cities once the first phase of the platform does go live next month.