“It’s definitely possible that some evil advertiser could use this to augment their data sets,” Green says. “But, gosh, it really requires a lot of evil. And it seems to me like a small case.”
Keeping ad tracking as an unlikely scenario, of course, depends on Apple and Google continuing to deny advertisers access to the API—or deprecating the feature altogether—after the coronavirus threat fades.
Will Contact-Tracing Apps Also Ask for Location Data?
Tracing Covid-19 infections based on Bluetooth contacts rather than GPS location data avoids a huge privacy concern. The latter, after all, can be used as evidence of everything from extramarital affairs to political dissent. But some critics have pointed out that contact-tracing apps that use Google and Apple’s Bluetooth-tracing functionality will inevitably ask for location data anyway.
They may want to do so to make the system more efficient, argued cryptographer Moxie Marlinspike, creator of the popular encrypted communications app Signal, in a series of tweets following Apple and Google’s announcement. According to the initial description of Apple and Google’s API, every app user’s phone would have to download the keys of every newly diagnosed Covid-19 person every day, which would quickly add up to a significant load of data. “If moderate numbers of smartphone users are infected in any given week, that’s 100s of [megabytes]” for every phone to download, Marlinspike wrote. “That seems untenable.” Instead, apps could better determine who needs to download which keys by collecting location data, sending users only the keys relevant to their area of movement.
Representatives from Google and Apple’s joint project and the TCN Coalition had the same response to this point: If the app simply asks the user for their region, that very general location would allow the app to download a manageable number of keys. By both groups’ back-of-the-napkin math, telling the app what country you’re in would reduce the daily key download to just a megabyte or two, no GPS tracking required.
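The trade-off in the two paragraphs above, as an added example that is not code from Apple, Google or the TCN Coalition: a small Python model of the "download every diagnosed key and match locally" design. It assumes one 16-byte key per diagnosed user per day, 14 days of keys per report, identifiers that rotate every 10 minutes, and an HMAC-SHA256 derivation of rolling identifiers from a daily key (a stand-in for the real derivation, which the article does not describe). All diagnosed users, regions and observed identifiers are constructed in the code.

```python
import hashlib
import hmac
import random

KEY_BYTES = 16           # assumption: one 16-byte daily key per diagnosed user
DAYS_REPORTED = 14       # assumption: a positive report publishes the last 14 daily keys
INTERVALS_PER_DAY = 144  # assumption: rolling identifiers rotate every 10 minutes


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Derive the 16-byte identifier a phone broadcasts over Bluetooth during one interval.

    Assumption: HMAC-SHA256 of the interval number under the daily key, truncated.
    The point is only that identifiers are recomputable from the key, so a phone
    that downloads a key can check it against identifiers it overheard.
    """
    mac = hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()
    return mac[:KEY_BYTES]


def download_bytes(num_diagnosed: int, days: int = DAYS_REPORTED, key_bytes: int = KEY_BYTES) -> int:
    """Size of the daily key bundle every phone must fetch for num_diagnosed reports."""
    return num_diagnosed * days * key_bytes


def make_diagnosed_keys(num_users: int, regions: list, rng: random.Random) -> list:
    """Constructed dataset: each diagnosed user publishes DAYS_REPORTED keys tagged with a coarse region."""
    published = []
    for i, _ in enumerate(range(num_users)):
        region = regions[i % len(regions)]
        keys = [bytes(rng.getrandbits(8) for _ in range(KEY_BYTES)) for _ in range(DAYS_REPORTED)]
        published.append((region, keys))
    return published


def keys_for_region(published: list, region: str) -> list:
    """Region-scoped download: only the key bundles reported for the user's self-declared region."""
    return [keys for r, keys in published if r == region]


def find_matches(observed: set, key_bundles: list) -> int:
    """Local matching: expand each downloaded key into its identifiers, count hits in what this phone saw."""
    matches = 0
    for keys in key_bundles:
        for key in keys:
            for interval in range(INTERVALS_PER_DAY):
                if rolling_identifier(key, interval) in observed:
                    matches += 1
    return matches


def simulate(num_diagnosed: int = 60, seed: int = 1) -> dict:
    """Compare full versus region-scoped downloads on one constructed phone's observations."""
    rng = random.Random(seed)
    regions = ["A", "B", "C"]
    published = make_diagnosed_keys(num_diagnosed, regions, rng)

    # Constructed encounter: this phone overheard diagnosed user 0 (region A) on day 3,
    # during three consecutive 10-minute intervals.
    contact_key = published[0][1][3]
    observed = {rolling_identifier(contact_key, i) for i in (10, 11, 12)}
    # Plus identifiers from phones that never reported positive (noise).
    observed |= {bytes(rng.getrandbits(8) for _ in range(KEY_BYTES)) for _ in range(200)}

    everything = [keys for _, keys in published]
    region_a = keys_for_region(published, "A")
    region_b = keys_for_region(published, "B")
    return {
        "full_download_bytes": download_bytes(len(everything)),
        "region_A_download_bytes": download_bytes(len(region_a)),
        "full_matches": find_matches(observed, everything),
        "region_A_matches": find_matches(observed, region_a),
        "region_B_matches": find_matches(observed, region_b),
    }


if __name__ == "__main__":
    print("1,000,000 diagnosed users, unscoped:", download_bytes(1_000_000), "bytes per phone per day")
    print("10,000 diagnosed users in one country:", download_bytes(10_000), "bytes per phone per day")
    print(simulate())
```

Under these assumptions a million diagnosed users worldwide would cost every phone about 224 MB per day, in line with Marlinspike's "hundreds of megabytes" concern, while scoping the download to a country with ten thousand reports brings it to a little over 2 MB, which is the point the Google/Apple and TCN responses make. The matching itself never leaves the phone: the server only ever learns which region a user chose, not where the contact happened.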
That doesn’t mean some apps using Google and Apple’s API won’t ask for location data anyway. Health care organizations may miss the point of a system that avoids using GPS, or simply want the extra data to help better track infections. Google and Apple point out that if a location-tracing app wants to use GPS, it will need to first ask permission from the user, just as any app does.
But the question of location data points to a larger issue: Google and Apple can only point developers toward the most privacy-preserving approach. Every app will need to be judged independently on how it implements that framework. “There are a lot of additional problems that an app developer would need to work through in order to ship a product,” Marlinspike wrote. “That can possibly be done responsibly, but Apple/Google aren’t doing it for us.”
Can the App Itself Identify Covid-19 Patients?
Bluetooth-based Covid-19 contact-tracing schemes are designed to upload no data from most users, and only anonymous data from people who are infected. But they still upload some data from users who report themselves as positive. That raises the question of whether the upload can truly be anonymous, given how hard it is to move any data across the internet without someone learning where it came from.
Even if the keys that the app uploads to a server can’t identify someone, they could, for instance, be linked with the IP addresses of the phones that upload them. That would let whoever runs that server—most likely a government health care agency—identify the phones of people who report as positive, and thus their locations and identities.