When the notion of enlisting smartphones to help fight the Covid-19 pandemic first surfaced last spring, it sparked a months-long debate: Should apps collect location data, which could help with contact tracing but potentially reveal sensitive information? Or should they take a more limited approach, only measuring Bluetooth-based proximity to other phones? Now, a broad survey of hundreds of Covid-related apps reveals that the answer is all of the above. And that’s made the Covid app ecosystem a kind of wild, sprawling landscape, full of potential privacy pitfalls.
Late last month Jonathan Albright, director of the Digital Forensics Initiative at the Tow Center for Digital Journalism, released the results of his analysis of 493 Covid-related iOS apps across dozens of countries. His study of those apps, which tackle everything from symptom-tracking to telehealth consultations to contact tracing, catalogs the data permissions each one requests. At WIRED’s request, Albright then broke down the data set further to focus specifically on the 359 apps that handle contact tracing, exposure notification, screening, reporting, workplace monitoring, and Covid information from public health authorities around the globe.
The results show that only 47 of that subset of 359 apps use Google and Apple’s more privacy-friendly exposure-notification system, which restricts apps to only Bluetooth data collection. More than six out of seven Covid-focused iOS apps worldwide are free to request whatever privacy permissions they want, with 59 percent asking for a user’s location when in use and 43 percent tracking location at all times. Albright found that 44 percent of Covid apps on iOS asked for access to the phone’s camera, 22 percent of apps asked for access to the user’s microphone, 32 percent asked for access to their photos, and 11 percent asked for access to their contacts.
“It’s hard to justify why a lot of these apps would need your constant location, your microphone, your photo library,” Albright says. He warns that even for Covid-tracking apps built by universities or government agencies—often at the local level—that introduces the risk that private data, sometimes linked with health information, could end up out of users’ control. “We have a bunch of different, smaller public entities that are more or less developing their own apps, sometimes with third parties. And we don’t we don’t know where the data’s going.”
The relatively low number of apps that use Google and Apple’s exposure-notification API compared to the total number of Covid apps shouldn’t be seen as a failure of the companies’ system, Albright points out. While some public health authorities have argued that collecting location data is necessary for contact tracing, Apple and Google have made clear that their protocol is intended for the specific purpose of “exposure notification”—alerting users directly to their exposure to other users who have tested positive for Covid-19. That excludes the contact tracing, symptom checking, telemedicine, and Covid information and news that other apps offer. The two tech companies have also restricted access to their system to public health authorities, which has limited its adoption by design.
But Albright’s data nonetheless shows that many US states, local governments, workplaces, and universities have opted to build their own systems for Covid tracking, screening, reporting, exposure alerts, and quarantine monitoring, perhaps in part due to Apple and Google’s narrow focus and data restrictions. Of the 18 exposure-alert apps that Albright counted in the US, 11 use Google’s and Apple’s Bluetooth system. Two of the others are based on a system called PathCheck Safeplaces, which collects GPS information but promises to anonymize users’ location data. Others, like Citizen Safepass and the CombatCOVID app used in Florida’s Miami-Dade and Palm Beach counties, ask for access to users’ location and Bluetooth proximity information without using Google’s and Apple’s privacy-restricted system. (The two Florida apps asked for permission to track the user’s location in the app itself, strangely, not in an iOS prompt.)