I made a mistake. On May 20, 2020 I updated my phone without thinking. I wrote about this very issue and yet my lizard brain went ahead and clicked “update”.
Now Google’s COVID-19 Exposure API is on my phone. And I can’t turn it off. The best I can do is disable my Bluetooth, which isn’t a solution.
The COVID-19 notification system is worse than I originally thought. It’s not an app created by Google and Apple, it’s an API. APIs store information that developers can use in their apps. In the COVID-19 Notification API, Google and Apple handover:
- Random ID
- Positive COVID-19 results
In order for the API to work, your phones Bluetooth and Location need to be turned on. Neither are reported by the API.
“API lists a bunch of operations that developers can use, along with a description of what they do. The developer doesn’t necessarily need to know how, for example, an operating system builds and presents a “Save As” dialog box. They just need to know that it’s available for use in their app.”
How to Geek
What makes this scary is on the other end. Anyone can make an app to connect to this data. In China, people can’t enter buildings or towns unless they show a green status on their phone. Now the same thing can happen here. A government building, like the post office or DMV can deny you access unless you download their app, which connects to your phone’s COVID-19 Notification API.
“Apple and Google’s API allows public health agencies to define what constitutes potential exposure in terms of exposed time and distance, and they can tweak transmission risk and other factors according to their own standards.”
Tech Crunch
How are Apple and Google protecting our privacy? (sounds like a joke, right?)
- They encrypt all Bluetooth metadata (signal strength, specific transmitting power). These type of data could potentially lead to your personal identification.
- Any apps that try to use the API that also capture geolocation aren’t allowed to use the tracing API.
How does the Notification Exposure API know if you tested positive for COVID-19?
According to a joint statement from Apple and Google, it up to each individual to report their status in the public health app.
“if a person is diagnosed with COVID-19, it is up to them whether or not to report that in the public health app.”
Apple and Google Joint Statement
I understand that contact tracing is the best way for the CDC and public health agencies to see what’s going on with COVID-19. But I think these software updates by Apple and Google are sneaky and set a bad precedent for government and Big Tech. I’m not the only one. In a poll conducted by the Washington Post, 3 in 5 Americans say they are unwilling to use an infection alert system created by Apple or Google. But I’m willing to bet most Americans don’t know what the system looks like or that it was included in the May 20th software update.
Who is making apps to take advantage of the Notification Exposure API?
I couldn’t find any specific agencies making apps for the API. All I could find are three states that received access to the app (Alabama, South Carolina, and North Dakota).
Google was also kind enough to provide a sample app called Public Health Authority.
Here’s the terms of service for public health agencies to use the API: Exposure Notifications Service Additional Terms.
Public Health Terms of Service Highlights
You can only use the Exposure Notification Service if your app:
- Is published through Google Play by or on behalf of a government public health authority, limited to one app per country unless the country has a regional approach, or as otherwise permitted by Google;
- Has been endorsed a relevant government public health authority.
- Discloses the public health authority and juristicion in the app’s description.
- Is used exclusively for COVID-19 response efforts and not for any other purpose, such as law-enforcement or any punitive action (e.g., individual quarantine enforcement);
- Does not require data that identifies or can be used to target an individual.
Under Data Collection and Responsibility the terms state, “you will not share this end-user personal data with Google. You may only share end-user personal data with third parties with user consent, and only as necessary for COVID-19 response efforts.”
What laws protect us from Contact Tracing APIs?
This time it looks like Google is doing it’s best to control who can use the API data and what for. (I didn’t read Apple’s TOS, Android girl here). But what’s to stop a government agency from breaking Google’s Terms of Service? And what’s to keep Apple and Google from releasing a less strict API in the future?
In April, a group of Republican senators led by Roger Wicker of Mississippi introduced the COVID-19 Consumer Data Protection Act. A group of Democrats led by Connecticut Sen. Richard Blumenthal also proposed a bill, the Public Health Emergency Privacy Act.
Both bills have important data protections and protections of our civil liberties. I hope the two groups can work together to make a comprehensive bill to protect our individualism and rights as Americans.
These bills are far from becoming law. In the mean time, we have to stay diligent. Let’s not give our rights away through ignorance. Once these types of technologies are put in place, they rarely go away.
Technology is a great leveler. The internet created a whole new age of information and knowledge. But with it comes the bad. Laws are slow to keep up with fast paced changes. We have to be careful not to make rash decisions in the wake of fear. Let’s do our best to embrace the good in tech while staying educated on each new development.
Featured Photo by Hal Gatewood on Unsplash
Coffee = Blog Fuel
If you find joy and value in what I write, please consider donating by “buying me a coffee”.
Lily Snyder 
Leave a Reply