Remember a year ago, when the first COVID contact-tracing apps were being developed, and there was a big debate about their privacy? Turns out the issue hasn’t gone away.
On Monday, it emerged that Google and Apple have been blocking England and Wales’s National Health Service (NHS) from rolling out an update to its contact-tracing app, because the change would enable the collection of location data.
Specifically, the update would have encouraged the COVID-19 app’s infected users to upload a history of the venues they have visited, so other visitors to those restaurants and shops could then be advised to book a test if multiple people at one of those places tested positive for the coronavirus.
A user can already scan a QR code when visiting a venue, so that the app on the person’s phone knows about the visit. If local authorities subsequently flag the venue as a hotspot, the app then learns this information and informs the user. The update would have largely automated that process, so alerts could go out without relying on the local authorities’ actions.
The issue is, neither Google nor Apple allows contact-tracing apps based on their technology to collect location data, because of the privacy implications. This respect for anonymity has been a significant factor in getting people to trust contact-tracing apps that use the Big Tech firms’ decentralized technology.
And so, the BBC reported, the companies blocked the NHS app’s update last week, and there is no sign of it being let through in its current form.
“The deployment of the functionality of the NHS COVID-19 app to enable users to upload their venue history has been delayed,” a Department for Health and Social Care spokesperson said in a statement. “This does not impact the functionality of the app, and we remain in discussions with our partners to provide beneficial updates to the app which protect the public.”
Neither Google nor Apple had responded to a request for comment at the time of publication.
Privacy battle
However, the Open Rights Group—a digital rights organization—indicated the companies had made the right call.
“The Government’s proposed changes to the NHS app would have a significant impact on user privacy,” ORG executive director Jim Killock said in a Monday statement.
Last year, the Open Rights Group lobbied hard for the decentralized, privacy-preserving approach that was embodied in Google and Apple’s contact-tracing tech.
At the time, the NHS was determined to avoid that technology, because it wanted a centralized database that would give it more options for data analysis. However, it had to abandon its stance a few months later, because the app it developed kept going to sleep when it wasn’t in active use—a quirk that is only overcome with the smartphone companies’ assistance.
This month’s fiasco with the NHS app update demonstrates just how much power Google and Apple have in this area. However, in this context, privacy advocates see that power as the lesser of two evils.
“While Apple and Google’s ability to prevent the Government from making changes should make us concerned, so should this Government’s propensity to grab surveillance powers and personal data, while reducing and ignoring oversight and claiming key safeguards such as impact assessments are just ‘bureaucracy,’” said Killock.
There is an alternative path for England and Wales’s NHS here, as demonstrated by their northern neighbor.
Scotland has had a venue check-in app, which allows the sharing of visit histories, since December—but it’s separate from the Scottish contact-tracing app, so there’s no clash with Google and Apple’s rules.