COVID-19 Tracking Apps
Over these last few days, both the news cycle and social media have been extensively covering the various COVID-19 contact tracking apps and APIs that are either being released or being finalized. In this briefing, we will take a look at who the major forces behind these apps are, what is being done to protect the privacy of users, and what the public opposition to the apps may teach us about privacy literacy.
Who is developing contact tracking apps?
The brief answer is - most countries as well as Apple and Google. The two tech giants have teamed up for a common goal. This is certainly rare. Instead of leaving the development of such tracking apps up to governments or the private sector - and thus expose them to widely varying levels of technological know-how and malicious intent - the developers of the two main mobile operating systems are likely better equipped to develop a technically sound solution.
Since Apple’s iOS and Google’s Android combined make up 99% of the mobile OS market, this also greatly increases potential coverage.
Notably, the solution that Apple and Google are working on is not what the end-user will work with. Instead, they aim to provide an API that will allow other developers - for example, governments - to build secure and somewhat private applications on top of it. The specifications of the API are explicitly designed to protect user privacy. However, valid concerns naturally remain.
At the same time, many governments, including Singapore, Australia, and the United Kingdom, have started rolling out their own apps. Most of the governmental apps also aim to provide high levels of privacy but are running into strong opposition. After all, the universal location tracking of citizens by their government is a deeply disturbing vision. To combat this fear, the UK government has gone as far as to announce the release of the source code of their tracking app.
What are the real risks of these tracking apps?
That is an exceptionally difficult question to answer and is best broken down into two parts:
The near term risks
In the near term, the majority of contact tracking apps will likely cause no major privacy breaches or incidents of government surveillance. This is especially true for those apps that use the API developed by Google and Apple. While theoretical attacks are possible, these require extensive resources and are unlikely to go unnoticed.
The long term risks
In the long term, risks are more significant. By creating a precedent, more tracking apps can be more easily introduced in the future. The COVID-19 contact tracking is largely transparent, voluntary. and for a good cause. But much more obscure and privacy-invading mandatory tracking apps could easily follow in the name of “protecting children”, “counter-terrorism” or any of the other standard justifications that are employed to reduce civil liberties.
Should I use the app?
We are in no position to answer this question since it heavily depends on you, your location, your government, and the upcoming continued spread of COVID-19. For what it’s worth, Reflare recommends that it’s employees install the apps provided by the governments in jurisdictions we operate in. However, we would reverse this decision if these apps became obscured or mandatory.
At the same time, it is important to note that complaining about the risks of the current generation of contact tracking apps on a platform like Facebook is akin to only eating organic food to protect your body from toxins while smoking a pack of cigarettes a day.