Many users are noticing or just starting to hear about Google and Apple’s initiative to work with local governments to provide an easy way to help users avoid getting infected with COVID-19. The idea is that a local or state government can build an app that notifies users on their phone if people nearby have tested positive for COVID-19.
This, of course, raises many questions and concerns about privacy, but a lot of people are being warned that this has been forced onto their phones already, and that just simply isn’t the case. Let’s take a look.
Every so often, an update or change to some major software that everyone uses causes a big stir on social media. For example, several years ago when the Facebook app on Android requested access to use your smartphone’s camera, some people on social media had a lot to say about it. As it turns out, Facebook lets you take pictures directly from the app, so of course you would need to give Facebook permission to your camera if you wanted to use it for that.
A lot of these shifts in technology and privacy are concerning, but they often get mixed in with a lot of misinformation. We’re not saying you shouldn’t be concerned over the giant tech companies and the data that they collect on you every day - you should, and typically do, have some control over what is gathered. The point is, we’re seeing a very similar reaction to Apple and Google’s recent COVID-19 contact tracing app framework.
No. They didn’t. Not technically. Google and Apple worked together to build a framework that app developers can use for apps that track COVID-19 cases. They didn’t sneak a COVID-19 app onto your phone without your consent.
Why are folks worried? A big part is due to social media sensationalism. We’ve seen some posts going around Facebook that read like this example:
**VERY IMPORTANT ALERT!***
A COVID-19 sensor has been secretly installed into every phone.
Apparently, when everyone was having “phone disruption” over the weekend, they were adding COVID-19 Tracker [SIC] to our phones!
If you have an Android phone, go under settings, then look for google settings and you will find it installed there.
If you are using an iPhone, go under settings, privacy, then health. It is there but not yet functional.
The App can notify you if you’ve been near someone who has been reported having COVID-19.
The post above is pretty misleading. There is no new “sensor” that Google or Apple secretly installed. Instead, during recent security updates, the two companies added a setting to enable the use of Google and Apple’s COVID-19 Exposure Notification system. This means that when official apps are developed, you not only need to install the app and set it up, but you also have to opt in to tell either Google or Apple that you want to participate.
This update is essentially two things - it gives local governments and the health industry in general the ability to use a secure, singular framework to build COVID-19 apps on, and it gives users the choice whether or not they want to opt in at all.
I can’t reiterate this enough: unless you installed something, your Android or iPhone isn’t just going to start tracking you and your friends and family to see if you have COVID-19. If you go into your settings as mentioned in the above Facebook post, you’ll see that you either need to install or finish setting up a participating app before the notifications can even be turned on.
In a joint statement from Apple and Google (which doesn’t happen very often!), they state that “What we’ve built is not an app - rather public agencies will incorporate the API into their own apps that people install.”
To explain: API stands for Application Programming Interface. Basically, Google and Apple have laid some groundwork that these apps can use. It also makes it much easier for users to opt in and out.
Ironically, the system won’t work if users don’t adopt it - if half of all users decide they won’t use the COVID-19 notification system, the system might not be reliable enough to work for those that do use it.
The system is still in its infancy, and it’s really up to state and local governments to deploy the official apps themselves. The platform that Google and Apple have built allows it to be decentralized and secure.
To put it simply, when you opt in and use one of these apps, a random ID is generated and exchanged between your phone and nearby phones within Bluetooth range. These random, anonymous IDs are stored on your phone. Basically, your phone keeps a tally of other phones it has been near.
If someone is diagnosed with COVID-19 and manually shares that information with one of the official contact tracing apps, all of the random IDs your phone has collected over the past 14 days are uploaded (with your permission) and the users of those IDs are notified that they may have been exposed. The system doesn’t track your location, or share other users’ identities within the app, or even with Google or Apple. On top of that, the random ID that your phone generates is changed every 10 to 20 minutes. According to Google, the apps are not allowed to use your phone’s location or track your location in the background.
In other words, it is safe, anonymous, and if you don’t want to opt in, you simply shouldn’t install any official (or unofficial) COVID-19 tracking apps.
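The flow described above can be sketched as a small simulation. This is an added illustration that follows this article's description; it is not Apple's or Google's code and does not reproduce the real framework's cryptography. The `Phone` class, the `encounter` and `simulate` functions, the 15-minute rotation value and the scenario are all assumptions constructed for the example.

```python
import secrets
from datetime import datetime, timedelta

ROTATION = timedelta(minutes=15)  # assumed value inside the article's 10-20 minute range
RETENTION = timedelta(days=14)    # the article's 14-day window

class Phone:
    """Hypothetical model of one handset; nothing here is a real OS API."""
    def __init__(self, opted_in):
        self.opted_in = opted_in
        self.sent = {}    # own random IDs -> time first broadcast (stays on the phone)
        self.heard = {}   # IDs received from nearby phones -> time heard
        self._current = self._rotated_at = None

    def current_id(self, now):
        """ID to broadcast now; None when the user has not opted in."""
        if not self.opted_in:
            return None
        if self._current is None or now - self._rotated_at >= ROTATION:
            self._current, self._rotated_at = secrets.token_hex(16), now
            self.sent[self._current] = now
        return self._current

    def upload(self, now):
        """IDs heard in the last 14 days, shared after a diagnosis with consent."""
        return {i for i, t in self.heard.items() if now - t <= RETENTION}

    def exposed(self, uploaded, now):
        """Check on the phone itself whether any of its own recent IDs was uploaded."""
        return any(i in uploaded for i, t in self.sent.items() if now - t <= RETENTION)

def encounter(a, b, now):
    """Two phones in Bluetooth range swap current IDs, and only if both opted in."""
    id_a, id_b = a.current_id(now), b.current_id(now)
    if id_a and id_b:
        a.heard[id_b], b.heard[id_a] = now, now

def simulate():
    """Constructed scenario: alice is diagnosed one day after meeting bob."""
    t0 = datetime(2020, 6, 1, 9, 0)
    alice, bob, carol, dave = Phone(True), Phone(True), Phone(True), Phone(False)
    encounter(alice, carol, t0 - timedelta(days=20))   # too old to count
    encounter(alice, bob, t0)
    encounter(alice, bob, t0 + timedelta(minutes=30))  # both IDs have rotated
    encounter(alice, dave, t0 + timedelta(hours=1))    # dave never opted in
    now = t0 + timedelta(days=1)
    uploaded = alice.upload(now)
    result = {n: p.exposed(uploaded, now) for n, p in
              (("bob", bob), ("carol", carol), ("dave", dave))}
    return result, len(bob.sent), uploaded
```

The uploaded set holds only random hex strings: no names, phone numbers or locations appear anywhere in the exchange, and a phone that never opted in neither sends nor stores anything.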
Since this question is undoubtedly going to come up, we figured we’d answer it here. As mentioned, because this API isn’t actually an app, you can’t uninstall it. It’s built into the Android and iOS operating systems and was pushed through recent security updates.
There are walkthroughs on the Internet that will walk users through rolling back their phone or other risky procedures, but that only puts your phone at risk for other threats. There is nothing to uninstall, and rolling back your phone and preventing future security updates from ever getting installed is a very bad idea.
You don’t need to worry about the API being there. It’s just a setting, and by default, you are opted out. If you are worried about it, both Apple and Google state that simply not installing a COVID-19 Exposure Notification app, or uninstalling one if you did install one, is all it takes to not participate.
DO NOT FOLLOW ANY INSTRUCTIONS ONLINE THAT WALK YOU THROUGH ROLLING BACK YOUR PHONE AND OPTING OUT OF SECURITY UPDATES.
If you are that serious about your privacy, you are only putting your privacy and data at more risk.
After reading and understanding the technology behind the COVID-19 Exposure Notification system, it does sound like they are taking every step to make the system secure and anonymous. After all, it does need to comply with healthcare regulations, which many of our clients know are very strict when it comes to data privacy.
The decision to opt in or out of the COVID-19 Exposure Notification system is yours and yours alone, but Google and Apple appear to be doing all the right things to ensure that the system is safe and secure, without violating anyone’s privacy.