When Apple and Google updated their operating systems to include an exposure notification API, they mandated a privacy-first approach for any governments that wanted to access the framework. Those that do not comply can still make use of basic tech on the phones, but it is fraught with technical challenges. If you’re a virologist or epidemiologist arguing that you need data to fight the spread of infection inside your country, you’re out of luck. Apple and Google have said no.
Australia has now rejected the Apple and Google framework embedded in the latest versions of Android and iOS, deciding to keep its COVIDSafe app independent. The reason is simple: the Apple/Google model “fundamentally changes the locus of control and takes out the middle person,” Australia’s Deputy Chief Medical Officer Nick Coatsworth complains. That middle person is critical—it’s the manual contact tracer, the expert, “the people who have kept us safe,” as Coatsworth puts it.
COVIDSafe has technical challenges given its lack of access to the technology that Google and Apple control. But the government has judged that this is better than the data compromises involved in toeing the U.S. giants’ line. That’s a powerful statement. The population is inevitably less safe given the standoff.
France has always insisted on a sovereign contact tracing app, snubbing the Apple and Google alternative. It claims to have made the technology work, despite the decision to go it alone. Unfortunately, just as France has snubbed Apple and Google, so the French population have snubbed the app. Take-up is always a challenge for apps that need a WhatsApp-size install base to be effective. But in France, the take-up is woeful, and, worse, many of those that have installed the app are now deleting it.
Earlier this month, the U.K. government made headlines when it seemed to be abandoning its own digital contact tracing app for the Apple/Google alternative. But that’s not what happened at all. The U.K. has rejected the privacy-first approach mandated by the U.S. tech giants; it wants a more expansive Australia-style system. But with Apple and Google restrictions it cannot make this work. And so it has essentially deprioritized its tracing app in favour of manual alternatives.
A much more notable rejection of Apple/Google has come from Singapore. Let’s remember, it was Singapore that initiated privacy-friendly Bluetooth contact tracing in the first place. Its Trace Together scheme came first and was the first to encounter the limitations of such schemes—lack of take-up and compliance, and more critically a lack of data for the virologists and epidemiologists to work with, to fight the virus.
Even compliant Singapore couldn’t make it work. And so the city state has now expanded its program to be much more invasive than it was before, a far cry from the decentralized, anonymized, arm’s-length approach mandated by Apple and Google.
First came SafeEntry, a check-in scheme for Singapore’s citizens to provide their identification when they visit locations including workplaces, schools, retail outlets, hotels and even healthcare facilities. There are penalties for businesses failing to enforce the scheme. It is a complete rejection of anonymized digital tracing as an effective means by which coronavirus infections can be contained.
Now Singapore has gone another step further, adding Bluetooth tokens to its Trace Together scheme. These are designed to fill the gap in take-up, where citizens do not have capable smartphones, especially the elderly and vulnerable. The government gives assurances that data captured by the devices will be encrypted and kept for only 25 days, and that the tokens cannot record GPS locations or transmit data. But it is a government-issued device outside the privacy-first Apple/Google framework.
You can see where this is going. It’s yet another initiative that has been introduced in the real world, but which is a world away from the fantasyland where 80% of smartphone owners install and comply with a decentralized app that does not provide the health authorities with any context or modelling data, and which precludes any form of monitoring or compliance.
Ironically, the Trace Together tokens sound more dystopian than they actually are. They carry no more of a privacy threat than smartphone apps. But they are hugely symbolic of a real-world deployment of digital contact tracing where lessons have been learned and technology has been adapted. And, ultimately, the real failure of the Apple/Google mandate is that there is no room for debate: the rules have been laid down, and governments have lost the room to manoeuvre as they see fit.
It would not have been difficult to create a centralized, cloud-based framework that did enable data to be collected and modelled, that provided the ability for some levels of monitoring and even some forms of mandatory compliance if needed. This could have been open-source, outside the purview of those regimes whose surveillance aspirations pushed the privacy-first, decentralized model in the first place.
That hasn’t happened. I live in the U.K., where the first wave of coronavirus caused chaos. The digital contact tracing app was seen as a significant safety measure to help the country safely back to its new normal. Now those plans are in tatters, and so the country is emerging from its lockdown with no such safety measure in place. Apple and Google may have safeguarded the world’s population from the purely theoretical risk of a COVID-19 surveillance nightmare, but at what cost?