By Stephen Nellis and Paresh Dave
SAN FRANCISCO (Reuters) – U.S. states promoting apps that could prove essential to ending the coronavirus lockdown may be headed for a showdown with the two Silicon Valley companies that control key software on 99% of smartphones over the collection of sensitive GPS location data.
Apple Inc and Alphabet Inc’s Google plan to release technology jointly in the coming weeks for digital contact tracing through Bluetooth sensors on phones. Public health authorities have determined that the technology is crucial to apps that will alert people when they have been close to people who have tested positive for the novel coronavirus.
For contact tracing apps to work, however, millions of people must be willing to use them without fear their locations and other personal data is being tracked and stored.
Google and Apple have sought to build public trust by emphasizing that the changes they are making to Bluetooth to allow the tracing apps to work will not tap phones’ GPS sensors, which privacy activists see as too intrusive.
But the states pioneering the apps – North and South Dakota, and Utah – say allowing public health authorities to use GPS in tandem with Bluetooth is key to making the system viable.
The Bluetooth technology will enable users to be notified if they crossed paths with a coronavirus carrier, but will not specify where the encounter happened, information crucial to authorities who want to identify hotspots for virus transmission and move fast to stop outbreaks.
Apple and Google said on Friday that they still have not decided how to proceed.
“I would encourage them to go for the ‘and’ and not the ‘or’ solution,” North Dakota Governor Doug Burgum said of Apple and Google in an interview late Thursday.
“During this new normal, there is a place for having solutions that protect privacy and enable more efficient contact tracing,” said Burgum, himself a former software executive who sold a company to Microsoft Corp for more than $1 billion in 2001.
APPS AT WORK
Anonymized GPS location data is already playing a key role in an early version of Care19, an app that about 40,000 people have signed up for in North and South Dakota.
Authorities currently ask Care19 users to give them permission for timestamped GPS location data, which allows officials to manually call places where users could have spread the virus and ask for names and numbers of others who may have been there at the same time.
This laborious process will no longer be necessary with the Bluetooth technology coming from Apple and Google, which will automatically catalog encounters between users and enable carriers to anonymously convey to others potentially infected that they should get tested. Without the changes the two companies are working on, iPhone users would have to keep their phone unlocked and app open at all times.
Utah’s Healthy Together contact tracing app, which launched on Wednesday, for now is using a workaround that only catalogs some encounters. Healthy Together also collects location data and its developers hope Apple and Google do not force them to drop that functionality to adopt the more comprehensive Bluetooth technology.
“What Utah wanted to understand is not just who is spreading [the virus] to whom but also location zones,” said Jared Allgood, chief strategy officer for Twenty, the startup which developed Utah’s app for an initial $1.75 million.
GPS location data allows authorities to decide which businesses may need to be closed because the virus is spreading there, and prioritize which contacts of diagnosed patients to test.
“Is it happening in a park, a Costco or a Walmart? They are trying to make policy decisions that move our economy from a broad-based ‘everything is shut down’ to a more targeted approach,” Allgood said in an interview on Friday.
Privacy experts have warned that any cache of location data related to health issues could make businesses and individuals vulnerable to being ostracized if the data are exposed.
But Tim Brookins, a principal engineer at Microsoft who previously worked for Burgum and developed Care19 independently of his employer, said location data is stored on a Microsoft Azure server that he rents and to which only he and one other person have the keys. North Dakota is paying about $9,000 to license Care19 for six months, he said.
Allgood said the Utah app asks users for their phone number, but location data is stored anonymously in a server rented from Amazon Web Services.
“We don’t see a reason why Apple or Google would not allow us to participate in their tools,” said Diesel Peltz, Twenty’s CEO.
Brookins and Burgum expressed confidence the two tech giants would allow for location data collection after seeing the safeguards Care19 has put in place, including not asking for users’ names, phone numbers or email addresses.
“Some people are completely opposed to an intrusion on privacy but there’s a younger generation sharing their location on dozens of apps,” Burgum said.
“There may be a set of people highly social, young and going out to bars who may see this tool as fantastic.”
(Reporting by Paresh Dave and Stephen Nellis; Editing by Sonya Hepinstall)
