Apple and Google create contact tracing API that preserves privacy to fight COVID-19

Apple and Google have been working together for the last few months on a not-so-secret project to combat the COVID-19 pandemic which uses LE Bluetooth for contact tracing while still preserving privacy. The project has been codenamed Project Bubble. According to an article on this monumental project released by CNBC citing sources from within both companies, this project has been largely pushed forward by Yul Kwon and Ronald Ho at Google and Myoung Cha, Dr. Guy Tribble, and Ron Huang of Apple – along with other like minded individuals at both companies. As a result of their hard work Google and Apple have simply created an API that will be used by apps released by healthcare departments of governments around the world. These contact tracing apps will likely hit the app stores in mid May. The contact tracing API may have been created with privacy in mind but it remains to be seen just how privacy conscious the contact tracing apps that utilize it will be.

Will Google and Apple’s contact tracing API preserve privacy?

Plans to use bluetooth based contact tracing have been in the works around the world for months to combat the COVID-19 pandemic. Simultaneously, privacy conscious experts rushed to develop ways to do contact tracing without violating privacy. One such open source project, Decentralised Privacy-Preserving Proximity Tracing (DP-3T), had many of its recommendations taken into consideration by Apple and Google.

Burke specifically noted that Project Bubble drew inspiration from DP-3T, telling TechCrunch that it:

“gives the best privacy preserving aspects of the contacts tracing service.”

Google and Apple’s Project Bubble will push for contact tracing that doesn’t use a centralized database and instead favors a more decentralized approach. Some countries, such as the UK, have rejected the  jointly developed contact tracing API because it doesn’t load all the data on a centralized server. Considering the UK’s privacy track record, this isn’t surprising.

It’s important to note that it is possible that privacy invasion can or will happen above the API – and those that choose to use the apps should keep that in mind. However, it’s also important to recognize that Google and Apple have created their API system to not invade privacy from the get go – whether this is out of altruism or to limit liability or publicity blowback doesn’t really matter. The buck has passed to the governments that will use this technology given to them by big tech.

It remains to be seen if the forthcoming contact tracing apps maintain this privacy preservation

Some governments asked big tech for location tracking information which could then be used by the government for other purposes, the biggest tech companies are putting their foot down and saying that just won’t do. it now seems like the basis of the future of contact tracing apps will be privacy preserving; however, it’s important to note again that governments can still add privacy breaking features to the contact tracing apps that utilize this contact tracing API built by Google and Apple.

There are many ways that privacy can still be violated by contact tracing apps – but we now know that it won’t be at the API level. As a currently hypothetical example, if the government’s app that uses Google and Apple’s contact tracing API sends logs of the cryptographic keys used before they’re deleted, or store IP addresses, or location data, or email addresses associated with the app store account used to download the contact tracing app in the first place – privacy can be violated. Don’t be surprised when it is revealed that a government has snuck these privacy defeating “features” into a contact tracing app. We’ve already seen official COVID-19 apps by the government contain malware in Iran. Google and Apple can’t do anything in such an instance besides remove that app from the app store. Just because an app can’t be found in the app store doesn’t mean that a government won’t force you to download it, though – just ask the Chinese citizens that have been forced to download the Jingwang app.

Let’s take a step back and appreciate what has happened with Project Bubble

It isn’t every day that Google and Apple work together on something. Marcel Salathé, a Swiss epidemiologist, tweeted that both the privacy preserving nature of Project Bubble and the participants are surprising – and a welcome respite from governments who are using COVID-19 as a reason to expand location tracking in privacy defeating ways. Salathé tweeted:

“I’ve made a few correct predictions about Covid, but I would not in a 100 years have predicted this: U.S. tech companies provide a privacy-preserving framework to do digital contact tracing, and some European countries are lobbying them to lower the standards.”

It’s up to us as privacy conscious technology users to condemn any attempts to lower the standard of privacy in the contact tracing apps that we opt-in to use. Anything less will be a slide on the slippery slope. While privacy erosion has historically happened both from big tech companies and from governments, as we’ve seen from the COVID-19 pandemic it seems that the latter are more suspect in this particular instance. Stay safe.