University Operating Status

Technology giants Apple and Google have come together on a platform to support contact tracing in the wake of COVID-19. The collaboration has raised privacy concerns not only about the operating system, dubbed “Gapple,” but the role technology should play in personal data collection. Rutgers Today connected with Rutgers Law School professor Ellen P. Goodman, who specializes in information policy law, for a conversation on the matter.

Apple and Google are implementing a common platform through an operating system update, dubbed "Gapple," to aid in contact tracing. What is significant about this technology and the collaboration?

“I think it is very important to note that the Apple/Google technology is not contact tracing, but rather proximity notification. Contact tracing is a public health term. It not only informs you of exposure but what you need to do and what services you should avail yourself of. It involves context on how you may have been exposed. This application will ‘ping’ you when your phone has been in proximity to someone else who has reported to the app that they have tested positive.

What is significant about the partnership is that it is, I believe, the first one they’ve ever had, and that it covers all the phones, both iPhone and Android, and that it is very privacy protected."

How does Apple/Google's proximity notification technology work and protect user privacy?

“It is a low-power radio frequency via background Bluetooth, with everything living on the phone. It generates random numbers as you move through the world and its use is voluntary, so far. The user would download an app, perhaps from the public health department, that relies upon the phone’s technology. If you tested positive, you would voluntarily notify the app. That information is not going to be gathered anywhere, but it will activate the randomly generated numbers that the device came into contact with. If another individual who has downloaded the app has one of those same generated numbers, their phone will ‘ping.’ There is no data collection of who you are, where you were, or who the infected person is. It is all about the numbers speaking to each other.”

Is this digital approach effective in a public health arena that historically relies on collecting and tested data in a more analog manner?

“The argument for it is that it is very privacy protected and provides information that can be very useful to a user. That said, a person may not get ‘pinged,’ and that does not mean that they have not been close to an infected individual, it just means that no one has reported. From that perspective, it could create a false sense of security. You may never get pinged, but could have been near someone asymptomatic, symptomatic but never reported or did not have the app. Secondly, I think they have worked hard not to create a lot of false positives. In the beginning, there was a lot of speculation that could create anxiety and fear unnecessarily. I have a feeling they have corrected some of that. A third problem is, assuming the notifications are appropriate and correct, what do you do with this information? Traditional contact tracing would help with this important question, as it typically offers a social work component.

With rumors circulating on social media, how can users be confident that the Apple/Google technology will not access their contacts without their permission?

“I am inclined to smile when I see this, because they probably already know everything about you. They already have your contacts and location because of all the other apps you have on your phone. Right now, this is not designed to utilize GPS or cell phone tower triangularization the way other location applications do – however that could change. I am not sure that the incremental data gathering this enables for them is that worrisome. But I do understand and agree with people who are concerned about the government gaining access, because they do not necessarily have this information already.”

What is your biggest takeaway about the concerns over Gapple?

“Privacy is understandably a big concern for consumers, but there is a whole other basket of concerns that we should have about tech. What does tech replace that we really need to invest in? Politico has reported on how European countries have looked at alternatives to the Gapple, but Apple and Google responded in a heavy-handed way that they were not going to help with solutions other than their own. So, it is valuable to them. That is also a form of tech dominance over our public institutions, which worries me. It is not so much this particular application, but their dominance and whether or not it prevents us from doing what we should be doing. The ‘analog’ contact tracing should have a tech component, but it cannot only be tech. My fear is that once health departments have this, and people download this to their phone, they are going to be done with it and it is not nearly enough.”

Are there any resources regarding privacy concerns related to technology?

"There are some non-profits that the public can reference, such as the Center for Democracy and Technology, the Electronic Frontier Foundation and the Electronic Privacy Information Center."

Professor Goodman specializes in information policy law. Her research interests include smart cities, algorithmic governance, freedom of expression, platform policies, communications architectures, media and advertising law, and transparency policy. She is codirector and cofounder of the Rutgers Institute for Information Policy & Law (RIIPL). She blogs at riipl.rutgers.edu and at medium.com, and has written for The Guardian, Protego Press, Democracy, and Slate.