The new opt-in COVID-19 Exposure Notifications Express systems included in Apple’s iOS & available on Android need privacy guardrails, say privacy advocates.
The Electronic Frontier Foundation is echoing lawmaker concerns that California is not taking privacy seriously enough as state legislators mull launching a Covid-19 exposure-notification app based on Apple & Google’s smartphone technology.
The US non-profit, aimed at protecting citizens’ privacy & free speech, criticised the state’s lack of any privacy standards for state COVID-19 mobile tracking apps, or for contracts California may enter to roll-out such programs.
Although California has not yet announced a program similar to ones other US states already have launched that use mobile technology, or apps, to help people keep track of COVID-19 exposure in their local area, there are plans in the works, comments a blog post by Electronic Frontier Foundation’s (EFF) Hayley Tsukayama, a legislative activist.
Those plans have a lack of consideration for privacy, however, she observed, backing concerns made in a letter to California Governor Gavin Newsom written by t3 state lawmakers–Assembly Privacy & Consumer Protection Chair Ed Chau, Senate Judiciary Chair Hannah-Beth Jackson & Assembly Speaker Anthony Rendon.
In referencing discussions for a pilot program in California that includes a “contact-tracing application,” the legislators “articulated concerns about the lack of privacy considerations that have accompanied those plans,” Tsukyama wrote.
“The Administration has not fully considered many important implications of implementing” a state-wide app, lawmakers said in the letter.
They also cautioned that California should be careful of the suggestion that Google & Apple may be willing to create a pilot program for California “free of charge,” maintaining that there could be hidden fees in how the companies use the sensitive personal data collected.
The most recent program, launched in Colorado, uses the Exposure Notifications Express (ESE) system, which Apple recently added to iOS & which also soon on Google’s Android operating system.
The technology for the system was jointly developed by the 2 companies, to allow tech users to opt-in to a public health program, that lets them if they have been exposed to COVID-19 without requiring them to download a separate app.
“It is likely to become the easiest path for most smartphone users to participate in exposure notification systems,” Tsukyama noted.
Other US state COVID-19-notification systems already launched include North Dakota Care19, Wyoming Care19 Alert, Alabama Guidesafe, Nevada COVID Trace, & Virginia Covidwise, the last of which has got good reviews for privacy & security, suggests the EFF.
Any similar system California decides to implement must not be implemented without having some very clear privacy rules, she warned, calling on Gov. Newsom “to place basic privacy guardrails on any contact-tracing program run by or with the state.”
Two bills toward this that the EFF supported already have been rejected in California‘s legislature, Tsukyama noted, actions that were “a disappointing failure to protect the privacy of Californians & thereby advance public health” as “the need for these protections is only growing.”
Data Minimisation Law
Rules regarding citizen privacy in contact-tracing apps should include a data minimisation law that ensures that the data collected only serves a public health purpose, & a guarantee that the information not be used for any other purpose, such as for commercial use.
The EFF also is asking for an assurance that those who choose to participate–or not, do not face discrimination, & protections for people who cannot or do not want to participate in a data collection program. They also oppose California making participation in the program compulsory.
Any program should also include a requirement to purge data from such programs when it is no longer needed, requesting a 30-day retention period with 1 “narrowly crafted” exception possible in terms of demographic data, Tsukyama wrote.
This criticism is not the 1st time the EFF has expressed concern over COVID-19 contact-tracing technology.
In April, the organisation asked developers to proceed cautiously as they, Apple & Google’s jointly developed developer platform for building COVID-19 tracking mobile apps, warning against the potential for cybercriminal use & exploitation.
“Privacy protections are necessary to public health programs, particularly when a program needs high levels of participation to be effective,” Tsukyama concluded. “People will not use applications they can’t trust.”