The US’s draft law on contact tracing apps is a step behind Apple and Google

American legislators have outlined a plan to regulate digital contact tracing apps to protect people’s privacy. But the bill, unveiled on June 1 with bipartisan support, largely recommends measures already built in to a technology provided by Silicon Valley giants Apple and Google.

The Exposure Notification Privacy Act is a proposal to prevent potential abuses by the apps, which aim to alert users who might have been exposed to covid-19. Among other things, it would require anyone who operates an exposure notification service to “collaborate” with public health authorities; make usage of the app voluntary; and block the commercial use of any data it might collect.

The bill is being led by senators Maria Cantwell of Washington, Bill Cassidy of Louisiana, and Amy Klobuchar of Minnesota. It is the first visible attempt at national leadership around digital contact tracing, despite the fact that America has been the center of the pandemic for weeks. The Centers for Disease Control has been offering limited guidance to states producing their own apps, but the White House has remained largely silent as the death toll has risen to more than 100,000 people.

While America’s rollout of contact tracing has lagged behind many other countries, MIT Technology Review’s Covid Tracing Tracker—a global database of contact tracing apps—has now started tracking activity within the US. Early apps have been documented in Alabama, South Carolina, Utah, South Dakota, and North Dakota, with more expected to arrive in the coming weeks.

‘Dictating terms’

However, while the bill steps into a void left by federal agencies, many of the proposed rules are actually already part of the policies enacted by Apple and Google.

The two Silicon Valley companies joined forces in April to develop and deploy an exposure noThe two Silicon Valley companies joined forces in April to develop and deploy an exposure notification system, which most states are planning to use as the underlying framework for their apps. Their rules mean that many of the legislative suggestions in the Senate bill are, in fact, already de facto standards. For example, only apps with support from national or state-level health authorities are currently granted access to Apple and Google’s technology, and they cannot use it if they make the download of such a program mandatory. 

Jeffrey Kahn, director of the Johns Hopkins Berman Institute of Bioethics, says that Apple and Google have already been effectively setting national policy through their decisions.

“There’s a vacuum, and they do control access through the technology,” he says. “I guess it’s not surprising, but they’re definitely dictating terms.”

Kahn and a group of colleagues recently published a book of proposals and commentaries on the ethics of digital contact tracing services. In that book they highlighted Apple and Google’s outsized role in the process—and the lack of legislative control over a vital public health function.

This is partly because the speed and scale of the pandemic has taken everybody by surprise, including politicians and experts. But it has also been complicated by the confusing political messages and misinformation around covid-19. And while Kahn says privacy concerns are very important, and an obvious focus for the likes of Apple and Google, he adds that there are also other factors that must be balanced against each other.

“The public has values, too, which includes privacy, but not only privacy,” he says. “This needs to be driven by public health, which may or may not be the same as what Apple and Google have decided are the terms of contact.”

For example, says Kahn, the technology companies have placed a premium on minimizing the app’s battery usage. This may make it more palatable to users—and therefore better for Google and Apple—but also means it may be harder to detect people nearby: a product decision that may reduce, rather than improve, the public health impact.

“We’re pushing back pretty hard on that,” he says. “I can’t think of another time when we’ve been under such pressure to figure out solutions where we have to figure this stuff out on the fly. And they are very complicated, and in a very politically charged context.”

Outside the US

America’s patchwork approach to rolling out official tracing apps—leaving each state to make its own decisions and build its own systems—makes the deployment of such services uniquely complicated. Elsewhere around the world, governments and technologists have been working in close cooperation for several months to develop and roll out digital contact tracing systems. While the Covid Tracing Tracker details the different approaches taken in various places—including India’s partly mandatory system and Iceland’s popular but largely uninfluential app—most countries have adopted the same process nationwide.

In Europe, existing consumer privacy legislation such as the GDPR, or General Data Protection Regulation, has meant that governments have largely developed and adopted these apps—including the Apple-Google protocols—without needing to write new laws to protect citizens.

Danny Weitzner, director of the MIT Internet Policy Research Initiative and former digital privacy czar in the Obama administration, said in an interview on Technology Review’s Radio Corona that European law has allowed for a range of approaches under a single umbrella.

“Different countries have chosen different approaches. Some—like the UK, France, Belgium and a few others—have taken a centralized approach: they’ve decided to take a lot of the information directly i“Different countries have chosen different approaches. Some—like the UK, France, Belgium, and a few others—have taken a centralized approach: they’ve decided to take a lot of the information directly into government systems and then disperse out what they think people need,” he says. “That’s acceptable under the GDPR, providing the governments follow appropriate safeguards and limit the usage of the information to just public health purposes. Other countries—Germany, Italy, Switzerland, Austria—have taken a more decentralized approach. But neither one has any claim to being better in any respect under the GDPR yet.”