AGS Urge Apple, Google to Ensure Privacy of COVID-19 Contact Tracing

June 17, 2020 - Following reports that showed the majority of consumers would not opt into using COVID-19 contact tracing apps, 39 bipartisan members of the National Association of Attorneys General (NAAG) are urging Apple and Google to ensure the privacy and security of their APIs.

Avira recently surveyed 2,000 US individuals and found that 71 percent of respondents said they do not plan to download or use a COVID-19 contact tracing app due to digital privacy concerns.

What’s more, consumers between the ages of 25 and 44 ranked contact tracing apps as the biggest threat to digital privacy in 2020, viewing those apps as a bigger threat than identity theft or cybercrime.

Those who work in the government and healthcare sectors are the least likely to download the apps, with 84 percent of respondents, while individuals over the age of 55 are the least likely to use the apps with 88 percent of respondents.

Just 32 percent said they would trust Google and Apple to keep their data secure and private.

As noted by industry stakeholders, the effectiveness of these apps is contingent upon individuals opting into their use. Google and Apple have previously addressed some potential privacy and security concerns, but that has not fully assuaged public fears.

In response, NAAG sent a letter to Google CEO Sundar Pichai and Apple CEO Tim Cook, detailing the concerns about their developed API -- designed for public health authorities to use in their own contact tracing apps.

The APIs are meant to be leveraged to decentralize exposure notification of contact tracing apps leveraging Bluetooth technology. To NAAG, the primary concern is that the apps on their platforms will not sufficiently protect the personal information of consumers.

While the apps are meant for public health authorities, other proposed contact tracing apps on the Google Play and App Store contain advertisements or in-app purchases and are not affiliated with any public health authority or another legitimate health authority.

“Digital contact tracing may provide a valuable tool to understand the spread of COVID-19 and assist the public health response to the pandemic,” NAAG leaders wrote. “However, such technology also poses a risk to consumers’ personally identifiable information, including sensitive health information, that could continue long after the present public health emergency ends. “

“As public health authorities release apps built with your APIs, there’s likely to be increased media and consumer attention on exposure notification and contact tracing apps,” they added. “Other developers may take advantage of the situation by placing new contact tracing apps on your platforms that do not adequately safeguard consumers’ personal information.”

To address these concerns, the NAAG attorneys’ general are urging Apple and Google to verify that every app labeled or marketed as related to COVID-19 contact tracing apps is connected to a municipal, county, state, or federal public health authority, or a US university or hospital working with a public health authority.

Further, Google and Apple are asked to remove any app that cannot be verified with those restrictions. NAAG also urged the tech giants to pledge to remove all of the contact tracing apps, including those leveraging the Google and Apple API, once the COVID-19 pandemic has ended.

Lastly, NAAG asked for written confirmation once the apps are removed or an explanation as to “why the removal of a particular app or apps would impair the public health authorities affiliated with each app.”

“Implementing these limited measures could help protect the personally identifiable information and sensitive health data of millions of consumers during this crisis,” NAAG concluded.

The letter joins an earlier inquiry from four Democratic Senators, which probed Apple’s involvement with contact tracing apps and its privacy and security policies. Congress has also proposed several pieces of legislation that take aim at the apps, as HIPAA does not cover third-party health apps not promoted or tied to covered entities and requested by patients.

Healthcare covered entities can also review recent guidance published by the American Medical Association, designed to empower patients with more control over their data.