Sens. Probe Privacy, Cybersecurity of Apple COVID-19 Screening Tools

April 06, 2020 - Apple recently announced the launch of a new COVID-19 screening app and website based on guidance from the Centers for Disease Control and Prevention. In response, a group of Senators are looking into the tech giant’s cybersecurity and privacy practices given its data collection efforts.

The screening tool was designed in partnership with the CDC, the White House Coronavirus Task Force, and FEMA and aims to keep US citizens informed with the latest CDC resources and reduce the spread of the virus.

The app will provide users with answers to frequently asked questions, as well as find ways to connect with telehealth platforms if they are concerned they have Coronavirus symptoms.

However, Sens. Bob Menendez, D-New Jersey, Richard Blumenthal, D-Connecticut, Kamala Harris, D-California, and Cory Booker, D-New Jersey, are concerned about the data collection practices outlined in Apple’s announcement that noted it would collect some user data – but did not outline just what data that would entail.

“While we acknowledge Apple’s statements regarding user privacy and that the questionnaire tools ‘do not require a sign-in or association with a user’s Apple ID, and users’ individual responses will not be sent to Apple or any government organization,’ we are nonetheless concerned for the safety and security of Americans’ private health data,” the Senators wrote to Apple CEO Tim Cook.

“Although, the use of technological innovations and collaboration with the private sector is a necessary component to combating COVID-19, Americans should not have to trade their privacy at the expense of public health needs,” they added.

The concern is that users are asked to fill in a questionnaire about their health and exposure before they are directed to the applicable CDC resources, as well as detailed feedback on whether it’s recommended they should seek out care for COVID-19 symptoms.

Apple has stressed that it won’t collect personal data through the app, it will be collecting “some information” to improve the site. But it did not identify just what information the app will collect from its users.

The Senators are concerned that data collected through the Apple screening tools could be used for commercial purposes in the future and stressed the data must remain confidential. Further, they stressed Apple must clearly explain whether the data collection complies with HIPAA.

It’s important to note that third-party apps chosen by patients for healthcare purposes are not covered by the HIPAA, as the Department of Health and Human Services clarified in April 2019.

The Senators are also seeking details on Apple’s security practices around the data collection, including how it’s protecting against nation-state actors and other potential hacking attempts. Apple is being asked to address these concerns by providing the Senators with insights into its privacy and security practices.

Apple needs to provider the specific terms of its agreement between the company and the federal government, as well as state governments. The tech giant must also outlined its specific data retention policies on all data entered into the website and app.

The Senators are also asking whether the app and screening site are governed by HIPAA, and if not, Apple must share the reason. They also ask whether individuals will be allowed to access and monitor the data collected by Apple, as well as the implemented cybersecurity safeguards on the app and website.

They also ask Apple to commit to refraining from using the data collected through its screening tools for commercial purposes, along with refraining from sharing or selling the data to third parties. Apple must also explain whether these tools are accessible to those with disabilities.

Apple must provide the Senators with responses to the inquiry by April 10, 2020.

The inquiry is the latest in ongoing privacy concerns with technology vendors during the COVID-19 crisis. Zoom has come under fire for its privacy practices, as researchers have disclosed multiple vulnerabilities and hackers continue to target the platform for malicious purposes. Google’s Verily has received Congressional scrutiny over its privacy practices, as well.