NY Attorney General warns Apple, Google to police COVID-19 tracing apps in their souks – or she will herself

The Attorney General of New York has warned Apple and Google she expects the tech giants to keep an eye on an upcoming crop of coronavirus contact-tracing apps, particularly when it comes to the accumulation of personal data.

In letters sent Tuesday to the mega-corp pair, Letitia James makes it plain she is concerned that a wave of Bluetooth-based track-and-trace apps are about to appear on the shelves of software stores for iPhone and Android devices. The fear is that many of them may use anxiety over the coronavirus, and public willingness to help, to suck personal information out of people.

“Apps can play an important role in helping stop the spread of COVID-19, but more needs to be done to protect consumers’ personal information and to minimize consumer confusion,” James wrote [PDF].

“It is imperative that apps that use sensitive health information be developed only by public health agencies, to ensure that appropriate protections are in place and to provide accountability. It is also critical that app developers provide clear disclosures that enable users to understand the differences between the two types of COVID-19 apps, so they can provide informed consent before downloading and using them.”

There will be two types of apps: those using an API designed by Apple and Google to allow people to discover whether they've come in contact with someone who is infected, while keeping their personal details – including location – private; and those that offer some kind of centralized COVID-19 tracking system.

Apple and Google have committed to only allowing a single public health authority per state to produce an app that uses their special API, and to ensure that the app does not allow for personally identifiable information to be exchanged through the application. The letter reaffirms those commitments for the record.

However, some developers, states, and even nations are going to build, or have built, apps that snub the pro-privacy, battery-lite Apple-Google API, and market them via Apple and Google's online bazaars, and James wants to preemptively ensure that the tech giants keep a clean shop.

These include requiring those apps to tell users that they are not using the official API interface, prevent them from transmitting personal health information, check on the identity of the developers, and bar them from using the app to identify people, or introduce advertising or in-app sales into it. James also wants Apple and Google to require any such apps to delete user data on a rolling 14-day basis.

The letter comes as authorities across the world start rolling out COVID-19 contact-tracing apps in an effort to curb the spread of the virus while also allowing economies to open up.

What's Norwegian for humph?

This week saw the the Norwegian coronavirus-tracing app pulled and all the information gathered deleted after its data regulator, Datatilsynet, found it was not adequately protecting personal records.

Norwegian public health body (FHI) was told to stop all collection of data through its Smittestopp (Infection Stop) app because it could “no longer be regarded as a proportionate encroachment on users' basic privacy rights.” Its main issue was with the fact that the app asked users to share their location data and did not give them a way to opt-out of providing it.

It also said that low uptake of the app – just 14 per cent of the population had downloaded it – meant that “it is difficult to validate that it alerts the right people.”

The Norwegian health authority was not happy about the decision, complaining, “we do not agree with the Norwegian Data Protection Agency's assessment,” and that the notice would “weaken an important part of our preparedness for increased spread of infection, because we lose time in developing and testing the app.”

But it agreed to delete the app and pulled it from being downloaded. “We hope it will be possible to find a solution so that infection notification and analysis of infection control measures can be introduced in the long term,” said FHI director Camilla Stoltenberg. ®