Much thought has been spent on creating the decentralised, minimum-knowledge contact tracing approach DP-3T. This has been implemented in contact tracing apps of several countries, e.g. the German Corona-Warn-App. Following this approach, there is no central instance that can identify users' contact history.

However, as the apps depend on specialised APIs provided by the Google Play Services (Android) and amended iOS features, my question is:

Can Apple and Google, e.g. by logging the API usage, bypass the decentralised approach? In effect, can they create contact history profiles?

Please note: This is a theoretical question about the implementation that I do not understand. I do not imply that there is any abuse of this kind; I just wonder if it would be possible technically.

edfrank
  • Are Google and Apple actually using DP-3T, or is it actually a similar protocol that was influenced by DP-3T? – reed Jun 17 '20 at 13:33
  • @reed Indeed. Apple and Google can do whatever they want on their OS, subject to potential litigation if they are ever found to be operating contrary to privacy expectations. This is not much different than asking, "Can my son leave a mess when he borrows my car, even though I told him he can't?" – Conor Mancone Jun 17 '20 at 13:49
  • In fact I would say that, were there business motivation to the contrary, it is only the threat of legal action that keeps such companies from tracking and correlating whatever data they desire. As a result the potential presence of what amounts to a "loophole" in DP-3T is much less relevant than the relative benefit they expect to receive from exploiting said loophole compared to the potential cost in litigation/loss of brand trust. If there was such a loophole and they exploited it, "We were just following DP-3T" won't save them from multi-billion dollar GDPR fines. – Conor Mancone Jun 17 '20 at 13:53
  • @reed The API of Apple and Google is based on DP-3T, but the project has developed further since. However, the DP-3T SDK has changed to the Apple / Google API, so it seems to be accepted as a suitable implementation by the project's participants: https://github.com/DP-3T/dp3t-sdk-android/blob/master-alpha/README.md – edfrank Jun 17 '20 at 13:55
  • @ConorMancone Viewed from this perspective, it would be quite interesting if there actually could be fines – or if the standard Android / iOS terms and conditions + privacy policy are written in a way so broad that this data collection would be "accepted" by the user. – edfrank Jun 17 '20 at 14:01
  • @edfrank There absolutely could be fines. Especially in Europe, it doesn't matter if they abide by their own terms and conditions if their actions violate GDPR. GDPR in particular allows for fines up to 4% of global revenue of the parent organization. In 2019 Alphabet (the parent company of Google) had ~$150 billion in revenue. Therefore a severe violation of GDPR (and I'm guessing that is how Europe would view it if they started doing contact tracing in the background) could cost them upwards of $6 billion. – Conor Mancone Jun 17 '20 at 14:31
  • Although to be clear, I'm not saying that therefore, "Don't worry about it, it's fine". I'm seriously considering ditching Android and iOS over this. Not because of the current proposed standards, but because of what this likely can morph into over the next decade... but then again I probably err a little bit on the side of conspiracy theorist... – Conor Mancone Jun 17 '20 at 14:32
  • Rule #1: don't trust Apple or Google, Rule #2: don't trust Apple or Google – Pedro Lobito Jun 18 '20 at 04:11

0 Answers