This is a follow-up to a story we reported a few days ago about Google and Apple’s COVID-19 proposed contact-tracing project.
As you may recall, our article discussed US tech giants Google and Apple’s joint program to bring an anonymized COVID-19 contact-tracing app to iOS and Android. In our analysis of the companies’ plan, we highlighted some of the strengths and flaws of the proposed anonymizing mechanism, which we considered relevant for users, lawmakers, technology partners, and public officials to consider. While the program seems generally solid, we did identify a possible vulnerability: A reliance, at least temporarily, on some potentially identifiable user data being stored in health department databases between the testing stage and the contact notification stage.
The News: It seems that the European Commission is conducting a review of the Google-Apple COVID-19 contact-tracing proposal that encompasses this concern.
Bloomberg reported late this week that on a call with Google and YouTube CEOs Sundar Pichai and Susan Wojcicki, EU Industry Commissioner Thierry Breton reiterated “the need for all digital actors to develop apps to trace the spread of the virus in full respect of the privacy of individuals and ensuring interoperability and security of communications.”
Specifically, EU regulations guiding COVID-19 mobile apps require them to be “voluntary, approved by national health authorities, preserve users’ privacy and should be dismantled as soon as they are no longer needed.” With regard to that final item, the EU’s guidelines deliberately incorporate an off switch for the time when member states move beyond pandemic mitigation measures like lockdowns and testing. Read more at Bloomberg.
Analyst Take: How EU regulators, Google, and Apple will have to put past differences aside to accelerate Europe’s post-COVID-19 economic recovery
Given that testing and contact-tracing are vital to enabling a speedy and safe economic recovery across Europe’s member states, we note three major challenges that Google, Apple, and the EU may struggle with in the coming weeks and months as they search for regulatory common ground.
- The EU’s institutional suspicion of “big” US tech could get in the way of helping EU member states get their economies going again. Because Google, Apple, and other US tech giants find themselves in Brussels’ regulatory and political crosshairs on a regular basis, the relationship between American tech companies and European officials isn’t exactly based on trust and goodwill. US tech giants are often accused by EU antitrust regulators of abusing their market power to gain an unfair advantage in Europe (generally at the expense of smaller European-based tech competitors). Google has also been investigated by data protection regulators in Europe over concerns that its data collection schemes may violate the EU’s rigid user-centric privacy rules.
In the EU’s defense, both companies have already been fined for legitimate infractions which, one could argue, haven’t exactly improved their image as trustworthy and responsible technology partners to the EU public. On the other hand, EU regulators’ animosity towards US tech giants can often be misplaced, ideological, and counterproductive, and one could also argue that the EC sometimes comes dangerously close to throwing the proverbial baby out with the bathwater by following its protectionist instincts too far. While the EU has legitimate concerns about data privacy abuses and the monopolistic tendencies of US tech giants, I would caution that the history of suspicion of and animosity towards US tech giants by European regulators runs the risk of interfering with Google and Apple’s mission to ultimately help save lives and accelerate European member states’ economic reboots. This is as good a time as any to point out that while no one should rush to make a decision in either decision, time is nonetheless of the essence, and too much deliberation and hesitation can ultimately do more harm than good.
- Too many contact-tracing apps in the marketplace may be counterproductive. As noted by EU officials, a proliferation of contact-tracing solutions in the mobile marketplace could work against member states’ combined efforts to make contact-tracing as effective and reliable as possible. While the EU’s concerns seems to be targeted at eventual cross-compatibility hurdles between apps and operating systems, to say nothing of protecting hypothetical European contact-tracing apps from the specter of a Google Apple contact-tracing app “monopoly,” my concern focuses more on the counterproductive impact of diluting COVID-19 contact-tracing information across a dozen or more apps, whose effectiveness would be predicated on widespread adoption and use.
My reasoning here is simple: If the Google-Apple COVID-19 contact-tracing app, which should work equally well on Android and iOS devices, is the main contact-tracing app that most people use, the likelihood that individuals will notify the app of their positive status and the likelihood that users will be notified of having come in contact with a positive individual are significantly higher than if the population’s notification channels are diluted across many different apps. In this instance, because this entire exercise is meant to serve a public health purpose, competition is likely to hinder the overall effectiveness of the program.
A solution to the conundrum of pitting the overall effectiveness of the program against the need to protect competition in the app store marketplace may be for public health officials and EU regulators to think of COVID-19 contact-tracing apps as a single-solution model — one in which the European Commissioners select one product from one vendor as Europe’s official, certified contact-tracing app for all member states. Whether that contact-tracing app turns out to be the one proposed by Google and Apple, or a European app (that may ultimately just license Google and Apple’s contact-tracing IP), isn’t less relevant to this discussion as the decision to consolidate app adoption and contact-tracing notifications to a single app.
- Despite improvements in blockchain and encryption solutions, data privacy is somehow still a stumbling block, even in this instance. Here’s the conundrum when it comes to privacy concerns as they relate to data security: On the one hand, the COVID-19 contact-tracing app can pull data from public health databases, and keep that data from being collected (and more importantly matched to users) by Apple and Google. The risk with that option is that public health databases may not be as secure against hostile and criminal agents as they ought to be, and deanonymized COVID-19 status data may be accessed by hackers. On the other hand, allowing Google and Apple to manage and curate that user information would likely make it more secure, but by doing so, EU regulators may be handing both US tech companies more access to private user data than they feel comfortable with, to say nothing of possibly running afoul of EU data privacy rules.
As a fix, Google and Apple may need to provide EU regulators with a compromise, most likely in the form of an end-to-end data anonymization solution built into the contact-tracing program. Easier said than done, but for the sake of expediency, such a solution would go a long way toward assuaging concerns about both user privacy and data security vulnerabilities.
While the first two challenges listed above fall mostly to European regulators to sort out among themselves, the third falls to Google and Apple — or whatever tech company can quickly and effectively offer the EU a safe, secure, effective COVID-19 contact-tracing app that will work across all member states and function on iOS and Android devices — to figure out.
A fourth issue that did not require its own analysis but is nonetheless worthy of mention is the EU’s plan to have the contact-tracing app ecosystem “dismantled” once the COVID-19 crisis is over. In all likelihood, the COVID-19 crisis will continue to linger and ripple for a year, maybe two, or at least until we have distributed a vaccine in enough quantities that any resurgence of the illness will be easily suppressed. Secondly, the same contact-tracing app-based infrastructure built for COVID-19 may need to be dusted off and re-tasked when the next pandemic strikes, meaning that Europe should consider that the “off” switch it wants to build into this program will also likely need to be an “on” switch for its unfortunate future use.
That being said, time, as I mentioned earlier, is of the essence here, and neither vendors nor European regulators have the luxury of taking six months to work on building the ideal solution to this problem. The urgency of the situation, driven by the need to begin safely but quickly restarting the global economy, may require EU regulators to select a solution that they are not entirely comfortable with, in order to start working toward that goal in the next month. The Google Apple contact-tracing project may be the best option for Europe, or it might not, but right now, given obvious time constraints, it appears to be.
To be continued.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.