Last month, after Apple and Google announced some changes to their forthcoming attempt to track the spread of COVID-19, I noted the surprising degree to which tech giants are setting the terms of the pandemic response. They own the hardware, they own the software, and national governments who would use it to find new cases of COVID-19 have to do it on the companies’ terms.
This week, that process began to accelerate. But first, a bit of background.
The Apple-Google collaboration will ask you to opt in to a system that causes your phone to emit Bluetooth signals to other phones around you. When you are in close proximity to another person for an extended period of time — more than five minutes, typically — both of your phones record the interaction. When a person tests positive for COVID-19, they will have the option of anonymously notifying other phones that they may have been exposed to the virus and encouraging their contacts to self-quarantine or seek treatment.
A sticking point between the tech giants and nation states has been who will process the exposure notifications. Apple and Google want to process the notifications on users’ phones without storing them on a central server, to preserve the maximum degree of privacy possible. Some European countries, meanwhile, have sought to process notifications on a central server, in the hopes that having more detailed information will help them identify additional exposures and more rapidly contain the spread of the virus. (MIT Tech Review has a great tracker that looks at how countries are building these apps, including whether or not they’ve adopted the Apple-Google approach.)
This put France, whose politicians have regularly upbraided Silicon Valley for perceived data privacy lapses, in the very funny position of begging Apple and Google to lower their privacy standards. Germany, whose scientists had helped devise Europe’s (deep breath) proposed Pan-European Privacy-Preserving Proximity Tracing project, decided to throw in with Apple and Google after it became clear that was not going to happen.
Until now, the United Kingdom has held holding firm in its commitment to building its own exposure notification app, even though it will have limited access to the Bluetooth notifications necessary for it to work. James Vincent explained why this is a problem this week at The Verge:
Both Google and Apple restrict how apps can use Bluetooth in iOS and Android. They don’t allow developers to constantly broadcast Bluetooth signals, as that sort of background broadcast has been exploited in the past for targeted advertising. As The Register reports, iOS apps can only send Bluetooth signals when the app is running in the foreground. If your iPhone is locked or you’re not looking at the app, then there’s no signal. The latest versions of Android have similar restrictions, only allowing Bluetooth signals to be sent out for a few minutes after an app has closed. Such restrictions will block devices from pinging one another in close quarters, drastically reducing the effectiveness of any contact-tracing app.
Google and Apple can rewrite these rules for their own contact-tracing API because they control the operating systems. But for countries trying to go it alone, like the UK, the restrictions could literally be fatal. iPhone users with the app installed could interact with someone who is later diagnosed with COVID-19 and never know it, if their phone doesn’t keep a log of their interaction.
Now it seems that all of this has dawned on the UK’s National Health Service, which has asked the consulting firm charged with building its app to investigate switching over to the Apple-Google model. Here are Alex Hern and Kate Proctor today in the Guardian:
With growing questions over that approach, it emerged that the Swiss-based consultancy Zühlke Engineering has been hired to undertake a two-week “technical spike” to investigate implementing Apple and Google’s system “within the existing proximity mobile application and platform”. [...]
The prime minister’s official spokesman left open the possibility that a change could be made, telling reporters: “We’ve set out our plans for a centralised model and that’s what we are taking forwards but we will keep all options under review to make sure the app is as effective as possible.”
Right now, it’s unclear how an app that only works when every citizen in the United Kingdom has the app downloaded, open, and running in the foreground at all times is going to be “as effective as possible.” As of today, I’d be surprised if the UK hadn’t adopted the Apple-Google approach by the end of this month.
It’s a fascinating tension: corporations trying to do right by their users versus countries trying to do right by their citizens. As Sam Lessin notes in The Information, this is an uncomfortable place for a tech giant to be. “This isn’t an enviable position for tech companies,” he writes. “It puts them in a nearly impossible position in terms of almost always absorbing blame no matter what they do whenever the choices are hard.”
Elsewhere, India is learning that the privacy concerns around exposure notification apps and contact tracing are not merely abstract. Aarogya Setu, the country’s own homegrown exposure notification app, has significant privacy flaws, Andy Greenberg reported this week at Wired:
Independent security researcher Baptiste Robert published a blog post today sounding that warning about India’s Health Bridge app, or Aarogya Setu, created by the government’s National Informatics Centre. Robert found that one feature of the app, designed to let users check if there are infected people nearby, instead allows users to spoof their GPS location and learn how many people reported themselves as infected within any 500-meter radius. In areas that have relatively sparse reports of infections, Robert says hackers could even use a so-called triangulation attack to confirm the diagnosis of someone they suspect to be positive.
“The developers of this app didn’t think that someone malicious would be able to intercept its requests and modify them to get information on a specific area,” says Robert, a French researcher known in part for finding security vulnerabilities in the Indian national ID system known as Aadhaar. “With triangulation, you can very closely see who is sick and who is not sick. They honestly didn’t consider this use of the app.”
On one hand, privacy has never been the prime directive for a contact tracing scheme. The whole point is to find out people’s real names, phone numbers, and locations so you can tell them that they’re sick before they infect anyone else. At the same time, tech giants are understandably wary of building a tool that could be misused by law enforcement, oppressive governments, or the sorts of bad actors that Robert describes in India. For the moment, it’s the giants’ argument that has carried the day — and done so, at least for now, with remarkably little resistance.
Correction, 2:48 p.m.: This article has been updated to clarify that the NHSX app will be available to the entire United Kingdom, not just England.
Today in news that could affect public perception of the big tech platforms.
🔼 Trending up: Apple announced it’s giving $10 million to COPAN Diagnostics, a company that produces COVID-19 testing kits. The funding will help COPAN vastly scale up its production. (Chaim Gartenberg / The Verge)
🔼 Trending up: Facebook is giving $16 million in grants to more than 200 newsrooms through the Facebook Journalism Project. The grants are meant to help local newsrooms stay afloat during the pandemic. (And give Facebook something shiny to point to so that governments like Australia’s don’t tax them for more.)
⬇️ Trending down: Amazon workers in Southern California say the company’s policies are forcing sick employees to work. They also say warehouses are refusing to comply with a state paid sick leave law meant to prevent Covid-19 outbreaks. (Sam Levin / The Guardian)
Total cases in the US: More than 1,243,000
Total deaths in the US: At least 74,100
Reported cases in California: 61,111
Total test results (positive and negative) in California: 809,036
Reported cases in New York: 329,405
Total test results (positive and negative) in New York: 1,028,899
Reported cases in New Jersey: 131,890
Total test results (positive and negative) in New Jersey: 288,920
Reported cases in Massachusetts: 72,025
Total test results (positive and negative) in Massachusetts: 339,639
⭐ Democratic senators including Elizabeth Warren sent a letter to Amazon questioning whether the retail giant retaliated against whistle-blowers. Amazon recently fired four employees who raised concerns about the spread of coronavirus in the company’s warehouses. Here’s Kate Conger at The New York Times:
“In order to understand how the termination of employees that raised concerns about health and safety conditions did not constitute retaliation for whistle-blowing, we are requesting information about Amazon’s policies regarding grounds for employee discipline and termination,” the letter said. [...]
The letter increased pressure on Amazon and its chief executive, Jeff Bezos, who has been called to testify before Congress in an antitrust investigation and has been a frequent target for criticism from President Trump. A number of senators and representatives have already written to Mr. Bezos expressing concern about warehouse safety.
The Trump administration shelved a step-by-step guide from the Centers for Disease Control on how and when to reopen restaurants and other public places during the coronavirus outbreak. Agency scientists were told the guidance “would never see the light of day,” according to a CDC official. (Jason Dearen and Mike Stobbe / Associated Press)
Here’s how Joe Biden could defeat Donald Trump in a mostly digital campaign, according to Pete Buttigieg’s former campaign manager. “If he can win the battle for our screens, he can benefit from the death of the traditional presidential campaign,” she says. (Lis Smith / The New York Times)
Tech billionaires including Bill Gates and Eric Schmidt are mounting a pressure campaign to prevent the next pandemic. They’re pushing overseas governments to more fully fund international institutions like the World Health Organization. (Theodore Schleifer / Recode)
Out of every 10 people trying to file for unemployment, three to four can’t get through the system to make a claim. Applicants say they are dealing with an array of technical failures, including glitchy websites, laborious phone verification processes, and call wait times of six to eight hours. (Colin Lecher and Mia Sato / The Markup)
The New York Times published a visualization of what types of businesses might be the riskiest to visit if they reopen during the ongoing pandemic. But the authors used aggregated anonymized phone location data from April 2019, which tells us very little about the current situation, this piece argues. (Adi Robertson / The Verge)
COVID-19 conspiracy theorists are still getting millions of views on YouTube. They’re using collaborations and interviews to skirt YouTube’s attempts to crack down on health misinformation. (We’ll be talking about the viral “Plandemic” video next week if you want to do some homework over the weekend.) (Abby Ohlheiser / MIT Technology Review)
Clearview AI — the controversial face-tracking company known for scraping more than 3 billion photos from platforms like Facebook and Twitter — has ended its relationships with private companies. The news comes amid intense regulatory scrutiny and several potential class action lawsuits. (Ryan Mac, Caroline Haskins and Logan McDonald / BuzzFeed)
Lyft is now requiring drivers and riders to wear face masks during rides. The company also said it will begin giving cleaning supplies and masks to drivers as part of a new health initiative. (Megan Rose Dickey / TechCrunch)
A new cyberattack tool called Aria-body has been traced to the Chinese military. It’s been used against governments and state-owned companies in Australia and Southeast Asia. (Ronen Bergman and Steven Lee Myers / The New York Times)
⭐ Zoom acquired Keybase, an encryption and security service meant to serve as a secure home for your online identities. The acquisition will quickly add a team of security-focused developers to Zoom, which has been widely criticized in recent weeks over its lapses in security. Jacob Kastrenakes at The Verge has the story:
The Keybase team is supposed to help Zoom build end-to-end encryption for its videoconferences “that can reach current Zoom scalability.” Zoom has been working on building true end-to-end encryption for videoconferences since coming under criticism over the last month for making its calls incorrectly appear to be fully encrypted. The company plans to publish encryption designs on May 22nd, but there’s no specific timeline for when the feature will be finished.
New York City is allowing schools to use Zoom for remote learning after the company agreed to create a customized version of the platform specifically for the city’s education department. The city had previously banned the software due to security concerns. (Alex Zimmerman and Christina Veiga / Chalkbeat)
Also: Zoom, Xoom, Züm: why does every startup sound so fast now? (Erin Griffith / The New York Times)
Facebook is letting most employees work from home through end of 2020. Employees who need to come in to do their jobs will be able to do so starting on July 6th. (Salvador Rodriguez / CNBC)
Related: Facebook is also suspending promotions for corporate employees for the rest of the year. The news comes a week after the company announced a “steep decrease” in ad sales during March. (Alex Heath / The Information)
Google affiliate Sidewalk Labs pulled out of Toronto’s smart city development project due to economic concerns brought on by the current pandemic. The news comes after two and a half years of controversy over the project’s origins, overreach, and privacy and financial implications.
Popular iOS apps from major companies like DoorDash, Spotify, TikTok, and Venmo suddenly starting crashing yesterday due to an issue with the software development kit (SDK) from Facebook. The problem, which Facebook quickly fixed, illustrates the scope of the social network’s platform. Also it broke Spotify on my Sonos system for like 12 hours! (Nick Statt / The Verge)
A glitch on Instagram’s iOS app allowed people to post extra-long images to their feeds. Instagram normally limits portrait photos to roughly the size of your screen. The company has sadly now fixed the issue. (Jacob Kastrenakes / The Verge)
Google added a new feature to Google Lens, its multipurpose object recognition tool. You can now copy and paste handwritten notes from your phone to your computer, though it only works if your handwriting is neat enough. So, not mine, probably. (James Vincent / The Verge)
Google is unifying all of its messaging and communication apps under a single team. Last year, the company hired Javier Soltero to be the VP and GM of G Suite, its set of office apps, as well as Google Meet and Google Chat. Soltero built a well liked email app called Accompli that was acquired by Microsoft, after which he turned it into the company’s Outlook app. If anyone can fix Google’s communications products, it’s him. (Dieter Bohn / The Verge)
Twitch is developing talk shows and dating programs for gamers. The company plans to fund a slate of original, unscripted series that would be live and interactive, airing two to three times a week. (Lucas Shaw / Bloomberg)
The pandemic-induced nostalgia for Turntable.fm may hint at what could be a new normal for gathering together online. Unless it’s a passing fad. (Jack Denton / Vice)
The Tumblr aesthetic of 2014 is all over the internet. Thank god! (Rebecca Jennings / Vox)
Tinder is now testing live in-app trivia. The test will be rolling out to an undisclosed percentage of users and is designed to help Tinder experiment with live video while also matching people up. It beats the app’s current user experience of just trading “hey” back and forth with a match until both of you die. (Ashley Carman / The Verge)
Things to do
Stuff to occupy you online during the quarantine.