Buzz
We all recognize that this is a massive overstatement of what's really happening. Still, this doesn't stop some from sharing wildly inaccurate information on social platforms. Here's an example of how the post usually reads:
Just a heads up: there's a claim going around that a hidden ‘COVID-19 sensor’ has been secretly embedded in every smartphone. Apparently, during the phone disruptions earlier this week, they were quietly installing a COVID-19 tracker into our devices.
If you own an Android device, go to your settings, navigate to Google settings, and check if it's there.
If you're using an iPhone, head to settings, privacy, and then health. You'll find it there, though it's not yet fully operational. The app can alert you if you've been close to someone who has reported having COVID-19.
Don’t activate it, as you'll be tracked wherever you go. However, after updating your phone, this feature will be automatically enabled on your device.
Let’s start with the most obvious advice: If you're worried about companies tracking your location, I have unfortunate news. Your device, its apps, and services are specifically designed to track your movements, actions, and use that information to show you more personalized ads and content. This has been discussed extensively, and it’s widely recognized that companies employ various methods to determine who you are, where you are, and what you're doing on your device—or even online. This is the price you pay for using free services.
If privacy is your main concern, your focus shouldn't be on things like coronavirus-related apps. You might want to consider switching to a simpler phone, or at the very least, take steps to limit how much personal information you share through your device’s settings. Although this won’t completely stop companies from collecting data on you, it will minimize what they can access and, at the very least, offer you some peace of mind.
How the Exposure Notifications API truly functions.
Let’s return to the topic of COVID-19. No, your smartphone doesn't come with a COVID sensor or a built-in COVID tracker. However, what it may have, through updates to its operating system, is a new API for exposure notifications. And if you have this feature enabled, and only this feature, your privacy hasn't really changed since before the pandemic.
Let's dive a little deeper. To use the Exposure Notifications API, your device needs to run at least iOS version 1 or Android Marshmallow (version 6). On its own, it’s harmless. Google and Apple aren't using it to determine if you’ve contracted the coronavirus through your texts, health data, emails, or any other conspiracy theories floating around. Likewise, the government isn't using your phone to monitor your health or track your precise movements. (At least, I hope not.)
To actually use the Exposure Notifications API, you'd have to download an app that accesses it. Without this, the API does nothing by default. Right now, only a limited number of these apps are available in the U.S., and they’re region-specific. In other words, it won’t do much for you in California if you, say, download and install Virginia’s app that utilizes the API.
Even if you did download the app for your area, you still need to opt-in and grant it access to the API. Once you do that, your phone can notify you when other users of the API are nearby. That may sound a bit like “omg scary location tracking ahhghuhgh1!1!,” I know, but let’s break down what that really means. As Google explains:
“This technology only works if you choose to opt-in. And if you change your mind, you can disable it at any time.
The Exposure Notifications System doesn't track or use your device's location. Instead, it uses Bluetooth technology, which can detect when two devices are nearby—without disclosing the location of either device.
All the Exposure Notification matching happens directly on your device. The system does not share your identity with anyone, including other users, Apple, or Google. If public health authorities need to contact you for further guidance, they may request additional information, such as a phone number.
Only apps from public health authorities will be granted access to the technology. These apps must meet strict standards for privacy, security, and data usage.
Naturally, those spreading misinformation on social media probably aren’t interested in hearing directly from the companies behind the exposure-notification API about how it actually works—given how conspiracy theories tend to spread. But that’s exactly how it functions.
Downloading an app that uses the API doesn't send your location to a vast database used for tracking your movements; there won't be any armed doctors showing up at your door to force-feed you hydroxychloroquine. Your health insurance rates won't mysteriously increase because somehow, somewhere, someone discovered you’ve had contact with someone who tested positive for coronavirus.
What happens when someone gets COVID-19, including you.
If you're in contact with someone who has COVID-19, here's how you’ll be notified and what data may be shared:
“Once you opt-in to the Exposure Notifications System, your device will generate random IDs. To enhance privacy, these random IDs change every 10-20 minutes on your phone.
Your phone runs in the background, sharing these random IDs through Bluetooth with other devices that also have Exposure Notifications enabled. When your phone detects a random ID from another device, it saves and records the ID on your phone.
If someone reports having COVID-19 and their ID is stored on your device, your app will notify you with instructions on the next steps to take.”
“Public health authorities determine the factors that could indicate possible exposure.
If your app detects that you've been in contact with someone who reports themselves as having COVID-19, the system may share details with the app, such as:
The date the contact took place.
The duration of the contact.
The Bluetooth signal strength during that contact.
Your public health authority app is restricted from accessing your phone's location.
The Exposure Notifications System doesn’t track your location or share personal information with the app, Google, or Apple.
If you happen to be infected, it is your responsibility to report this status in the app you're using. You can choose not to say anything, uninstall the app, or do whatever you feel is best. Ultimately, it's about your personal ethics—your health provider won’t disclose your status or send your real-time location data to others using your state’s contact-tracing app.
(It might sound far-fetched, but I’m anticipating the “they’re spying on meeeee” crowd.)
And self-reporting your status isn’t as simple as just tapping a button to declare 'I have COVID'—at least, not in apps that care about being genuinely useful to the public. As Virginia’s COVIDWISE states:
“Laboratory results for individuals who test positive for COVID-19 are sent to [Virginia’s Department of Health]. This process is separate from the app. Our team follows up with those reported as positive, based on the details in the laboratory report. As a courtesy to all app users, VDH will confirm positive tests and assign a personal identification number (PIN) to COVIDWISE users. You must use this PIN to report a positive result to the app. This prevents individuals from falsely reporting positive results, which could lead to misleading exposure notifications. VDH wants all app users to trust that any exposure notification received through the app is a legitimate event.”
Most people probably won't use contact tracing on their phones anyway.
So, that’s about it. While there are valid concerns around smartphone privacy, I don’t believe the Exposure Notifications API is the major issue to focus on. Also, I don’t think this will become that significant going forward, as there’s no universal requirement for everyone to use their phones to help reduce COVID-19 exposure.
But even that leads to a tricky privacy dilemma. While I'd love it if Google and Apple made this API mandatory on all phones and even launched a corresponding (privacy-conscious) app on everyone's devices during this ongoing pandemic, that could raise concerns. Although the intention would be for the common good, it might still feel like an intrusion. I’d understand a collective worry, even one rooted in a misunderstanding of how the technology works, about mandatory digital tracking to fight extreme coronavirus stupidity.
Of course, we allow all kinds of apps to collect data from our devices on a regular basis, and most people don't seem too concerned about it. Maybe I’m being overly cautious, and a contact-tracing API and app wouldn’t be any more worrisome than a new social network or trendy game. If those don't raise privacy alarms, why would you be so concerned about something designed to keep you safe and healthy?
