PRIVACY BEAT: What surveillance might be possible with Apple and Google backing Bluetooth ‘contact tracking’?

Privacy Beat

Your weekly privacy news update.

COVID-19 AND PRIVACY

What surveillance might be possible in the future with Apple and Google backing of Bluetooth ‘contact tracking’ as their part in curbing COVID-19 spread?

Your smartphone may soon include new technology that could someday allow you to invite marketers to reach you with offers, or the government to seek data on where you’ve been — the result of today’s urgent desire to curb COVID-19.

Apple and Google said on Friday they will both adopt an open specification in their phone operating systems that will use Bluetooth signals to take note of other participating phones that recently passed within a few feet of you. 

“Contact tracing” has been around for a while, but the two tech giants said they would adapt it as a method for health authorities to alert people who have been near a person who turns out to be infected with COVID-19. But it is not hard to imagine other uses for the technology, once it is embedded — starting as early as summer — in every major phone operating system.

The design is based on open-source code developed by volunteers at a project called COVID-Watch, which says it is affiliated with Stanford University. Its website lists at least 16 contributors, by name. An FAQ page explains who they are and defines contact tracing. They say they are beta-testing an app.

Here’s how the Apple-published spec says it works, if you agree to turn it on:

  1. Your phone keeps an encrypted record of every similarly-enabled phone that you pass close to — say 6-10 feet. 

  2. If the owner of one of those phones is subsequently diagnosed with COVID-19, and agrees to have their health provider alert the system, the system pings every participating phone, including yours.

  3. If your phone finds a match in its locally stored record of phones that have been near you, you get a message warning that you may have been exposed to COVID-19, and what to do.

Simple enough for that application. But what else could it be used for? Imagine that, instead of a person’s phone leaving a data point showing that you have passed near each other, a particular location sent a contact record.

  • A store you’ve been near in the past could send you an offer 

  • A government agency could seek authority to learn where you’ve been and when 

The joint Apple-Google news release, and related specifications (1), (2), (3), described complicated methods of timing-out, rotating and encrypting phone IDs to enhance privacy. So, in theory, such uses would be impossible without end-user consent.
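
As an added illustration (not code from Apple, Google or COVID-Watch), the sketch below simulates the three steps listed above together with the rotating phone IDs described in the specifications. The HMAC-based derivation, the 10-minute rotation interval and the names Phone and rolling_id are simplifying assumptions, not the published key schedule.

```python
import hashlib
import hmac
import os

ID_LEN = 16              # bytes per broadcast identifier (assumption)
INTERVALS_PER_DAY = 144  # one new identifier every 10 minutes (assumption)

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the identifier a phone broadcasts during one interval of a day."""
    msg = b"rolling-id" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:ID_LEN]

class Phone:
    def __init__(self, name):
        self.name = name
        self.daily_keys = {}  # day -> secret key, never broadcast
        self.heard = set()    # identifiers observed nearby, kept on the device

    def broadcast(self, day, interval):
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_id(key, interval)

    def observe(self, identifier):
        self.heard.add(identifier)  # step 1: record nearby phones

    def report_diagnosis(self, days):
        """Step 2: keys the owner agrees to publish after a diagnosis."""
        return [self.daily_keys[d] for d in days if d in self.daily_keys]

    def check_exposure(self, published_keys):
        """Step 3: re-derive identifiers from published keys, match locally."""
        return sum(
            1
            for key in published_keys
            for i in range(INTERVALS_PER_DAY)
            if rolling_id(key, i) in self.heard
        )

def simulate():
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    # Constructed encounters: bob is near alice for two intervals on day 1.
    for interval in (50, 51):
        bob.observe(alice.broadcast(day=1, interval=interval))
    carol.observe(bob.broadcast(day=1, interval=50))  # carol only meets bob
    # Without alice's key, her two broadcasts cannot be linked to each other.
    linkable = alice.broadcast(1, 50) == alice.broadcast(1, 51)
    published = alice.report_diagnosis(days=[1])      # alice tests positive
    return bob.check_exposure(published), carol.check_exposure(published), linkable

if __name__ == "__main__":
    print(simulate())
```

In this model the only data that leaves a phone is the set of daily keys a diagnosed user chooses to publish; the list of identifiers a phone has heard is never uploaded, and matching happens on the device.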

In their story on The Verge, Russell Brandom and Adi Robertson write that the contact-tracing method has potential weaknesses. “In crowded areas, it could flag people in adjacent rooms who aren’t actually sharing space with the user, making people worry unnecessarily,” they write. “It may also not capture the nuance of how long someone was exposed…”

Prior to the Apple-Google announcement, the American Civil Liberties Union published a white paper raising concerns about contact tracing. And the Electronic Frontier Foundation has a current primer on it, too.

NEWS AND COVID-19 (See QUOTE OF WEEK, below)

CCPA WEEK FIFTEEN

By April 21, CCPA ver. 2.0 must have 623,000 valid signatures; a deep-dive look by Protocol at the politics of privacy shows what’s at stake for Mactaggart

A deadline of April 21 is looming that could have a huge impact on privacy regulation in California and the United States. That’s the date by which supporters have to show they have at least 623,000 valid signatures on petitions to put a proposed California Privacy Enforcement Act on the November ballot in that state. (Annotated version)

A lengthy story by the news website Protocol provides an unusually detailed look at the lobbying and deal-making around the fresh initiative on the California ballot in November to change the California Consumer Privacy Act (CCPA) just months after it takes effect. The new initiative is 51 pages.

The story by Issie Lapowsky, published Feb. 6, quotes CCPA initiator Alastair Mactaggart and says that he is being courted by Google, Facebook, Microsoft, the advertising industry, and others seeking changes in CCPA. In the story, entitled “Inside the closed-door campaigns to rewrite California privacy law, again,” Lapowsky says there is one thing Mactaggart is unyielding on — the idea of consent.

“A whole bunch of businesses didn’t love our definition of ‘consent’ because now consent really means you actually want to give your consent. Too bad. We kept it in,” said Mactaggart of the ballot initiative.

The reason Mactaggart has leverage is this — with the original CCPA in 2019, Mactaggart’s ballot initiative so freaked out data brokers and the ad-tech world that they agreed instead to support legislative passage and enactment of a privacy-weaker CCPA in exchange for Mactaggart agreeing to withdraw the privacy-intense ballot initiative. Mactaggart said at the time he didn’t want to go through a bruising, multi-million-dollar public lobbying campaign over the initiative.

Mactaggart has the same leverage this time — because polls show an overwhelming majority of California voters would approve a privacy-focused ballot initiative. Once the April 21 signature deadline is passed, Mactaggart can horse-trade again until June 25 — the deadline after which the initiative could not be pulled from the November ballot.

ADVERTISING AND TECH 

Three accounts detail why Twitter made a bad choice on privacy — it was costing serious advertising dollars 

Twitter isn’t commenting in detail on a fresh change it’s made to boost advertising revenue at the expense of consumer privacy choice. An Aug. 5, 2019, change Twitter made in settings — relatively obscure to users — apparently had a big effect on the platform’s advertisers. This week, two stories and a blog post by the Electronic Frontier Foundation explain.

“Twitter has removed a privacy feature that allowed all users to stop sharing some private information with advertisers,” writes Jacob Kastrenakes at The Verge. Twitter said the change helps it to “continue operating as a free server” by helping prove to advertisers that its ads are being seen.  “The availability of ad data has had a big impact on Twitter’s earnings in the past,” Kastrenakes wrote.

Twitter’s privacy practices on this point will now give European Union residents more privacy than in the United States and the rest of the world, because of the General Data Protection Regulation (GDPR), wrote Garrett Sloane, at Advertising Age. 

The 2019 change, a bug fix, wasn’t appreciated by advertisers, wrote Bennett Cyphers of the Electronic Frontier Foundation. “And Twitter announced a substantial hit to its revenues after fixing the bugs.”

Public email list discussion about user privacy signaling now involves NY Times, Wash Post engineers; may become formal W3C topic

A Privacy Community Group of the World Wide Web Consortium (W3C) may be asked to take up a discussion of whether web sites should be required to honor a “do not sell my information” signal sent automatically by a consumer’s device.  Advertisers don’t want to have to do so (See Privacy Beat, April 3).

A public mailing-list discussion among technologists for the Interactive Advertising Bureau Tech Lab (IAB), the Washington Post and a computer-science professor at Wesleyan University is underway at the W3C Privacy Community Group. Another key issue under discussion is whether first-party cookies can be used to store and understand the privacy signals sent by consumers. “Instead, an HTTP header-based solution (similar to “Do Not Track”), may be a better alternative,” writes Wesleyan’s Sebastian Zimmeck. “One could also think more broadly of a privacy registry, similar to the “Do-Not-Call registry.”

With all the email back and forth, Zimmeck wrote this week that he will probably propose the starting of a formal “standards” discussion as part of the W3C’s Privacy Community Group.

An ad-engineering director for the Washington Post offers in another post to talk about the privacy-signaling ideas they are considering. “We’re very interested in the CCPA conversation and have been pushing for a browser-level signal that works with the IAB’s proposed approach, as the law calls for such a signal to be supported,” writes Aram Zucker-Scharff, the Post engineer.

A data-governance standards engineer at The New York Times is also engaged in the W3C mailing-list discussion. The engineer, Robin Berjon, says “third-party data controllers are a thing of the past,” adding, “The idea that we had third parties able to covertly observe and recognise users across contexts, and furthermore make independent use of that data for their own purposes is a bug that goes against the interests of both users and publishers, and to the extent that browsers supported that they were failing to honour the priority of constituencies.” Berjon suggests a three-tiered approach to privacy.

QUOTE OF THE WEEK

“Community-specific news has never been more important to ensuring people’s well-being”

“Community-specific news has never been more important to ensuring people’s well-being, yet many outlets will not survive COVID-19 without immediate economic help. Since the onset of the coronavirus pandemic, local news outlets have been providing indispensable, real-time updates on information imperative to safeguarding America’s communities. Fact-based reporting on local “shelter-in-place” orders, business closures, testing sites, school policies, government aid and health services are just a few of the areas in which national media coverage cannot replace community reporting.”

– Excerpt from April 8, 2020, letter sent to congressional leaders signed by 45 free-press groups

ABOUT PRIVACY BEAT

Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to newsletter@itega.org

Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.
