There’s a growing problem with Apple’s role in the contact-tracing apps that countries are developing to help fight the coronavirus pandemic. This has been underlined by the UK’s announcement that its long-awaited NHSx app is being parked in favour of a different model recommended by Apple and Google.
Apple is effectively dictating to governments the privacy levels that their contact-tracing apps must meet. Unless apps meet Apple’s requirements, they can’t get access to Bluetooth in the background on users’ phones, which is essential for the apps to work properly (Google takes a more laissez-faire approach, without these restrictions).
Apple’s approach arguably fits a wider narrative about the company being heavy-handed in determining what apps are allowed on iPhones. The company has just been made the subject of an EU antitrust investigation for similar reasons. There are also limitations to the alternative Apple/Google model that could make contact-tracing apps less effective.
What Apple wants …
Contact-tracing apps aim to prevent the spread of the coronavirus by monitoring who a person comes into contact with. If any contact is likely to be infected, the app triggers a warning telling the user to self-isolate and get tested. Such apps have already launched in numerous countries.
The UK’s approach had been to hold the data used by the app to determine who is probably infected in a central database. But this fell foul of Apple’s restrictions, which favour keeping the data on people’s phones instead – the so-called decentralised model.
As UK Health Secretary Matt Hancock said, the NHSx app might have worked but for Apple’s unwillingness to negotiate on the restrictions. Developers also have to contend with a special addendum to the App Store’s standard legal agreement.
Apple did not reply to requests for comment in time for publication. Google welcomed the UK announcement and said that its approach had been developed “based on consultation with public health experts around the world, including in the UK, to ensure that our efforts are useful to authorities as they build their own apps to limit the spread of COVID-19, while ensuring privacy and security are central to the design”.
Apple’s restrictions have meant that the UK’s intended app could only recognise around 4% of iPhones in some circumstances. Google supports the same decentralised approach, but only Apple insists on it by preventing users from installing apps on an iPhone unless they come from the App Store. Absent the same restrictions on Android phones, the app was recognising users around 75% of the time.
Google and Apple have justified their restrictions as being to protect user privacy. And, indeed, privacy advocates favour their model. Privacy is certainly pivotal to user confidence in contact-tracing apps, but it’s less clear where the line should be drawn.
There are important limitations to the Apple/Google approach. For one thing, it doesn’t allow apps to share the type of phone each person uses. The NHSx app used this to more accurately estimate the distance between people, to reduce false-positive alerts. The decentralised system sends alerts only after a user has reported that they have tested positive for the virus. Unlike centralised apps, it can’t base alerts on factors like the modelled risk from an infectious individual, which draws on information about symptoms users have been reporting through the app.
Waiting on a confirmed test result might well be too late to prevent the virus from spreading. The virus is believed to have a median incubation time of around 5.1 days, and scientists believe that people may be contagious from around two days before they experience symptoms, and at their most contagious before symptoms begin.
The bigger picture
For a tech company to be telling a government what to do is an interesting sign of our times. France, too, clashed with the iPhone operating system maker. In the end, it launched a centralised app earlier in June that destroys all information held after 14 days. The French app doesn’t have access to Apple’ background Bluetooth system either, despite their attempts, so we will see how well it performs.
Privacy is undoubtedly important, but this situation raises wider questions about tech companies in modern life. Much of the EU’s new anti-trust investigation into Apple relates to how the company charges a cut of up to 30% for payments on the App Store to the third-party apps it carries. These compete with apps that Apple itself makes, on the platform whose rules it sets.
With contact-tracing apps, Apple won’t be charging developers for access or really making any money from them. But like with third-party apps more generally on the App Store, Apple acts as a gatekeeper. If you want to make an app available to the 51% of UK smartphone users with iPhones, you have to do what Apple says. Even if you’re an elected government amid a pandemic.
There has been much discontent among app developers about Apple’s level of control over access to the App Store, and what some perceive as subjective and inconsistent application of the rules. Much recent focus has centred on an email service called Hey, which drew attention to these issues after being threatened with removal from the store.
In the end, the situation has been resolved after Basecamp launched a free “lite” version of Hey on iPhones, which encourages Mac users to download a paid-for version from the company’s website. This chimes with how many providers, notably Spotify and Netflix, get around the Apple payments rule by not allowing customers to either make orders or sign up for paid services on the iPhone app.
Dictating terms to companies is one thing; dictating to countries during a global pandemic is another. Apple’s position may be about preserving users’ privacy, but the timing is unfortunate when some of its restrictions on third-party apps are to be investigated by the EU.
The UK government says it will try to work with Apple and Google to improve their model of tracing, with an app now potentially only coming in winter. But given some of the inherent limitations of the decentralised model compared to the NHSx approach, it remains to be seen how effective this will be – especially if some key advantages are lost through requiring coronavirus tests, and not being able to model the risk to individual users to make alerts more accurate.
Greig Paul is a member of the UK 5G Security Group.