On April 22, Utah Governor Gary Herbert announced the beta release of an app that will help the state trace the contacts of those infected with Covid-19. Known as Healthy Together, the app will also allow Utahns to track their symptoms and find their nearest testing center—a strategy called “test and trace.” People with symptoms get directed to the nearest health clinic for a coronavirus test. If a person tests positive, public health officials will be able to access a list of all the people who came into close contact with that person.
But the app’s methodology—using GPS, location data, and Bluetooth to identify contacts—goes beyond what both tech companies and civil rights groups like the ACLU and the Electronic Frontier Foundation think is necessary for effective contact tracing.
The government of Utah partnered with Twenty, a social network, which built the platform for the app. Both would have access to app users’ personally identifiable information. “Public health officials and a limited number of development employees with Twenty Holdings, Inc. will have access to your name, phone number, and location data for COVID-19 tracing purposes only,” states Utah’s website.
In May, Apple and Google plan to release an application programming interface (API) that public health authorities can use to build similar apps. But they chose to use Bluetooth only, which, while not perfectly secure, can allow for anonymized tracing based on two phones’ proximity rather than a single user’s location. According to the tech companies’ draft guidance, they will strictly limit the information that public authorities can see, attempting to protect the identities of those who test positive. The amount of information requested by Healthy Together, by comparison, steps outside that guidance.
“These apps should not collect personally identifiable information about users, such as name or phone number,” wrote Adam Schwartz, a senior staff attorney at EFF, in an email to Quartz. “To the greatest extent possible, these apps should store the information they collect on the user’s own device, and not on servers run by the government or the app developer. Tracking apps that collect and share too much private information will be used by fewer members of the public, which will diminish the effectiveness of such apps.”
Under a frequently asked questions section on its website, Utah justified its decision to release a contact tracing app that would go beyond Apple and Google’s guidelines. Location and GPS data, it says, would help officials build maps of “transmission zones” that could paint a picture of how and where the disease is spreading. “Bluetooth on its own gives a less accurate picture than Bluetooth and GPS location data. The goal of Healthy Together is to allow public health officials to understand how the disease spreads through the vector of people and places, and both location and Bluetooth data are needed to accomplish that,” the website says.
One major contact tracing platform being built in the US uses a mix of Bluetooth and GPS data as well. MIT’s SafePaths Private Kit uses a hybrid to create heat maps. But it restricts government agencies from viewing an individual person’s location trails, and has other privacy protections in place.
Since Healthy Together isn’t using Google and Apple’s (as yet nonexistent) API, it’s under no obligation to follow the companies’ guidance. And given that Healthy Together asks users for permission to use their location data, it’s unlikely Google and Apple will boot the app from their platforms. But the tech firms can restrict Healthy Together from running Bluetooth in the background. Meanwhile, iOS and Android give users control over how often apps can access location data in the background.
“Any implementation that doesn’t use (…Apple’s) framework on iOS is likely not going to accurately work and potentially miss many contacts between people,” wrote Quentin Zervaas, an iOS developer, in a message to Quartz.
Utah isn’t the only government that wants more data than Google and Apple are willing to share for the sake of tracking the Covid-19 pandemic. Some public authorities believe that Google and Apple’s privacy-focused intentions will keep them from understanding how the virus spreads. Officials won’t be able to see a list of each person an infected person comes in contact with, or view the data in the aggregate to get a better understanding of high-risk areas. Both the NHS in the UK and the government of France have built apps that don’t follow the companies’ protocols, and are currently sparring with the tech firms.
A press spokesman for Twenty confirmed that its platform is only being used by Utah, but the Healthy Together website has a section named “For States”, implying that the platform is looking to roll out its app in other states.