Why are Google and Apple dictating how European democracies fight coronavirus? | Ieva Ilves

By Ieva Ilves

The Covid-19 pandemic has led to a rush by governments, private companies and digital startups to harness and develop the latest technologies in the fight against the spread of the virus.

To best meet public health needs, digital technology should be able to trace the spread of the virus, identify dangerous Covid-19 clusters and limit further transmission. The essential goal is to register contacts between potential carriers and those who might be infected. This has led to tech solutions using smartphones to perform the otherwise arduous and labour-intensive task of “contact tracing” – determining who has come into contact with a disease carrier and what should be done when a person has had that contact.

Latvia has some of the lowest Covid-19 infection and mortality rates in the EU, thanks to aggressive and intensive manual contact tracing. Latvia ranks high for smartphone use, so it was natural that we would leap at the opportunity to reduce the manual workload with the help of a smartphone app. 

Yet when it came to transferring our successful manual tracing methods to the digital realm, we ran into a brick wall. As a member of the team that built our contact-tracing app, I represent the Latvian government in discussions with Apple and Google, whose technology the app uses. In negotiations I have come to realise that much of the public discussion on contact tracing has been oversimplified, with major implications for our health and for health institutions fighting the virus.

A debate has been raging as to where the data from contacts is stored – either on the user’s phone, presumably guaranteeing privacy, or with the national health authority once a user tests positive for coronavirus and might have exposed others to it. This distinction has been labelled a conflict between centralised versus decentralised storage of contact information.

This is the wrong debate. The misconception comes with the term centralised, as if all interactions and contacts between app users were going to be stored in a government-associated server. This has never been the case. What governments need an app to do is to mirror what public health authorities do anyway in the analogue world: manually trace contacts between infected individuals and people with whom they come into contact.

In the manual version authorities do not reveal the identity of the infected person, be they a bus driver or a secret lover, nor do they explore the nature of the contact. The same approach ensuring privacy and data security can be achieved in the digital world. It does not have to be a binary choice. The data collected and used for a limited time by the national disease-control body in a democratic country does not have to be shared with law enforcement or sold to a third-party advertiser – as is true for all data gathered manually. 

Testers in Riga check Latvia’s Stop Covid app
Testers in Riga check Latvia’s Stop Covid app. Photograph: Ints Kalniņš/Reuters

The two real issues with contact-tracing apps are whether a digital app can be used to do what many governments do in the real world and, even more important, who decides what public health experts can do with an app. 

Governments in Europe currently have no say if they wish to access top-notch technology or ensure its best interoperability. Google and Apple, two US companies headquartered 10 miles apart in Silicon Valley have designed a well-intentioned framework – an application programming interface (API). This ensures the exchange of a Bluetooth signal and records the contacts that can later be translated into Covid-19 exposure notifications, should a carrier test positive.

Acknowledging the intrusive power of the tool, and the potential for malicious abuse of it, Apple and Google have set preconditions for accessing its contact-tracing framework. The companies will allow only one app per country, approved by its government or its national health authority, but they will not allow a country’s disease-control authority to connect the dots that are critical for analysing data. Manually Latvia’s disease-control authority will call a coronavirus-positive patient, query their contacts to determine the potential exposure, inform those people of a risk, follow up on further developments and build “the tree” of virus spread. The Google-Apple approach will not allow the sole and official “national app” to establish the connection between contacts and carrier.

Do Google or Apple get to tell a democratically elected government or its public health institutions what they may or may not have on an app? 

This becomes a serious issue in two respects – one epidemiological, the other financial and political. Epidemiologically, without knowing the nature of the contact it is not possible to build a model of contacts, whether they are serious spreaders or those who have tested positive yet are asymptomatic. The absence of transmission data limits the scope of analysis, which might, in the future, give freedom to people who can work, travel and socialise, while more precisely targeting others who risk spreading the virus. 

The economic and political issue has to do with the real situation on the ground when an app notifies the user of a potential contact. Should that person quarantine themselves for two weeks and bear the financial consequences of not going to work? Should someone potentially exposed to the virus be directed to immediate and government paid-for testing or be asked just to monitor symptoms?  Without knowing the nature of the contact, an automatic quarantine becomes an enormous financial burden on social security agencies and ultimately on the government that has approved the app. Had Google and Apple aimed merely to provide an information tool that anyone could develop for their safety, rather then asking governments or health authorities to validate and own one app per country, there would be no expectation about making the tool conform to national health requirements.

From the user perspective there is also the problem of informed consent. Will anyone seriously quarantine themselves for two weeks based on an app notification? Without a firm understanding of the nature of the contact that put them at risk, it is unlikely. According to the experience of Latvia’s disease-control authorities, most people exposed to the virus are willing to cooperate and seek the best solution, but this requires an informed conversation.

The immediate goal for governments and tech companies is to strike the right balance between privacy and the effectiveness of an application to limit the spread of Covid-19. This requires continuous collaboration between the two with the private sector, learning from the experience of national health authorities and adjusting accordingly. Latvia, together with the rest of Europe, stands firm in defending privacy, and is committed to respecting both the individual’s right to privacy and health while applying its own solutions to combat Covid-19.

In the long run, however, this poses a far more fundamental question: how much can the decisions of sovereign democratic countries be overruled by technology companies?

The Covid-19 pandemic has brought this question to the fore for the first time. It will not be the last.

Ieva Ilves is an adviser to the president of Latvia on information and digital policy