Pull up Facebook, assuming you still use it, and type “COVID-19 sensor” into the search bar. This should show you a list of public posts where people — a not-so-small number of people, mind you — swear up and down that their phones were recently updated with a “COVID-19 tracker” that can tell them when they’ve been near an infected person.
We all know that’s a pretty big exaggeration of what’s actually happening, but that never stopped anyone from posting something stupid on social media, so here we go. The full text of the copy-and-paste job tends to look like this:
FYI: Do you know that a ‘COVID-19′ sensor has been inserted secretly into every phone. Apparently when every one was having a phone disruption earlier this week, they were adding COVID -19 tracker to our phones
If you have an android phone, go under settings, then look for Google settings and see if it’s there.
If you are using an IPhone, go under settings, privacy, then health, it’s there but not yet functional. The app can notify you if you’ve been near someone that have reported having COVID-19.
Don’t turn it on because you will be tracked everywhere you go but once you update your phone, it will automatically be turned on on our phones.
Where to begin. I think I’ll start with the most obvious advice: If you’re concerned about companies tracking your whereabouts, I have bad news for you. Your device, your apps, and your services are explicitly designed to figure out where you are, what you’re doing, and how that can be used to serve you more relevant advertising and content. We’ve covered this extensively, and it’s well-known that companies have a variety of tools at their disposal to get a rough sense of who you are, where you are, and what you like to do on your device — if not the internet at-large. That’s the price you pay for all the free services you enjoy.
So, if you’re super-concerned about privacy, your first thoughts shouldn’t turn to all things coronavirus. You should probably switch to a dumber phone or, at the very least, do everything you can to lock down your device’s settings so you’re sharing as little about yourself to these companies. That won’t stop them from still gleaning information about you, but it’ll at least lessen what they can do and, if nothing else, make you feel a little bit better.
How the Exposure Notifications API really works
Now, back to COVID-19. No, your smartphone doesn’t have a COVID sensor or a built-in COVID tracker. What it could have, via updates to the operating system, is a new API for exposure notifications. And if you have that on your phone, and only that, nothing has really changed about your privacy between now and pre-pandemic times.
Let’s dig a bit deeper. The Exposure Notifications API requires your device to run at least iOS version 13.5 or Android Marshmallow (version 6). It’s innocent by itself. Google and Apple aren’t using it to sleuth out if you’ve been infected by the coronavirus — via your texts, your health information, your email, or whatever other conspiracy theory is out there. Nor is the government tapping into your phone to learn about your health or track your precise movements. (I hope.)
To make use of said Exposure Notifications API, you would need to download an app that taps into it. Otherwise, the API doesn’t do anything by default. Right now, only a handful of these apps are available in the U.S., and they’re all tied to specific geographies. In other words, it won’t do your California self very much good to, say, download and install Virginia’s app that makes use of the API.
But even if you did download an app for your location, you still have to opt-in to grant said app access to the API. If or when you do, then your phone will be able to notify you when others using the API are nearby. That sounds a bit like “omg scary location tracking ahhghuhgh1!1!,” I realise, so let’s unpack what that means. As Google describes:
- “This technology only works if you decide to opt-in. If you change your mind, you can turn it off at any time.
- The Exposure Notifications System does not collect or use the location from your device. It uses Bluetooth, which can be used to detect if two devices are near each other — without revealing where the devices are.
- All of the Exposure Notification matching happens on your device. The system does not share your identity with other users, Apple, or Google. Public health authorities may ask you for additional information, such as a phone number, to contact you with additional guidance.
- Access to the technology will be granted only to apps from public health authorities. Their apps must meet specific criteria around privacy, security, and data use.”
Of course, people posting junk science on social media probably aren’t interested in hearing one of the very companies responsible for the exposure-notification API talk about how it works — conspiracy theories being what they are. But that is, indeed, how it works.
Installing an app that uses the API doesn’t suddenly send your location to a giant database that is then used to track your whereabouts; armed doctors won’t kick down your door and shove hydroxychloroquine pills down your throat. Your health insurance won’t suddenly spike your rates because somehow, mysteriously, they found out that you have, or have been exposed to, coronavirus.
What happens when someone has COVID-19, including you
If you come into contact with someone who has COVID-19, here’s how you’ll be notified and what data might get shared:
“Once you opt-in to the Exposure Notifications System, it will generate random IDs on your device. To help prevent tracking, your phone’s random ID changes every 10-20 minutes.
Your phone works in the background to share these random IDs via Bluetooth with the phones around you that also have Exposure Notifications on. When your phone detects a random ID from another device, it records and stores the ID on your device.
If someone reports having COVID-19 and their ID is stored on your phone, your app will notify you of next steps to take.”
“Government public health authorities determine which factors might indicate exposure.
If your app learns that you’ve come in contact with someone who reports themself as having COVID-19, the system may share information with the app, including:
- The day the contact happened.
- How long the contact lasted.
- The Bluetooth signal strength of that contact.
Your public health authority app is not allowed to use your phone’s location.
The Exposure Notifications System itself does not use your location or share other users’ identities with the app, Google, or Apple.”
If you are infected, you’ll be responsible for self-reporting this status in whatever app you’re using. You can be a jerk and say nothing; you can uninstall the app outright. You can do whatever you want. It’s only your personal sense of right and wrong that’s at stake — your health provider isn’t going to rat you out and send all of your information, including your real-time location, to everyone else using whatever contract-tracing app your state provides.
(That sounds silly, I know, but I’m just getting ahead of the “spying on meeeee” crowd.)
And self-reporting your status isn’t just a “tap a button and now I have COVID” kind of a deal — at least, not for apps that give a shit about being useful tools for the general public. As Virginia’s COVIDWISE describes:
“Laboratory results for all persons who test positive for COVID-19 are sent to [Virginia’s Department of Health]. This is not associated with the app. Our staff follows up with persons reported as positive, based on information provided within the laboratory report. As a courtesy to all app users, VDH will verify positive tests and then provide COVIDWISE users a personal identifying number (PIN). You must use that PIN in order to report a positive result to the app. This prevents people from falsely reporting positive results, which could generate false exposure notifications. VDH wants all app users to feel confident that when a possible COVID-19 exposure is received via the app, that it is a real event.”
Most people won’t use contract tracing on their phone anyway
So, that’s it. While there’s much to worry about with smartphone privacy, I don’t think the Exposure Notifications API is the hill you want to die on. I also don’t think this is going to be that big of a deal going forward, as there’s simply not enough of a universal mandate for everyone to use their phones to help combat COVID-19 exposure.
But even that gets us into an awkward privacy trade-off. While I would absolutely love it if Google and Apple mandated the use of this API on all phones, and even activated a corresponding (privacy-focused) app on everyone’s devices while we’re in the middle of this annoying pandemic, that would be a concern. Even though the move would be done in the interest of the common good, it would still feel like an overreach. And I would understand a collective concern, even one based on a complete misunderstanding of how the technology works, surrounding mandated digital tracking to combat extreme coronavirus stupidity.
Of course, we let all kinds of apps siphon data from our devices regularly, and that doesn’t seem to really bother most people. Maybe I’m thinking too cautiously, and a contact-tracing API and app wouldn’t be any more a worry than a brand-new social network or popular game. If those don’t give you the privacy scares, why would you be so worried about something that’s trying to keep you healthy and safe?