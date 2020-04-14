Last week several senators from the United States sent a letter to Apple asking about the privacy and security of the personal data that Apple collected on its website and app about COVID-19. Apple’s response, unsurprisingly, has been simple: we do not collect any.

Neither identification nor data collection

As Apple indicates in its response to the senators’ letter, both the website and the app have been designed with privacy as a priority. As we can verify by using the tool ourselves, it does not require any identification or login process associated with an Apple ID, and the responses are not sent to Apple or any other entity. Apple states it in the following terms:

Consistent with Apple’s strong dedication to user privacy, the COVID-19 application and website were built to protect the privacy and security of user data. As you can see, using the tools does not require a login or association with the user’s Apple ID, and individual user responses are not sent to Apple or any government organization. Access to important information and guidance related to the health of people or their loved ones should not compel people to compromise their right to privacy. Rather, it is at times like this that our commitment to protecting those rights is most important. Our COVID-19 application and our website were designed with that in mind.

Confirmation, the key to the contact notification API

At the end of last week, Apple announced, through an official statement, that it is cooperating with Google to create an API that COVID-19 prevention apps can use to notify users of contacts with people who have tested positive.

This API is designed to give apps from research entities and governments the ability to alert users who have been in contact with a person who has tested positive for the virus. The operation, broadly speaking, is as follows:

Our device broadcasts over Bluetooth a random code that does not identify us in any way and that changes every 15 minutes. These codes are stored on our device for a maximum of 14 days.

When we are in contact with a person, within a radius of approximately one meter, for a period of more than 10 minutes, our phone saves the other person’s random code.

If this person later tests positive for the virus, then, always with their consent, all the random codes their device has used over the past 14 days are uploaded to the cloud.

Our app regularly downloads this data and checks locally whether any code stored in our contact record matches those belonging to people who have tested positive. If so, we would receive a notice.
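The steps above as an added Python example (not Apple's or Google's code): it models the codes as plain random bytes, as the article describes them, rather than the real API's derivation. The `Device` class, its methods and the people in `simulate()` are constructed for illustration, and applying the 14-day limit to both sent and saved codes is an assumption.

```python
import secrets

ROTATE = 15 * 60           # a new random code every 15 minutes (seconds)
RETAIN = 14 * 24 * 3600    # codes are kept for at most 14 days
MIN_CONTACT = 10 * 60      # a contact must last more than 10 minutes

class Device:                # hypothetical model, not the real API
    def __init__(self):
        self.sent = {}       # rotation slot -> code this device broadcast
        self.seen = {}       # code heard nearby -> time it was first heard
        self.contacts = {}   # code saved as a contact -> time it was saved

    def broadcast(self, now):
        """Code for the current 15-minute slot: random, carries no identity."""
        return self.sent.setdefault(now // ROTATE, secrets.token_bytes(16))

    def hear(self, code, now):
        """Save a nearby code once it has been heard for more than 10 minutes."""
        first = self.seen.setdefault(code, now)
        if now - first > MIN_CONTACT:
            self.contacts.setdefault(code, now)

    def expire(self, now):
        """Forget own codes and saved contacts older than 14 days (assumption)."""
        self.sent = {s: c for s, c in self.sent.items() if now - s * ROTATE <= RETAIN}
        self.contacts = {c: t for c, t in self.contacts.items() if now - t <= RETAIN}

    def upload(self, now, consent):
        """After a positive test: publish own codes, only with consent."""
        self.expire(now)
        return set(self.sent.values()) if consent else set()

    def exposed(self, published, now):
        """Match downloaded codes against the contact log, on the device itself."""
        self.expire(now)
        return any(code in self.contacts for code in published)

def simulate():
    alice, bob, carol = Device(), Device(), Device()   # constructed scenario
    for t in range(0, 12 * 60, 60):        # Bob stays near Alice for 12 minutes
        bob.hear(alice.broadcast(t), t)
    for t in range(0, 5 * 60, 60):         # Carol passes Alice for 5 minutes
        carol.hear(alice.broadcast(t), t)
    day3 = 3 * 24 * 3600                   # Alice tests positive on day 3
    withheld = alice.upload(day3, consent=False)
    published = alice.upload(day3, consent=True)
    return (bob.exposed(withheld, day3), bob.exposed(published, day3),
            carol.exposed(published, day3), bob.exposed(published, 20 * 24 * 3600))
```

Because each code is timed separately here, an encounter that straddles a 15-minute rotation is saved only if one of the codes is heard for more than 10 minutes.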

As the system is designed, it is not possible, at any time, to know who tests positive or to learn any location. The only thing it allows, and of course the most important thing, is to alert the interested parties. Neither the authorities, nor the developers of the app, nor Google, nor Apple have access to the information.

Within this system, which is clearly designed with privacy as a priority, Apple has clarified the only point that, until now, seemed weak: false positives. According to the example that Apple has provided, one solution would be to require scanning a QR code on the result sheet to confirm the positive. Although the final implementation is still in progress, Apple has reported that verifications will be carried out by external entities and will vary by region.

As the two examples in this article show, it is more than possible to combat the spread of contagious diseases without jeopardizing the privacy and security of citizens. It is not one or the other; we can have both.

