Apps Versus APIs washingtonpost.com

Craig Timberg, Drew Harwell, and Alauna Safarpour, Washington Post:

Nearly 3 in 5 Americans say they are either unable or unwilling to use the infection-alert system under development by Google and Apple, suggesting that it will be difficult to persuade enough people to use the app to make it effective against the coronavirus pandemic, a Washington Post-University of Maryland poll finds.

[…]

Among the 82 percent of Americans who do have smartphones, willingness to use an infection-tracing app is split evenly, with 50 percent saying they definitely or probably would use such an app and an equal percentage saying they probably or definitely would not. Willingness runs highest among Democrats and people reporting they are worried about a covid-19 infection making them seriously ill. Resistance is higher among Republicans and people reporting a lower level of personal worry about getting the virus.

Despite reservations about the technology, 59 percent of smartphone users said they would “be comfortable” using such an app, if they tested positive for covid-19, to anonymously alert others that they may have been exposed and should seek testing.

It is good to hear that people are skeptical of the privacy bonafides of major tech companies. But there are two problems with this study:

  1. The question that was asked of those polled was phrased inaccurately (emphasis mine):

    Apple and Google have proposed creating a smartphone app that would tell users whether they have been physically close to someone who has been diagnosed with the coronavirus. The app would rely on people anonymously reporting if they have been diagnosed in the app. If this smartphone app were available today, would you definitely use it, probably use it, probably not use it or definitely not use it?

    They have not proposed creating an app; they have proposed a framework that would allow a special category of app to be built on top of.

  2. The followup question of whether respondents would self-report made reference to the same hypothetical Apple-and-Google-developed app.

To be clear, the poll asked whether people would use an app made by Apple and Google to get notifications about possible exposure — even though they are not making an app — and the Post concluded that the underlying reporting system would not be used by a majority of Americans, even though that’s not what they asked about. It is not fair to expect people to understand the difference between an app and APIs for developers, but it is a critical factor in deciding what this poll reports.

The good news is that only public health agencies will be allowed to use the exposure API that is currently in the developer beta, and the eventual system-integrated framework. 57% of individuals polled by the Washington Post and University of Maryland responded that they trusted those agencies compared to 43% for tech companies. Users will associate the apps with those agencies, not with the big tech API that powers them.

Via Shoshana Wodinsky of Gizmodo:

That 41 percent of folks in the do-not-adopt category have every reason to be skeptical. Between the potential for Google to share covid-19 consumer health data to private pharmaceutical firms through its dedicated coronavirus site, Apple’s dragnet of consumer health data, and the sheer fact that most of what we think of as “health data” is entirely exempt from U.S. privacy laws, well, it just doesn’t sound pretty. But the sheer fact of the matter is that these companies (and many others) are doing what they can to snag people’s health data, whether they download one of these exposure notification apps or not.

It’s important that Wodinsky pointed out how much information is exempt from the U.S.’s already paltry laws protecting individual privacy rights in commercial contexts.

However, calling Apple’s Health app a “dragnet” is an exaggeration: it is only a central database for individual apps to tap into; if you are not using any other health apps or fitness devices, it serves only as a glorified pedometer; and, most importantly, all of that data is encrypted at the same standard as the most sensitive stuff on your iPhone. It is not, by any stretch, “Apple’s dragnet of consumer health data” any more than iCloud Keychain is “Apple’s dragnet of user passwords”.