Republican Senator Josh Hawley has sent a letter to Apple CEO Tim Cook and Google CEO Sundar Pichai calling for them to be “personally liable” for user privacy and data in its joint COVID-19 contact tracing API. He writes in a letter,
Your recently announced project to respond to COVID–19 by tracking when and where Americans interact with each other raises serious concerns. Especially because of Google’s poor record on privacy, I fear that your project could pave the way for something much more dire. The possible implications this project could have for privacy are alarming. For example, your materials state that the data necessary for this project will be anonymized. But anonymity in data is notoriously unstable. Data typically can be reidentified simply by cross-referencing it with another data set. Pairing the data from this project with the GPS data that both your companies already collect could readily reveal individual identities.
He points to both of the companies current collaboration with user data, saying that adding the data it already collects with that from the contact tracing API could spell harm for users:
Even if this project were to prove helpful for the current crisis, how can Americans be sure that you will not change the interface after the pandemic subsides? Once downloaded onto millions of phones, the interface easily could be edited to eliminate previous privacy protections. And any privacy protection that is baked into the interface will do little good if the apps that are developed to access the interface also choose to collect other information, like real-time geolocation data.
The Senator says Google’s track record on privacy is “not exactly reassuring” and says that the success of this current project could harm the company in the long run. He doesn’t mention anything on Apple’s privacy track record.
What the Senator wants both CEO’s to do is absurd, to be held “personally liable” for a project is not possible. Additionally, Google and Apple have already extensively provided reassurances to the public on the safety of their data, saying in a joint document the following:
- Explicit user consent required
- Doesn’t collect personally identifiable information or user location data
- List of people you’ve been in contact with never leaves your phone
- People who test positive are not identified to other users, Google or Apple
- Will only be used for contact tracing by public health authorities for COVID-19 pandemic management
- Doesn’t matter if you have an Android phone or an iPhone – works across both
Apple and Google continue to face unjustified questioning over their contact tracing API, where in reality, both companies have been as transparent as possible about it.