The challenge platform companies face in managing the balance between privacy and security is a perennial issue for the tech industry. Nowhere is this challenge more immediate or stark, however, than in what we see unfolding with Covid-19 digital contact tracing.
There is a clear choice to make. Contact tracing capabilities can be built in a way that preserve user privacy but are less effective in preventing deaths. Or there is a way to build highly effective capabilities that threaten privacy and trust.
So far in the Covid-19 crisis, I think Google and Apple have done a masterful job of managing the technology and policy around contact tracing technology. Faced with a difficult set of choices, to date it seems they have come out ahead with policies that give users privacy and preserve trust, while also offering incremental functionality that could help save lives.
The next several months are going to be increasingly challenging for Google and Apple to come out ahead of the game. Different countries will look to different strategies to open up their economies, and the fundamental trade-off between lives and privacy will become more overt.
No matter which path technology platform owners choose, they will be blamed. If they choose privacy, people will rightly point out that they are withholding tools that could save lives. If they choose to leverage technology to save people, they will be criticized for imperiling privacy and trust.
Tech companies might ultimately control their technical implementations, but they won’t be making these decisions alone and they will face all sorts of powerful external pressure. They have major exposure, in particular, to the sovereign governments around the world who have degrees of control over revenue and network access technology companies need.
As a result, one of the unexpected long-term legacies of the Covid-19 period may well be a reevaluation of the borders of technology and national sovereignty.
The Response So Far
From a corporate exposure and response perspective, Google and Apple have to date managed their Covid-19 digital contact response nearly perfectly.
The first smart thing they did was decide to team up rather than operating separately. These are not two companies that normally coordinate so amicably, but in choosing to present a unified front they accomplished several things. By coordinating efforts, given that digital contact tracing only works with very broad coverage, they look like they are going beyond business interests and doing what is right for the world.
Teaming up also means they present a unified front to regulators globally as the “tech position,” rather than showing any gap in policy that sovereign governments could use to negotiate with them. Finally, they prevent competition over privacy in the context of Covid-19. If, in theory, one of the two major platforms had more of a bias toward saving lives and away from privacy, that would have created a lot of noise in the press (both about who was more pro-privacy and who was trying to save lives). That is a fight neither company needs right now.
The second smart thing the companies did was move very quickly to release a set of policies and an API spec ahead of overt regulatory demand. The technology companies got to set the terms of what they offered and control the narrative of what they were doing, rather than getting stuck in the position of disappointing countries that want ideas biased more toward safety and less toward privacy.
Third, there are the technical and policy decisions Apple and Google have made. From my perspective, the contact tracing tools they offer prioritize user privacy. They could in theory have made their Bluetooth solution opt out, opt in, or even mandatory for everyone. They made it opt in. They could have given governments identity-linking data, which would have been very useful for matching records across systems—but they chose privacy instead. They chose to make the data decentralized, which gives the individual user and not the society overall data sovereignty. They even held back a kill switch on when to turn their services off, which feels unnecessary given the level of user control in their system but is yet another nod to privacy.
Finally, these companies were very smart to provide core APIs but not build their own contact tracing applications. This allows them to avoid being the brand of digital contact tracing (which they easily could have become). It means that the ultimate success and failure of the effort to save lives via digital contact tracing will lie not with the tech platforms, but with the governments and NGOs working with the provided APIs.
What the technology platforms ultimately achieved in this first inning of technological contact tracing debates felt like a full victory. They were lauded for offering something new to the fight against Covid with their APIs, presented a plan that even strident privacy advocates have a hard time taking issue with, and moved quickly and in coordination to get ahead of global pushback.
The Challenge Ahead
Unfortunately for the two major platform companies, the debate about what technology should and shouldn’t be used to save lives is only just getting started. The next chapter will be much harder on the tech narrative.
First, there is the opt-in versus opt-out question. Everyone is waking up to the fact that digital contact tracing only works if there is broad or even universal coverage, where everyone is using it. In technology, many people like to say “the defaults are the law” in different contexts. In this case, the platform choice to turn contact tracing off by default rather than on greatly diminishes the value and impact of any contact tracing application. Without broad enough deployment, the solutions don’t do much good. And the fact that technology platforms have the power to choose to make tracking opt out makes them a party to any issues of undermeasurement.
Second, there is the identity question. Identity-linked contact tracing presents huge potential privacy issues. But there is also no question that it would open up avenues for more safety and integration between different health and alerting systems.
Finally, there is simply the issue of national choice, as different communities and cultures would choose to use technology differently if left to their own devices. We see this already starting to happen as countries including the UK and Australia are not using Google and Apple’s contact tracing routes, instead trying to go it alone with their own methods, while countries like Germany are adopting the tech companies’ tools.
At some point, there will be a backlash where, at least in certain countries and cultures, people start asserting that it is the tech companies’ fault that people are dying. The argument will be that they could have done more to make tech-enabled contact tracing effective had they been willing to trade away some privacy. Different countries will claim that the tech platforms’ unwillingness to let them default to tracing on, link records and make other possible technical choices about the deployment of contact tracing for their societies makes them blameworthy for deaths and economic issues. This will especially be true if we see second and third waves of Covid without a cure, and if China—which has gone the pro-safety and no-privacy route—does dramatically better than other nations in managing the pandemic, which seems likely.
The Tech’s Global Platform Power as a Liability
If we had been facing the Covid crisis even just a few decades ago, none of this conversation would have even been relevant—because technology was so much more regional.
Each sovereign country could have—and would have—considered the full set of technology and tools at its disposal, and made decisions about what to do (and not do) and how to balance the privacy of its citizens with the effectiveness of its response.
Today, with global technology platforms, we face a different world. Sovereign countries are forced to work within the bounds of the technology and rules established by the tech platforms. They have to work with what they are given, within the constraints of tech companies trying to balance their global interests and the interests of citizens across the world.
This isn’t an enviable position for tech companies. It puts them in a nearly impossible position in terms of almost always absorbing blame no matter what they do whenever the choices are hard.
The question is whether Covid-19, and the visceral reality of the trade-offs between saving lives, the economy and privacy, push this old debate in a new direction.
It is possible this episode will push countries to assert their sovereignty over technology more aggressively, as in the Chinese model.
You could also imagine that the debate inside technology companies over protecting users from governments versus giving communities self-determination on platforms might evolve. Some people inside the technology companies will certainly advocate for sacrificing privacy to save more lives in this case (just as has been the case with terrorism, child pornography and human trafficking over a longer period of time).
When we look back in a few hundred years and study this period of human history, the question of how technology changed and perhaps limited traditional sovereignty will be a major theme. With enough distance, the Covid-19 era might ultimately be studied as a key event as much for this theme as for anything else.