In April 2020 Google and Apple announced a joint project under whose constraints countries could develop proximity tracing apps, called Exposure Notifications (EN). By using this framework, proximity tracking apps could notify individuals that they were in close contact with someone who was diagnosed with COVID-19. The system operates through Bluetooth Low Energy technology, using the strength of the Bluetooth signal as a proxy for close contact.
EN was advertised to the general public as a system that would guarantee individual control over the information processed. First, the system could be enabled and disabled on a voluntary basis; second, data would be processed on device (and therefore Google and Apple would not access it); third, cryptographic functions were embedded to avoid tracking and enhance unlinkability; and fourth, Goggle and Apple would only engage with national health authorities and finally the system would only be used to notify individuals that they were exposed to COVID-19 (which would reduce the probability of repurposing it).
However, can we take for granted that individual control is sufficient to ensure legal protection?
On 24 June, PhD researcher Tatiana Duarte delivered a presentation at the Annual Privacy Forum (23-24 June, Kozminski University, Warsaw), where she pointed out that EN encloses a control paradox between individual and democratic control.
EN was designed to guarantee that Google and Apple decide which countries participate in it, what data is processed and the paradigm under which proximity tracking apps should be designed. In her presentation, Duarte pointed out that EN is predicated on three forms of control: platform power, control over data processing and the imposition of a contestable interpretative paradigm (enforced as incontestable). Legal protection requires both individual and democratic control – and the latter seems not to be granted by EN.
For slides, click here.