Personal-symptom trackers, digital contact-tracing and exposure-notification tools are under development in the United States and around the world — their adoption could help healthcare workers mitigate the impact of further waves of COVID-19. These technologies also have significant privacy and security issues. The COVID Tech Task Force has a conference scheduled in 10 days to discuss the key issues related to COVID technologies.
As part of our work preparing for that conference, we collected and reviewed the leading apps in the U.S. With the goal of helping the public, and state and local governments, better understand the privacy and security features of leading applications, we’re sharing the information and demos we gathered from the teams building these applications.
We have sorted the demos into three broad categories: (1) contact-tracing/exposure-notification applications using Google/Apple API, (2) contact-tracing/exposure-notification applications not using Google/Apple API, and (3) personal-symptom-tracking applications.
We surveyed teams regarding privacy, security and commercialization of personal data. We’ve made the results of the surveys available here. We encourage you to look through the responses and share your thoughts on how different applications have approached these important issues.
The applications featured in this article were to be demoed at the Contact Tracing and Technology Conference originally scheduled for this week — in light of the significant conversations around racial injustice and police brutality against Black Americans we rescheduled it to ensure we are not taking up unnecessary space. The conference is now rescheduled for June 17th — if you RSVP’d, we look forward to seeing you there; if you haven’t, please do!
The conference will be hosted by the COVID Tech Task Force, in collaboration with TechCrunch, Harvard’s Berkman Klein Center, NYU’s Alliance for Public Interest Technology, Betaworks Studios and Hangar. The COVID Tech Task Force is composed of a group of volunteers who came together in March to help convene a forum for state and local governments and the tech community to work together to mitigate the impact of COVID-19.
Google and Apple have collaborated to create development tools in order to provide a cross-platform way for public health agencies to notify individuals of a potential exposure.
SafePaths is developing free, open-source, privacy-by-design tools for individuals, public health officials and larger communities to flatten the curve of COVID-19, reduce fear and prevent a surveillance-state response to the pandemic.
If you want further information, reach out to email@example.com.
CoEpi is an open-source project developing a decentralized, privacy-first app for anonymous Bluetooth-based exposure notification based on symptom sharing. Communities of close contacts can begin protecting themselves with CoEpi without requiring widespread adoption among the general population; there is no scale required to achieve benefit to small user groups. CoEpi helps you anonymously alert the people with whom you interact about symptoms of a contagious illness, or alert you if you might have been exposed in an interaction.
If you want further information, reach out to Dana+CoEpi@OpenAPS.org.
COVID Shield is a free exposure notification solution built with privacy as its top priority. It was built by a group of volunteers, many from Shopify, in order to help Canadians and the rest of the world safely return to work.
If you want further information, reach out to firstname.lastname@example.org.
The team consists of a group of public health officials, doctors, researchers and engineers based out of the University of Washington and Microsoft who are working together to keep the public safe and to help public health systems in managing the outbreak.
If you want further information, reach out to email@example.com.
COVID Trace is a nonprofit offering a COVID-19 exposure-notification app for iOS and Android using the Apple/Google exposure-notification APIs. People using COVID Trace can expect privacy and simplicity. With COVID Trace, health departments get an app and metrics that are an extension of their efforts. COVID Trace is ready to be used today.
If you want further information, reach out to firstname.lastname@example.org.
Zero is a citizen-led nonprofit that leverages technology for pandemic response, focused on facilitating safe social behavior and peace of mind. Their goal is to stem the spread of COVID-19 and give citizens the information they need to feel safe and confident engaging with their local economy.
If you want further information, reach out to email@example.com.
COVID Watch uses the Apple/Google GAEN protocol, which it claims its developers explained to Apple how to build based on their original TCN protocol. The Covid Watch team was founded by researchers from Stanford and Waterloo and claims to be the first in the world to invent, develop and open-source a decentralized Bluetooth exposure alert protocol in early March.
If you want further information, reach out to firstname.lastname@example.org.
Note that some of these organizations have indicated they might use the Google/Apple API in the future. Some of them intend to and are waiting on confirmation from Google/Apple.
NOVID claims to be the first (and currently only) completely anonymous contact-tracing app published in the USA that uses no personal information. No GPS, no phone number, no email — it’s completely anonymous. The app utilizes ultrasound to provide extremely accurate measurements of interaction distance, overcoming the known inaccuracies of Bluetooth. The team is led by Carnegie Mellon professor and internationally renowned mathematician, Po-Shen Loh.
If you want further information, reach out to email@example.com.
Healthy Together is an end-to-end COVID-19 response platform that is fully integrated into public health and the enterprise. Launched in April for the State of Utah, Healthy Together’s mobile applications support self-assessment, COVID-19 testing access and results, and augmented contact tracing, as well as enterprise contact tracing, workflow tools, data integrations and visualizations. Leveraging existing technology that has scaled to millions of users and informed by public health experts, Healthy Together will soon be announcing additional states and enterprise customers that are using the platform to protect the health of residents and employees.
If you want further information, reach out to firstname.lastname@example.org.
Sharetrace is a health passport and contact-tracing application that’s privacy-preserving by design. Built on user-owned personal data accounts, pioneering personal data privacy technology, it can safely use sensitive data without the risk of sovereign surveillance by either companies or governments. Sharetrace is a collaboration between U.K. and U.S. universities, including Case Western Reserve University in Ohio. Learn more online at sharetrace.org.
If you want further information, reach out to email@example.com.
Coalition Network is a nonprofit whose founders and team have been building and implementing decentralized, Bluetooth-based network solutions on mobile for the past decade. Coalition’s open source Whisper Tracing Protocol has been peer reviewed by cryptographers at MIT, Stanford, USC and Oxford, and adopted by the government of Senegal.
If you want further information, reach out to firstname.lastname@example.org.
Safe2 is a COVID-19 exposure warning system for smarter social distancing. The mobile app uses anonymized data from GPS and Bluetooth technology to privately share real-time exposure alerts to help prevent community spread of the virus. Safe2 was founded by Jamison D. Day, Ph.D., data scientist and expert in disaster relief, with an international team specializing in global health, technology and crisis management, with a focus on improving health, economic well-being and privacy.
If you want further information, reach out to email@example.com.
VIRI is a contact-tracing platform driven by the ethos of privacy and anonymity, on a mission to allow cross-entity contact tracing without the need to share any personal identifying information. It can be incorporated into an existing enterprise app as an API seamlessly allowing compatibility between enterprises and institutions at a global scale while letting the entities adhere to various healthcare-data regulations. VIRI deploys a hybrid back-end architecture that leverages permissive blockchain technology.
If you want further information, reach out to firstname.lastname@example.org.
COVID Near You, a crowdsourced COVID-19 symptom tracker, was created by epidemiologists and software developers within the Innovation and Digital Health Accelerator at Boston Children’s Hospital. The Boston Children’s Hospital team has background and expertise in developing platforms in infectious disease surveillance, and provides technical capacity in building visualization-based tools for public health response efforts. The COVID Near You team aims to support public health surveillance measures of COVID-19 and conduct research using the self-reported data to better understand the impact of this disease across North America.
If you want further information, reach out to email@example.com.
How We Feel lets you self-report your age, sex, ZIP code and any health symptoms you experience. The app was built by an independent, nonprofit organization called The How We Feel Project. Their tech team includes Ben Silbermann, CEO of Pinterest, and a volunteer group of current and former Pinterest employees. They are working with scientists, doctors and public health professionals from leading institutions, including the Harvard T.H. Chan School of Public Health, the McGovern Institute for Brain Research at MIT, Broad Institute of MIT and Harvard, Howard Hughes Medical Institute, University of Pennsylvania, Stanford University, University of Maryland School of Medicine and the Weizmann Institute of Science.
If you want further information, reach out to firstname.lastname@example.org.
As humans get used to working at a distance from each other, a startup in Massachusetts is providing sensors that bring industrial robots in close — centimeters away, in fact. The same technology may support future social distancing efforts on commutes, in a pilot application to allow more subway trains to run on a single track.
Humatics, an MIT spinout backed by Lockheed Martin and Airbus, makes sensors that enable fast-moving and powerful robots to work alongside humans without accidents. If daily work and personal travel to work ever go back to normal, the company believes the same precision can improve aging and crowded infrastructure, enabling trains and buses to run closer together, even as we all may have to get used to working further apart.
This is the emerging field of microlocation robotics — devices and software that help people and machines navigate collaboratively. Humatics has been testing its technology with New York’s MTA since 2018, and today is tracking five miles of a New York subway, showing the transportation authority where six of its trains are, down to the centimeter.
Humatics’ technology in the MTA pilot uses ultra-wideband (UWB) radio frequencies, which are less failure-prone than Wi-Fi, GPS and cameras.
“A good example of a harsh environment is a subway tunnel,” said David Mindell, co-founder of Humatics and professor of engineering and aerospace at MIT. “They are full of dust, the temperatures can range from subzero to 100 degrees, and there is the risk of animals or people tampering with devices. Working inside these tunnels is difficult and potentially dangerous for crews, also.”
Humatics has sold more than 10,000 UWB radio beacons, the base unit for their real-time tracking system, to manufacturers of sensor systems, the company says. They pinpoint the location of hundreds of RFID tags at a range of 500 meters, using multiple tags on an object to measure orientation.
Well that didn’t last long.
Apple has patched a security vulnerability that allowed hackers to build a jailbreak tool allowing deep access to the iPhone software.
In a security advisory, Apple acknowledged that it had fixed the vulnerability in iOS 13.5.1, posted Monday. The technology giant credited the unc0ver team, which released the jailbreak just last week, for finding the vulnerability.
Although details of the vulnerability are not yet public, Apple typically works quickly to patch vulnerabilities that allow jailbreaks, fearing that the same vulnerability could also be abused by malicious hackers.
In a tweet, one of the lead jailbreakers confirmed that updating to iOS 13.5.1 will close the vulnerability and render the jailbreak useless.
I can confirm the new *OS updates have patched the kernel vulnerability used by the #unc0ver jailbreak.
If you are on iOS 13.5, stay and save blobs.
If you are not on iOS 13.5, update to it with the IPSW using a computer while it is still being signed and save blobs.
— @Pwn20wnd (@Pwn20wnd) June 1, 2020
Jailbreaking is a popular way to allow users to break free from Apple’s “jail” — hence the term — that prevents deep access to an iPhone’s operating system. Apple does this to improve device security and to reduce the surface area in which hackers can attack the software. But jailbreakers say breaking through those restrictions allows them greater customization over their iPhones in a way that most Android users are already used to.
Security experts typically advise against jailbreaking as it can expose a device owner to a greater range of attacks, while advising users to update their devices and software as soon as updates become available.
Apple said iOS 13.5.1 also comes with new Memoji stickers and other bug fixes and improvements.
Update today. If security isn’t your thing, at least do it for the Memoji stickers.
On Sunday, a fourth night of protests erupted around the country, spurred on by the May 25 death of George Floyd at the hands of the Minneapolis police. The movement is a response to wide-ranging and systematic inequality that has seen a disproportionate number of black Americans suffer a similar fate, with Floyd’s desperate gasping “I can’t breathe” echoing Eric Garner’s death some six years prior.
Violence broke out over the weekend, with photos and videos emerging of bloodied protesters, bystanders and journalists tasked with covering the events. It takes a lot for an event to dominate headlines in a country suffering from far and away the world’s largest number of COVID-19 deaths, but wide-scale movements in Minneapolis, New York, D.C., L.A., Chicago and beyond seem destined to remain top of mind in an already deeply divided nation.
Tech companies and CEOs have begun to weigh in on what amounts to a rather delicate topic for corporations not accustomed to rocking the boat on this manner of social issues. Tim Cook, who has a history of publicly addressing social issues, said the company draws strength from its diversity. He also told staff that now is the time to listen,
This is a moment when many people may want nothing more than a return to normalcy, or to a status quo that is only comfortable if we avert our gaze from injustice. As difficult as it may be to admit, that desire is itself a sign of privilege. George Floyd’s death is shocking and tragic proof that we must aim far higher than a “normal” future, and build one that lives up to the highest ideals of equality and justice.
The Apple CEO says the company will be making unspecified donations to the Equal Justice Initiative and other non-profits. It will also be matching two-for-one on all employee donations for June.
Racism does not adhere to social distancing.
Amid the already growing fear and uncertainty around the pandemic, this week has again brought attention to something perhaps more pervasive: the long-standing racism and injustices faced by Black and Brown people on a daily basis. pic.twitter.com/8zKPlDnacY
— Twitter Together (@TwitterTogether) May 29, 2020
Twitter, meanwhile, swapped its standard logo for a black and white version, adding a Black Lives Matter hashtag to its bio. Its diversity account Twitter Together offered the following statement (via tweet, naturally),
Racism does not adhere to social distancing. Amid the already growing fear and uncertainty around the pandemic, this week has again brought attention to something perhaps more pervasive: the long-standing racism and injustices faced by Black and Brown people on a daily basis.
Amazon also took to Twitter, offering the following statement,
The inequitable and brutal treatment of Black people in our country must stop. Together we stand in solidarity with the Black community — our employees, customers, and partners — in the fight against systematic racism and injustice.
AWS head Andy Jassy added on his own account,
*What* will it take for us to refuse to accept these unjust killings of black people? How many people must die, how many generations must endure, how much eyewitness video is required? What else do we need? We need better than what we’re getting from courts and political leaders.
Many were quick to condemn Amazon for perceived hypocrisy. Among the issues here are longstanding complaints over worker treatment, as well as Amazon Web Service’s technologies like facial recognition, which have been utilized by law enforcement.
Cool tweet. Will you commit to stop selling face recognition surveillance technology that supercharges police abuse? https://t.co/DfnAhyw2PW
— ACLU (@ACLU) May 31, 2020
The ACLU responded rather bluntly,
Cool tweet. Will you commit to stop selling face recognition surveillance technology that supercharges police abuse?
Amazon does not appear to have responded to this most recent question from the organization.
Facebook’s response has also been a mixed bag. Staff have been vocal about their anger around Mark Zuckerberg’s decision to break with Twitter by leaving Trump’s “when the looting starts, the shooting starts” statement intact. More recently, however, the CEO committed $10 million to relevant non-profits, adding in a post,
To help in this fight, I know Facebook needs to do more to support equality and safety for the Black community through our platforms. As hard as it was to watch, I’m grateful that Darnella Frazier posted on Facebook her video of George Floyd’s murder because we all needed to see that. We need to know George Floyd’s name. But it’s clear Facebook also has more work to do to keep people safe and ensure our systems don’t amplify bias.
Remarks from Microsoft CEO Satya Nadella posted to LinkedIn briefly touch upon the events in Minneapolis, as well as the recent problematic encounter in Central Park in which the police were called on birder Christian Cooper,
Our identity, our very existence is rooted in empowering everyone on the planet. So, therefore, it’s incumbent upon us to use our platforms, our resources, to drive that systemic change, right? That’s the real challenge here. It’s not just any one incident, but it’s all the things that have led to the incident that absolutely need to change.
Meanwhile, Snap CEO Evan Spiegel sent a lengthy letter to staff on Sunday, writing,
Of course, the same Founding Fathers who espoused the values of freedom, equality, and justice for all – were predominantly slave owners. Their powerful vision of a nation created by the people, for the people was built on a foundation of prejudice, injustice, and racism. Without addressing this rotten foundation and its ongoing failures to create opportunity for all, we are holding ourselves back from realizing our true capacity for human progress – and we will continue to fall short of the bold vision of freedom, equality, and justice for all.
Spiegel’s letter focuses on his work to understand the struggles as a “young, white, educated male [who] got really, really lucky,” as well as proposals for financial methods for addressing inequality. Specifically, he calls for the establishment of a non-partisan Commission on Truth, Reconciliation and Reparations, as well as an investment in housing, healthcare and education.
More dismal numbers confirm what we already knew: Q1 2020 was real rough for an already struggling smartphone category. Gartner’s latest report puts the global market at a 20.2% slide versus the same time last year, thanks in large part to fallout from the COVID-19 pandemic.
Every single one of the global top-five manufacturers saw large declines for the quarter, save for Xiaomi, which saw a slight uptick of 1.4%. The Chinese handset maker got a surprise bump, courtesy of international sales. Samsung, Huawei and Oppo all saw double-digit drop-offs at 22.7%, 27.3% and 19.1%, while Apple declined 8.2%. Other companies combined for a sizable 24.2% loss for Q1.
The reasons are ones we’ve gone over several times before, nearly all pertaining to the global pandemic. Chief among them are global stay-at-home orders and general economic uncertainty. Issues with the global supply chain have no doubt been a factor, as well, as Asia was the first to get hit with the virus.
All of this comes in addition to an already plateauing/declining smartphone market. Analysts had expected that the arrival of 5G would help stem the tide a bit — but, well, some stuff happened in there. Notably, Apple’s slide wasn’t as bad as it might have been thanks to a strong start to the year.
“If COVID-19 did not happen, the vendor would have likely seen its iPhone sales reached record level in the quarter. Supply chain disruptions and declining consumer spending put a halt to this positive trend in February,” Gartner’s Annette Zimmermann said in a release. “Apple’s ability to serve clients via its online stores and its production returning to near normal levels at the end of March helped recover some of the early positive momentum.”
Overall, I suspect that recovery won’t be instantaneous for the market. The future of COVID-19 still feels largely uncertain as countries have begun the process of reopening, and a pricey investment still may not be in the cards for many who are struggling to make ends meet.
Welcome back to This Week in Apps, the Extra Crunch series that recaps the latest OS news, the applications they support and the money that flows through it all.
The app industry is as hot as ever, with a record 204 billion downloads and $120 billion in consumer spending in 2019. People are now spending three hours and 40 minutes per day using apps, rivaling TV. Apps aren’t just a way to pass idle hours — they’re a big business. In 2019, mobile-first companies had a combined $544 billion valuation, 6.5x higher than those without a mobile focus.
In this Extra Crunch series, we help you keep up with the latest news from the world of apps, delivered on a weekly basis.
This week we’re continuing to look at how the coronavirus outbreak is impacting the world of mobile applications, with fresh data from App Annie about trends playing out across app categories benefiting from the pandemic, lockdowns and societal changes. We’re also keeping up with the COVID-19 contact-tracing apps making headlines, and delving into the week’s other news.
We saw a few notable new apps launch this week, including HBO’s new streaming service HBO Max, plus three new app experiments from Facebook’s R&D group. Android Studio 4.0 also launched this week. Instagram is getting better AR tools and IGTV is getting ads. TikTok got spammed in India.
Meanwhile, what is going on with app review? A shady app rises to the top of the iPhone App Store. Google cracks down on conspiracy theory-spreading apps. And a TikTok clone uses a pyramid scheme-powered invite system to rise up the charts.
Gone are the days of not having enough time to catch up on all of those movies and TV shows you’ve been meaning to get around to. For the foreseeable future, at least, many of us have nowhere to go and nothing but time on our hands.
We’ve already offered a few suggestions for ways to spend your newfound downtime, but there’s a more pragmatic question at hand. With this week’s arrival of HBO Max, an overcrowded streaming market becomes even more competitive, particularly here in the United States. Gone are the days of Netflix’s streaming supremacy (at least from a content perspective). There’s a streaming service for virtually every need and nearly every one is best at something (with the possible exception of Apple TV+ with its fairly sparse selection, and whatever is going on with Quibi).
In a perfect world, we would all be able to subscribe to every service and never have to leave the house again. But those $5-$15/month fees add up pretty quickly when you’re not looking. For most of us, choosing the right service or services requires a bit of strategic spending. As such, we’re going to make life a bit easier on you and your wallet by designating the top services across 10 key categories.
Again, this is a U.S.-focused list, since that’s where we’re based. But many of these services are available outside the States, or will be in the next year or two.
The best service for … Prestige TV
Winner: HBO Max
The debate about the best TV show of all time always seems to wind up on HBO. The premium cable network has transformed expectations around what television can and should do, with shows like “The Sopranos” and “The Wire” regularly cited at the top of the list of all-time greats. And then there’s “Westworld,” “Game of Thrones,” newcomers like “Succession” and top-tier comedy like “Curb Your Enthusiasm,” “Eastbound and Down” and “The Larry Sanders Show.” Not every series has been a slam-dunk, but as far as prestige episodic television is concerned, you’re not going to do any better than HBO. (B.H.)
The best service for … Blockbusters
Disney has dominated the theatrical box office for the past decade, thanks to its acquisitions of Pixar, Marvel and Lucasfilm/Star Wars — not to mention the continued popularity of its animated films and live-action remakes. Disney+ is where you can catch up with almost all those big-budget hits, and it will be the streaming home for future Marvel blockbusters. (A.H.)
The best service for … Classics
Winner: Criterion Channel/HBO Max
While Criterion’s reputation can seem forbiddingly arty (see below) — and of course, some art films are stone cold movie classics — the service also offers plenty of classic Hollywood titles, like a recent retrospective showcasing Columbia noir. And if you’re a kaiju fan, it also has nearly every old-school Godzilla movie in its library. That said, it isn’t the only place you can find classic titles. HBO Max, in particular, is the streaming home to Turner Classic Movies, with some of the best films of all time, including “Casablanca” and “Citizen Kane.” And it has a deal to offer some Criterion titles, too. (A.H.)
The best service for … Documentaries
Winner: HBO Max/CuriosityStream
As with its drama and comedy series, there’s really no one out there who can touch HBO’s documentary output. The network has consistently racked up Emmy wins since the late ’90s. It’s had some added competition from Netflix in recent years, but HBO continues to deliver, including last year’s heart-wrenching “Leaving Neverland.” If you like your documentaries served with a side of more documentaries, however, there’s always CuriosityStream. $20/year will get you a boatload of original docs, broken down by category. (B.H.)
The best service for … Kids
All the big streaming services have a selection of movies and shows for kids, but it’s hard to beat the titles in Disney’s library — all their animated classics, plus Pixar, plus Disney Channel hits like “The Suite Life of Zack and Cody,” “Hannah Montana” and “High School Musical.” HBO Max is a strong runner-up with Sesame Street and the full Studio Ghibli library, but if your kid wants to sing along to “Frozen” over and over again, this is where they can do it. (A.H.)
The best service for … Indies
Winner: Hulu/Criterion Channel
Most streaming services (save for Apple TV+ and Disney+) have a pretty sizable selection of indies. The quality of the films varies greatly from service to service and film to film, but nearly all of them have some hidden gems for when you’re looking to spend a bit of time outside of the studio system. As far as the mainstream ones go, I was surprised to discover during this quarantine that Hulu has the best selections of the bunch, courtesy of deals with top notch indie distributors. If you want a straight shot of the stuff, however, the Criterion Channel is your best bet — and the supplementary content is unmatched by other services. (B.H.)
The best service for … Free stuff
To be honest, I had no idea Tubi existed until recently. I was searching for a Korean movie about a baseball playing gorilla (it’s real, seriously), and landed on the site, where it was streaming for free with ad breaks. You would probably end up banging your head against the wall if you relied on Tubi as your sole streaming service, but its selection is surprisingly solid. There are genuinely good films in there, in amongst the dregs. There are also plenty of dregs there, if that’s your thing. Also check out Walmart’s Vudu. In addition to your standard rentals, the service also has a decent selection of free films. (B.H.)
The best service for … Star Trek
Winner: CBS All Access
It might seem silly to build an entire streaming service around a single entertainment franchise, but a) Have you met Star Trek fans? And b) That was clearly the strategy behind CBS All Access, which has already released two Trek spinoffs, “Discovery” and “Picard.” Although the newly remerged ViacomCBS seems to have broader streaming plans, Star Trek still seems like a centerpiece of that strategy, with a whole bunch of new Trek content being developed under the supervision of Alex Kurtzman. (That said, Netflix, Hulu and Amazon are sufficient if you just want to rewatch The Original Series or The Next Generation.) (A.H.)
The best service for … Arthouse
Winner: Criterion Channel
Been missing trips to the local arthouse theater? With places like the Anthology Film Archives, Museum of the Moving Image and Angelika temporarily shut down here in New York, I’ve been finding some respite in the Criterion Collection’s truly excellent curated selection of films. While it’s true that sometimes the best thing for the pandemic is a little mindless movie watching, if you want to take in some culture without leaving the house, Criterion’s got you covered. (B.H.)
The best service for … a lot of everything
You may be wondering why we’ve barely mentioned the streaming world’s biggest player. That’s because Netflix isn’t actually the best in any one category — at least in our view. Instead, it’s pretty good in a whole bunch of categories, whether that’s older TV shows, classic films, original series like “The Crown” and “Stranger Things,” reality hits like “Tiger King” and original movies like “The Irishman.” So if you want a single service that scratches a whole bunch of different itches, Netflix is still your best bet.
Apple has now resolved the bug that was plaguing iPhone and iPad apps over the weekend, causing some apps to not launch at all. The issue was related to a bug with Apple’s Family Sharing system, it appears, as users reported error messages which said “This app is no longer shared with you,” and directed them to buy the app from the App Store in order to still use it.
Following this issue, users on Sunday said they were seeing dozens of pending app updates for their iOS devices, some of which even went back to the app’s last update from well over a week ago. Users reported in forums seeing as many as 10, 20, 50 or even 100-plus new updates to install. This indicated a fix was in the works, as these were not brand-new updates — the apps were already up to date. Instead, these reissued updates seem to have been part of the fix for the Family Sharing problem, as afterward the bug was resolved.
Apple confirmed the issue has now been resolved for all affected customers.
Apple-focused news sites, including MacRumors, 9to5Mac, Appleinsider and others, previously reported on the news of the bug and the following deluge of app updates. 9to5Mac also offered a plausible explanation for what happened, saying it was likely due to a signing issue of some kind. Apps were essentially behaving as if they were paid downloads and the right to use the app had been removed from the iCloud family circle, the site explained.
Some users discovered they could delete the troubled app then re-download it to resolve the problem. That’s what the forced app updates did, too — they overwrote the parts of the apps causing the issue. Had Apple not reissued the app updates, many iOS users would have likely assumed it was the app developer’s fault. And they may have then left unfair complaints and one-star reviews on the app’s App Store page as a result.
Apple has not shared any additional details about why the problem occurred in the first place, but if you happened to notice a significant increase in app updates on Sunday, that’s why.
A renowned iPhone hacking team has released a new “jailbreak” tool that unlocks every iPhone, even the most recent models running the latest iOS 13.5.
For as long as Apple has kept up its “walled garden” approach to iPhones by only allowing apps and customizations that it approves, hackers have tried to break free from what they call the “jail,” hence the name “jailbreak.” Hackers do this by finding a previously undisclosed vulnerability in iOS that breaks through some of the many restrictions that Apple puts in place to prevent access to the underlying software. Apple says it does this for security. But jailbreakers say breaking through those restrictions allows them to customize their iPhones more than they would otherwise, in a way that most Android users are already accustomed to.
Details of the vulnerability that the hackers used to build the jailbreak aren’t known, but it’s not expected to last forever. Just as jailbreakers work to find a way in, Apple works fast to patch the flaws and close the jailbreak.
Security experts typically advise iPhone users against jailbreaking their devices because breaking out of the walled garden allows users to download apps from third-party stores, vastly increasing the surface area for new vulnerabilities to exist and to be found.
The jailbreak comes at a time when the shine is wearing off of Apple’s typically strong security image. Last week, Zerodium, a broker for exploits, said it would no longer buy certain iPhone vulnerabilities because there were too many of them. It comes as Motherboard reports that hackers got their hands on a pre-release version of the upcoming iOS 14 release several months ago.
The debate over encryption continues to drag on without end.
In recent months, the discourse has largely swung away from encrypted smartphones to focus instead on end-to-end encrypted messaging. But a recent press conference by the heads of the Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) showed that the debate over device encryption isn’t dead, it was merely resting. And it just won’t go away.
At the presser, Attorney General William Barr and FBI Director Chris Wray announced that after months of work, FBI technicians had succeeded in unlocking the two iPhones used by the Saudi military officer who carried out a terrorist shooting at the Pensacola Naval Air Station in Florida in December 2019. The shooter died in the attack, which was quickly claimed by Al Qaeda in the Arabian Peninsula.
Early this year — a solid month after the shooting — Barr had asked Apple to help unlock the phones (one of which was damaged by a bullet), which were older iPhone 5 and 7 models. Apple provided “gigabytes of information” to investigators, including “iCloud backups, account information and transactional data for multiple accounts,” but drew the line at assisting with the devices. The situation threatened to revive the 2016 “Apple versus FBI” showdown over another locked iPhone following the San Bernardino terror attack.
After the government went to federal court to try to dragoon Apple into doing investigators’ job for them, the dispute ended anticlimactically when the government got into the phone itself after purchasing an exploit from an outside vendor the government refused to identify. The Pensacola case culminated much the same way, except that the FBI apparently used an in-house solution instead of a third party’s exploit.
You’d think the FBI’s success at a tricky task (remember, one of the phones had been shot) would be good news for the Bureau. Yet an unmistakable note of bitterness tinged the laudatory remarks at the press conference for the technicians who made it happen. Despite the Bureau’s impressive achievement, and despite the gobs of data Apple had provided, Barr and Wray devoted much of their remarks to maligning Apple, with Wray going so far as to say the government “received effectively no help” from the company.
This diversion tactic worked: in news stories covering the press conference, headline after headline after headline highlighted the FBI’s slam against Apple instead of focusing on what the press conference was nominally about: the fact that federal law enforcement agencies can get into locked iPhones without Apple’s assistance.
That should be the headline news, because it’s important. That inconvenient truth undercuts the agencies’ longstanding claim that they’re helpless in the face of Apple’s encryption and thus the company should be legally forced to weaken its device encryption for law enforcement access. No wonder Wray and Barr are so mad that their employees keep being good at their jobs.
By reviving the old blame-Apple routine, the two officials managed to evade a number of questions that their press conference left unanswered. What exactly are the FBI’s capabilities when it comes to accessing locked, encrypted smartphones? Wray claimed the technique developed by FBI technicians is “of pretty limited application” beyond the Pensacola iPhones. How limited? What other phone-cracking techniques does the FBI have, and which handset models and which mobile OS versions do those techniques reliably work on? In what kinds of cases, for what kinds of crimes, are these tools being used?
We also don’t know what’s changed internally at the Bureau since that damning 2018 Inspector General postmortem on the San Bernardino affair. Whatever happened with the FBI’s plans, announced in the IG report, to lower the barrier within the agency to using national security tools and techniques in criminal cases? Did that change come to pass, and did it play a role in the Pensacola success? Is the FBI cracking into criminal suspects’ phones using classified techniques from the national security context that might not pass muster in a court proceeding (were their use to be acknowledged at all)?
Further, how do the FBI’s in-house capabilities complement the larger ecosystem of tools and techniques for law enforcement to access locked phones? Those include third-party vendors GrayShift and Cellebrite’s devices, which, in addition to the FBI, count numerous U.S. state and local police departments and federal immigration authorities among their clients. When plugged into a locked phone, these devices can bypass the phone’s encryption to yield up its contents, and (in the case of GrayShift) can plant spyware on an iPhone to log its passcode when police trick a phone’s owner into entering it. These devices work on very recent iPhone models: Cellebrite claims it can unlock any iPhone for law enforcement, and the FBI has unlocked an iPhone 11 Pro Max using GrayShift’s GrayKey device.
In addition to Cellebrite and GrayShift, which have a well-established U.S. customer base, the ecosystem of third-party phone-hacking companies includes entities that market remote-access phone-hacking software to governments around the world. Perhaps the most notorious example is the Israel-based NSO Group, whose Pegasus software has been used by foreign governments against dissidents, journalists, lawyers and human rights activists. The company’s U.S. arm has attempted to market Pegasus domestically to American police departments under another name. Which third-party vendors are supplying phone-hacking solutions to the FBI, and at what price?
Finally, who else besides the FBI will be the beneficiary of the technique that worked on the Pensacola phones? Does the FBI share the vendor tools it purchases, or its own home-rolled ones, with other agencies (federal, state, tribal or local)? Which tools, which agencies and for what kinds of cases? Even if it doesn’t share the techniques directly, will it use them to unlock phones for other agencies, as it did for a state prosecutor soon after purchasing the exploit for the San Bernardino iPhone?
We have little idea of the answers to any of these questions, because the FBI’s capabilities are a closely held secret. What advances and breakthroughs it has achieved, and which vendors it has paid, we (who provide the taxpayer dollars to fund this work) aren’t allowed to know. And the agency refuses to answer questions about encryption’s impact on its investigations even from members of Congress, who can be privy to confidential information denied to the general public.
The only public information coming out of the FBI’s phone-hacking black box is nothingburgers like the recent press conference. At an event all about the FBI’s phone-hacking capabilities, Director Wray and AG Barr cunningly managed to deflect the press’s attention onto Apple, dodging any difficult questions, such as what the FBI’s abilities mean for Americans’ privacy, civil liberties and data security, or even basic questions like how much the Pensacola phone-cracking operation cost.
As the recent PR spectacle demonstrated, a press conference isn’t oversight. And instead of exerting its oversight power, mandating more transparency, or requiring an accounting and cost/benefit analysis of the FBI’s phone-hacking expenditures — instead of demanding a straight and conclusive answer to the eternal question of whether, in light of the agency’s continually-evolving capabilities, there’s really any need to force smartphone makers to weaken their device encryption — Congress is instead coming up with dangerous legislation such as the EARN IT Act, which risks undermining encryption right when a population forced by COVID-19 to do everything online from home can least afford it.
The best-case scenario now is that the federal agency that proved its untrustworthiness by lying to the Foreign Intelligence Surveillance Court can crack into our smartphones, but maybe not all of them; that maybe it isn’t sharing its toys with state and local police departments (which are rife with domestic abusers who’d love to get access to their victims’ phones); that unlike third-party vendor devices, maybe the FBI’s tools won’t end up on eBay where criminals can buy them; and that hopefully it hasn’t paid taxpayer money to the spyware company whose best-known government customer murdered and dismembered a journalist.
The worst-case scenario would be that, between in-house and third-party tools, pretty much any law enforcement agency can now reliably crack into everybody’s phones, and yet nevertheless this turns out to be the year they finally get their legislative victory over encryption anyway. I can’t wait to see what else 2020 has in store.
The lead data regulator for much of big tech in Europe is moving inexorably towards issuing its first major cross-border GDPR decision — saying today it’s submitted a draft decision related to Twitter’s business to its fellow EU watchdogs for review.
“The draft decision focusses on whether Twitter International Company has complied with Articles 33(1) and 33(5) of the GDPR,” said the Irish Data Protection Commission (DPC) in a statement.
Europe’s General Data Protection Regulation came into application two years ago, as an update to the European Union’s long-standing data protection framework which bakes in supersized fines for compliance violations. More interestingly, regulators have the power to order that violating data processing cease, while in many EU countries third parties such as consumer rights groups can file complaints on behalf of individuals.
Since GDPR began being applied, there have been thousands of complaints filed across the bloc, targeting companies large and small — alongside a rising clamour around a lack of enforcement in major cross-border cases pertaining to big tech.
So the timing of the DPC’s announcement on reaching a draft decision in its Twitter probe is likely no accident. (GDPR’s actual anniversary of application is May 25.)
The draft decision relates to an inquiry the regulator instigated itself, in November 2018, after the social network had reported a data breach — as data controllers are required to do promptly under GDPR, risking penalties should they fail to do so.
Other interested EU watchdogs (all of them in this case) will now have one month to consider the decision — and lodge “reasoned and relevant objections” should they disagree with the DPC’s reasoning, per the GDPR’s one-stop-shop mechanism which enables EU regulators to liaise on cross-border inquiries.
In instances where there is disagreement between DPAs on a decision the regulation contains a dispute resolution mechanism (Article 65) — which loops in the European Data Protection Board (EDPB) to make a final decision on a majority basis.
On the Twitter decision, the DPC told us it’s hopeful this can be finalized in July.
Commissioner Helen Dixon has previously said the first cross-border decisions would be coming “early” in 2020. However, the complexity of working through new processes — such as the one-stop-shop — appears to have taken EU regulators longer than hoped.
The DPC is also dealing with a massive case load at this point, with more than 20 cross border investigations related to complaints and/or inquiries still pending decisions — with active probes into the data processing habits of a large number of tech giants; including Apple, Facebook, Google, Instagram, LinkedIn, Tinder, Verizon (TechCrunch’s parent company) and WhatsApp — in addition to its domestic caseload (operating with a budget that’s considerably less than it requested from the Irish government).
The scope of some of these major cross-border inquiries may also have bogged Ireland’s regulator down.
But — two years in — there are signs of momentum picking up, with the DPC’s deputy commissioner, Graham Doyle, pointing today to developments on four additional investigations from the cross-border pile — all of which concern Facebook owned platforms.
The furthest along of these is a probe into the level of transparency the tech giant provides about how user data is shared between its WhatsApp and Facebook services.
“We have this week sent a preliminary draft decision to WhatsApp Ireland Limited for their submissions which will be taken in to account by the DPC before preparing a draft decision in that matter also for Article 60 purposes,” said Doyle in a statement on that. “The inquiry into WhatsApp Ireland examines its compliance with Articles 12 to 14 of the GDPR in terms of transparency including in relation to transparency around what information is shared with Facebook.”
The other three cases the DPC said it’s making progress on relate to GDPR consent complaints filed back in May 2018 by the EU privacy rights not-for-profit, noyb.
noyb argues that Facebook uses a strategy of “forced consent” to continue processing individuals’ personal data — when the standard required by EU law is for users to be given a free choice unless consent is strictly necessary for provision of the service. (And noyb argues that microtargeted ads are not core to the provision of a social networking service; contextual ads could instead be served, for example.)
Per its statement today, the DPC said it has now completed the investigation phase of this complaint-based inquiry which it said is focused on “Facebook Ireland’s obligations to establish a lawful basis for personal data processing”.
“This inquiry is now in the decision-making phase at the DPC,” it added.
In further related developments it said it’s sent draft inquiry reports to the complainants and companies concerned for the same set of complaints for (Facebook owned) Instagram and WhatsApp.
Doyle declined to give any firm timeline for when any of these additional inquiries might yield final decisions. But a summer date would, presumably, be the very earliest timeframe possible.
The regulator’s hope looks to be that once the first cross-border decision has made it through the GDPR’s one-stop-shop mechanism — and yielded something all DPAs can sign up to — it will grease the tracks for the next tranche of decisions.
That said, clearly not all inquiries and decisions are equal. And what exactly the DPC decides in such high-profile probes will be key to whether or not there’s disagreement from other data protection agencies. Different EU DPAs can take a harder or softer line on applying the bloc’s rules, with some considerably more ‘business friendly’ than others, although the GDPR was intended to try to shrink differences of application.
If there is disagreement among regulators on major cross border cases, such as the Facebook ones, the GDPR’s one-stop-shop mechanism will require more time to work through to find consensus. So critics of the regulation are likely to have plenty of attack area still.
Some of the inquiries the DPC is leading are also likely to set standards which could have major implications for many platforms and digital businesses so there will be vested interests seeking to influence outcomes on all sides. But with GDPR hitting its second birthday — and still hardly any decision-shaped lumps taken out of big tech — the regional pressure for enforcements to get flowing is massive.
Given the blistering pace of tech developments — and the market muscle of big tech being applied to steamroller individual rights — EU regulators have to be able to close the gap between investigation and enforcement or watch their flagship framework derided as a paper tiger…
Just in time for the 2nd anniversary of the #GDPR the @DPCIreland dropped publicly that it *will* issue the first GDPR fine — not against Facebook, WhatsApp, Apple, LinkedIn, Instagram (…), but against the state child care agency.. #Enforcewhat? https://t.co/jbjZYYqSXg
— Max Schrems (@maxschrems) May 18, 2020
Summer is also shaping up to be an interesting time for privacy watchers for another reason, with a landmark decision due from Europe’s top court on July 16 on the so called ‘Schrems II’ case (named for the Austrian lawyer, privacy rights campaigner and noyb founder, Max Schrems, who lodged the original complaint) — which relates to the legality of Standard Contractual Clauses (SCC) as a mechanism for personal data transfers out of the EU.
The DPC’s statement today makes a point of flagging this looming decision, with the regulator writing: “The case concerns proceedings initiated and pursued in the Irish High Court by the DPC which raised a number of significant questions about the regulation of international data transfers under EU data protection law. The judgement from the CJEU on foot of the reference made arising from these proceedings is anticipated to bring much needed clarity to aspects of the law and to represent a milestone in the law on international transfers.”
A legal opinion issued at the end of last year by an influential advisor to the court emphasized that EU data protection authorities have an obligation to step in and suspend data transfers by SCC if they are being used to send citizens’ data to a place where their information cannot be adequately protected.
Should the court hold to that view, all EU DPAs will have an obligation to consider the legality of SCC transfers to the US “on a case-by-case basis”, per Doyle.
“It will be in every single case you’d have to go and look at the set of circumstances in every single case to make a judgement whether to instruct them to cease doing it. There won’t be just a one size fits all,” he told TechCrunch. “It’s an extremely significant ruling.”
(If you’re curious about ‘Schrems I’, read this from 2015.)
Apple is facing fresh questions from its lead data protection regulator in Europe following a public complaint by a former contractor who revealed last year that workers doing quality grading for Siri were routinely overhearing sensitive user data.
Earlier this week the former Apple contractor, Thomas le Bonniec, sent a letter to European regulators laying out his concern at the lack of enforcement on the issue — in which he wrote: “I am extremely concerned that big tech companies are basically wiretapping entire populations despite European citizens being told the EU has one of the strongest data protection laws in the world. Passing a law is not good enough: it needs to be enforced upon privacy offenders.”
The timing of the letter comes as Europe’s updated data protection framework, the GDPR, reaches its two-year anniversary — facing ongoing questions around the lack of enforcement related to a string of cross-border complaints.
Ireland’s Data Protection Commission (DPC) has been taking the brunt of criticism over whether the General Data Protection Regulation is functioning as intended — as a result of how many tech giants locate their regional headquarters on its soil (Apple included).
Responding to the latest Apple complaint from le Bonniec, the DPC’s deputy commissioner, Graham Doyle, told TechCrunch: “The DPC engaged with Apple on this issue when it first arose last summer and Apple has since made some changes. However, we have followed up again with Apple following the release of this public statement and await responses.”
At the time of writing Apple had not responded to a request for comment.
The Irish DPC is currently handling more than 20 major cross-border cases, as lead data protection agency — probing the data processing activities of companies including Apple, Facebook, Google and Twitter. So le Bonniec’s letter adds to the pile of pressure on commissioner Helen Dixon to begin issuing decisions vis-à-vis cross-border GDPR complaints. (Some of which are now a full two years old.)
Last year Dixon said the first decisions for these cross-border cases would be coming “early” in 2020.
At issue is that if Europe’s recently updated flagship data protection regime isn’t seen to be functioning well two years in — and is still saddled with a bottleneck of high-profile cases, rather than having a string of major decisions to its name — it will be increasingly difficult for the region’s lawmakers to sell it as a success.
At the same time the existence of a pan-EU data protection regime — and the attention paid to contravention, by both media and regulators — has had a tangible impact on certain practices.
Apple suspended human review of Siri snippets globally last August, after The Guardian had reported that contractors it employed to review audio recordings of users of its voice assistant tech — for quality grading purposes — regularly listened in to sensitive content such as medical information and even recordings of couples having sex.
Later the same month it made changes to the grading program, switching audio review to an explicitly opt-in process. It also brought the work in house — meaning only Apple employees have since been reviewing Siri users’ opt-in audio.
The tech giant also apologized, but did not appear to face any specific regulatory sanction for practices that do look to have been incompatible with Europe’s laws — owing to the lack of transparency and explicit consent around the human review program. Hence le Bonniec’s letter of complaint now.
A number of other tech giants also made changes to their own human grading programs around the same time.
Doyle also pointed out that guidance for EU regulators on voice AI tech is in the works, saying: “It should be noted that the European Data Protection Board is working on the production of guidance in the area of voice assistant technologies.”
We’ve reached out to the European Data Protection Board for comment.
There are a number of different technologies both proposed and in development to help smooth the reopening of parts of the economy even as the threat of the COVID-19 pandemic continues. One such tech solution launching today comes from Brian McClendon, co-founder of Keyhole, the company that Google purchased in 2004 that would form the basis of Google Earth and Google Maps. McClendon’s new CVKey Project is a registered nonprofit that is launching with an app for symptom self-assessment that generates a temporary QR code, which will work with participating community facilities as a kind of health “pass” on an opt-in basis.
Ultimately, CVKey Project hopes to launch an entire suite of apps dedicated to making it easier to reopen public spaces safely. Apple and Google recently launched an exposure notification API that would allow CVKey to include those notifications in its apps. CVKey also plans to provide information about facilities open under current government guidelines and their policies to prevent the spread of COVID-19 as much as possible.
The core element of CVKey Project’s approach, however, is the use of a QR code generated by its app that essentially acts as a verification that you’re “safe” to enter one of these shared spaces. The system is designed with user privacy in mind, according to McClendon. Any identity or health data exists only on a user’s individual device — no data is ever uploaded to a cloud server or shared without a user’s consent. Information is also provided about what that sharing entails. Users voluntarily offer their health info, and the app never asks for location information. Most of what it does can be done without an internet connection at all, McClendon explains.
When you generate and scan a QR code at a participating location, a simple binary display (based on the location’s policies) indicates whether you’re cleared to pass. The location won’t see any specifics about your health information. The code simply transmits the particulars of shown symptoms (which ones and how recently, for instance), and then that is matched against the public space’s policy. The app then provides a “go”/“no-go” response.
McClendon created CVKey Project with former Google Earth, Google Maps and Uber co-workers Manik Gupta and Waleed Kadous, as well as Dr. Marci Nielsen, a public health specialist with a long history of public and private institution leadership.
The apps created by CVKey Project will be available soon, and the nonprofit is looking for potential partners to participate in its program. Like just about everything else designed to address the COVID-19 crisis, it’s not a simple fix, but it could form part of a larger strategy that provides a path forward for dealing with the pandemic.
When Apple added the ability to export transactions via spreadsheet to its credit card, Matthew hit up the folks at Copilot, asking whether they planned to support the feature. The answer was essentially “not yet, but soon.” This week, however, it’s finally official.
The makers of the personal finance tracking app announced that users can now import the Apple Card’s CSV spreadsheet into Copilot. The app will then go to work categorizing the transactions into topics, like transportation, subscription services, shops and restaurants.
Those who manually manage their expenses can consolidate the information into a single place, while the app removes any duplicates from the list. From there, it will create a historical balance and utilization rate for the Apple Card.
Hey Apple Card users Copilot can now import your statements directly from the Wallet app!
This feature comes with improved categorization, automatic detection of duplicates (very useful if you're also logging expenses by hand), and historical balances https://t.co/CkgtU8rdaP pic.twitter.com/4PAq2u5guP
— Copilot (@copilotmoney) May 21, 2020
Removing as much friction as possible from a daunting subject like expenses is the bread and butter of apps like Copilot, and the Apple integration looks to be a stupidly easy way to keep charges organized in one convenient spot. Copilot’s chief competitor Mint already accepts spreadsheet imports, as do other apps, including Clarity Money, YNAB and Lunch Money.
Unfortunately, there’s no automated way to import the sheets at the moment, meaning you’ll have to do it manually for each. Copilot founder Andres Ugarte says the company is working on a fully automated process.
Per Ugarte, “Apple Card support has been a top request from our users since we launched. This integration required extensive backend development to ensure that upon import, Copilot could seamlessly integrate Apple Card data with the rest of a user’s financial life. We wanted to ensure we weren’t cutting any corners, and that Apple Card transactions could take advantage of the same algorithmic categorization and analysis that Copilot uses for other financial institutions.”
Apple has released iOS 13.5, which includes support for the Exposure Notification API that it co-created with Google to support public health authorities in their contact-tracing efforts to combat COVID-19. The API requires third-party apps developed by public health authorities for use, and none have yet been released, but iOS device users already have access to COVID-19 Exposure Logging global settings.
As previewed in the beta release, you can access the Exposure Logging settings under the Settings app, then navigate to the Privacy subsection. From there, you can select the Health submenu and find the COVID-19 Exposure Logging setting, which will be off by default. It can’t be turned on at all until you actually get an authorized app to enable it, at which point you’ll receive a pop-up asking you to authorize Exposure Notifications access. Once you do, you can return here to toggle notifications off, and also manually delete your device’s exposure log should you choose to opt out.
Apple and Google both have emphasized that they want as much user control and visibility into the Exposure Notification API as possible. They’re using randomized, temporary identifiers that are not centrally stored to do the exposure notification, and are also forbidding the simultaneous use of geolocation services and the Exposure Notification API within the same app. This manual control is another step to ensure that users have full control over what info they share to participate in the system, and when.
Contact tracing is a time-tested strategy for combating the spread of infectious disease, and has traditionally worked by attempting to trace potential exposure by interviewing infected individuals and learning as much as possible about their movements during their infectious period. Modern connected devices mean that we can potentially make this far more efficient and accurate, but Google and Apple have worked with privacy experts to try to determine a way to make this happen without exposing users to privacy risks. Matching also happens locally on a user’s device, not in any centralized database.
Apple and Google are currently working with public health authorities who are building apps based on this API, and the companies also have noted that this is a temporary measure that has been designed from the beginning to be disabled once the threat of COVID-19 has passed.
Apple and Google today made available the first public version of their exposure notification API, which originally debuted as a joint contact-tracing software tool. The partners later renamed it the Exposure Notification system to more accurately reflect its functionality, which is designed to notify individuals of potential exposure to others who have confirmed cases of COVID-19, while preserving privacy around identifying info and location data.
The launch today means that public health agencies can now use the API in apps released to the general public. To date, Apple and Google have only released beta versions of the API to help developers with the development process.
To be clear, this launch means that developers working on behalf of public health agencies can now issue apps that make use of it – Apple and Google themselves are not creating an exposure notification or contact tracing app. The companies say that many U.S. states and 22 countries across five continents have already asked for, and been provided access to the API to support their development efforts, and they anticipate more being added going forward. So far, Apple and Google say they have conducted over 24 briefings and tech talks for public health officials, epidemiologists, and app developers working on their behalf.
The exposure notification API works using a decentralized identifier system that uses randomly generated temporary keys created on a user’s device (but not tied to their specific identity or info). Apple and Google’s API allows public health agencies to define what constitutes potential exposure in terms of exposed time and distance, and they can tweak transmission risk and other factors according to their own standards.
Further, Apple and Google will allow apps to make use of a combination of the API and voluntarily submitted user data that they provide through individual apps to enable public health authorities to contact exposed users directly to make them aware of what steps they should take.
During the course of the API’s development, Apple and Google have made various improvements to ensure that privacy is an utmost consideration, including encrypting all Bluetooth metadata (like signal strength and specific transmitting power) since that could potentially be used to determine what type of device was used, which offers a slim possibility of associating an individual with a specific device and using that as one vector for identification.
The companies have also explicitly barred use of the API in any apps that also seek geolocation information permission from users – which means some apps being developed by public health authorities for contact tracing that use geolocation data won’t be able to access the exposure notification API. That has prompted some to reconsider their existing approach.
Apple and Google provided the following joint statement about the API and how it will support contact tracing efforts undertaken by public health officials and agencies:
One of the most effective techniques that public health officials have used during outbreaks is called contact tracing. Through this approach, public health officials contact, test, treat and advise people who may have been exposed to an affected person. One new element of contact tracing is Exposure Notifications: using privacy-preserving digital technology to tell someone they may have been exposed to the virus. Exposure Notification has the specific goal of rapid notification, which is especially important to slowing the spread of the disease with a virus that can be spread asymptomatically.
To help, Apple and Google cooperated to build Exposure Notifications technology that will enable apps created by public health agencies to work more accurately, reliably and effectively across both Android phones and iPhones. Over the last several weeks, our two companies have worked together, reaching out to public health officials, scientists, privacy groups and government leaders all over the world to get their input and guidance.
Starting today, our Exposure Notifications technology is available to public health agencies on both iOS and Android. What we’ve built is not an app — rather public health agencies will incorporate the API into their own apps that people install. Our technology is designed to make these apps work better. Each user gets to decide whether or not to opt-in to Exposure Notifications; the system does not collect or use location from the device; and if a person is diagnosed with COVID-19, it is up to them whether or not to report that in the public health app. User adoption is key to success and we believe that these strong privacy protections are also the best way to encourage use of these apps.
Today, this technology is in the hands of public health agencies across the world who will take the lead and we will continue to support their efforts.
The companies previously announced plans to make Exposure Notification a system-level feature in a later update to both their respective mobile operating systems, to be released sometime later this year. That ‘Phase two’ portion of the strategy might be under revision, however, as Google and Apple said they continue to be in conversation with public health authorities about what system-level features will be useful to them in development of their COVID-19 mitigation strategies.
If you follow me on Twitter you may have seen me waxing poetic about The Midnight, an LA-based synthwave band that has been putting out modern nostalgia for the 80s set since 2012. Yeah yeah, why is this on TechCrunch? Because I love it and I know a good chunk of our audience will too, simple as that. Also I’m the boss, so no one can tell me what not to post. Deal.
The Midnight is Tyler Lyle and Tim McEwan and their latest album, Monsters, hits in July of 2020 — but you can check out their discography on Spotify or Apple Music. There is also a dope visual scene on YouTube cutting together their songs with movie montages from the synth era — as well as new bit heavy compositions from video artists.
I’ve been a fan for a few years now, and have listened to all of their releases many times on loop. Especially when I’m in full flow state writing or working on projects. It’s seriously nostalgia rich but also crisp and tight and not at all indulgent beyond the degree it needs to be.
I’m stoked to be able to drop in the world premiere of their new video with Gustavo Torres AKA Kidmograph — a visual artist working in motion design and music videos. “We’ve been fans of Kidmograph for a very long time and we’re so thankful that we get to partner with him on this lyric video,” said the band. “The ethos of this record about connection uses inspiration from the early PC culture of the late 80s and early 90s. Kidmograph totally nailed it.”
“The idea was to recreate some sort of retro video game where the character goes on an adventure into the depths of the sea (which in fact is the depths of its own mind) looking for an adventure (his love),” says Kidmograph. “At the end, we realize it was all an illusion, built in a small corner of a teenager’s room. The excuse of the lyric video as a video game representation was really fun and a different take to work with. Emulating an old operating system designed for the band, we dive through both the lyrics and visuals as an adventure into the unknown.”
Check out the lyric video premiere for Deep Blue here:
Apple outlines new safety measures as it reopens stores, Huawei responds to new U.S. chip curbs and Jack Ma departs SoftBank’s board of directors.
Here’s your Daily Crunch for May 18, 2020.
In mid-March, Apple closed all of its stores outside of China “until further notice.” In a statement issued today under the title, “To our Customers,” Retail SVP Deirdre O’Brien offered insight into the company’s plans to reopen locations.
Nearly 100 stores have already resumed services, according to O’Brien. Face covers will be required for both employees and customers alike. In addition, temperature checks are now conducted at the store’s entrance, coupled with posted health questions. Apple has also instituted deeper cleaning on all surfaces, including display products.
Following the U.S. government’s announcement that it would further thwart Huawei’s chip-making capability, the Chinese telecoms equipment giant condemned the new ruling for being “arbitrary and pernicious.” Adding to its woes, the Nikkei Asian Review reported that Taiwanese Semiconductor Manufacturing Co. has stopped taking new orders from the company. (Huawei declined to comment, while TSMC said the report was “purely market rumor.”)
The company did not give a reason for the resignation, but over the past year, Ma has been pulling back from business roles to focus on philanthropy. Last September, he resigned as Alibaba’s chairman, and is also expected to step down from its board at its annual general shareholder’s meeting this year.
Facebook-owned Oculus released a new sales figure as the company reaches the one-year anniversary of the release of the Quest headset. We didn’t get unit sales, but the company did share that it has sold $100 million worth of Quest content in the device’s first year — a number that indicates that although the platform is still nascent, a handful of developers are definitely making it work for them.
Devin Coldewey talks about what’s going to change with coffee shops and co-working spaces, Alex Wilhelm discusses the future of the home office setup and Danny Crichton talks about the revitalization of urban and semi-urban neighborhoods. (Extra Crunch membership required.)
In an internal email, which the Bangalore-headquartered food delivery startup published on its blog, Swiggy co-founder and chief executive Sriharsha Majety said the company’s core food business had been “severely impacted.”
The latest full episode of Equity looks at a funding round for pizza delivery company Slice and the possibility of Uber acquiring Grubhub, while the Monday news roundup takes a deeper look at the financials of the food delivery business. Meanwhile, Original Content is back on a weekly schedule, and we review the new Netflix series “Never Have I Ever.”
In mid-March, Apple closed all of its stores outside of China “until further notice.” It was a sweeping — but necessary — move for a world facing down a growing pandemic. In a statement issued today under the title, “To our Customers,” Retail SVP Deirdre O’Brien offered insight into the company’s plans to reopen locations.
Nearly 100 stores have already resumed services, according to O’Brien — though the famously open retail spaces are taking on a new look in the face of the highly contagious novel coronavirus. “In every store, we’re focused on limiting occupancy and giving everybody lots of room, and renewing our focus on one‑on‑one, personalized service at the Genius Bar and throughout the store,” she writes.
A spokesperson for the company adds, “Next week we’ll continue our very gradual and thoughtful reopening of US stores, adding more than 25 locations in seven states. While we know many customers are eager for their local store to reopen, our commitment is to reopen our stores when we are confident the environment is safe. We miss our customers and look forward to seeing them again soon.”
As seen in the above image, face covers will be required for both employees and customers alike — already a legal requirement in many locales. More unusual for many retail establishments is the addition of temperature checks now conducted at the store’s entrance, coupled with posted health questions. Apple has also instituted deeper cleaning on all surfaces, including display products.
That last point is an important one, given how much of the company’s store layout revolves around hands-on products. Curbside pickup and drop-off have been added, as well, for those who understandably would like to avoid the in-person experience.
As for when each location reopens, Apple says it’s monitoring health trends and local/national guidance to determine the timeframe. And as the conversation around secondary waves begins to become a reality in many areas, O’Brien says the company will close stores down again, if necessary. “These are not decisions we rush into,” she writes, “and a store opening in no way means that we won’t take the preventative step of closing it again should local conditions warrant.”
A major question mark attached to national coronavirus contact-tracing apps is whether they will function when citizens of one country travel to another. Or will people be asked to download and use multiple apps if they’re traveling across borders?
Having to use multiple apps when travelling would further complicate an unproven technology which seeks to repurpose standard smartphone components for estimating viral exposure — a task for which our mobile devices were never intended.
In Europe, where a number of countries are working on smartphone apps that use Bluetooth radios to try to automate some contact tracing by detecting device proximity, the interoperability challenge is particularly pressing, given the region is criss-crossed with borders. Although, in normal times, European Union citizens can all but forget they exist thanks to agreements intended to facilitate the free movement of EU people in the Schengen Area.
Currently, with many EU countries still in degrees of lockdown, there’s relatively little cross-border travel going on. But the European Commission has been focusing attention on supporting the tourism sector during the coronavirus crisis — proposing a tourism and transport package this week which sets out recommendations for a gradual and phased lifting of restrictions.
Once Europeans start traveling again, the effectiveness of any national contact-tracing apps could be undermined if systems aren’t able to talk to each other. In the EU, this could mean, for example, a French citizen who travels to Germany for a business trip — where they spend time with a person who subsequently tests positive for COVID — may not be warned of the exposure risk. Or indeed, vice versa.
In the U.K., which remains an EU member until the end of this year (during the Brexit transition period), the issue is even more pressing — given Ireland’s decision to opt for a decentralized app architecture for its national app. Over the land border in Northern Ireland, which is part of the U.K., the national app would presumably be the centralized system that’s being devised by the U.K.’s NHSX. And the NHSX’s CEO has admitted this technical division presents a specific challenge for the NHS COVID-19 app.
There are much broader questions over how useful (or useless) digital contact tracing will prove to be in the fight against the coronavirus. But it’s clear that if such apps don’t interoperate smoothly in a multi-country region such as Europe, there will be additional, unhelpful gaps opening up in the data.
Any lack of cross-border interoperability will, inexorably, undermine functionality — unless people give up travelling outside their own countries for good.
EU Member States recognize this, and this week agreed to a set of interoperability guidelines for national apps — writing that: “Users should be able to rely on a single app independently of the region or Member State they are in at a certain moment.”
The full technical detail of interoperability is yet to be figured out — “to ensure the operationalisation of interoperability as soon as possible,” as they put it.
But the intent is to work together so that different apps can share a minimum of data to enable exposure notifications to keep flowing as Europeans travel around the region, as (or once) restrictions are lifted.
“Whatever the approach taken with approved apps, all Member States and the Commission consider that interoperability between these apps and between backend systems is essential for these tools to enable the tracing of cross-border infection chains,” they write. “This is particularly important for cross-border workers and neighbouring countries. Ultimately, this effort will support the gradual lifting of border controls within the EU and the restoration of freedom of movement. These tools should be integrated with other tools contemplated in the COVID-19 contact-tracing strategy of each Member State.”
European users should be able to expect interoperability. But whether smooth cross-border working will happen in practice remains a major question mark. Getting multiple different health systems and apps that might be calculating risk exposure in slightly different ways to interface and share the relevant bits of data in a secure way is itself a major operational and technical challenge.
However, this is made even more of a headache given ongoing differences between countries over the core choice of app architecture for their national coronavirus contact tracing.
This boils down to a choice of either a decentralized or centralized approach — with decentralized protocols storing and processing data locally on smartphones (i.e. the matching is done on-device); and centralized protocols that upload exposure data and perform matching on a central server which is controlled by a national authority, such as a health service.
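The two architectures can be compared by looking at what each server ends up holding. The sketch below is an added example, not code from Apple, Google or any national app: the class names, the constructed encounter and the HMAC-SHA256 identifier derivation are assumptions chosen for illustration, and the derivation is a stand-in rather than the one used by any real protocol.

```python
import hashlib
import hmac
import secrets

SLOTS_PER_DAY = 144  # assumed rotation schedule: one identifier per 10 minutes


def rolling_id(daily_key: bytes, slot: int) -> bytes:
    """Short-lived broadcast identifier derived from a device-held key.
    HMAC-SHA256 is a stand-in, not the derivation of any deployed system."""
    msg = b"rolling-id" + slot.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Device:
    """Phone in the decentralized model: keys and contact log stay local."""

    def __init__(self, name: str):
        self.name = name
        self.daily_keys = {}  # day -> random key generated on the device
        self.heard = set()    # (day, identifier) pairs received over Bluetooth

    def broadcast(self, day: int, slot: int) -> bytes:
        key = self.daily_keys.setdefault(day, secrets.token_bytes(16))
        return rolling_id(key, slot)

    def hear(self, day: int, identifier: bytes) -> None:
        self.heard.add((day, identifier))

    def keys_to_report(self):
        """What a diagnosed user may choose to upload: keys only, no contacts."""
        return sorted(self.daily_keys.items())

    def match_on_device(self, published):
        """Re-derive identifiers from published keys and compare them with
        the local log. Nothing about this device is sent to the server."""
        hits = set()
        for day, key in published:
            for slot in range(SLOTS_PER_DAY):
                if (day, rolling_id(key, slot)) in self.heard:
                    hits.add((day, slot))
        return hits


class CentralServer:
    """Centralized model: the server issues identifiers and does the matching."""

    def __init__(self):
        self.registry = {}    # identifier -> account pseudonym
        self.at_risk = set()  # accounts the server has resolved as contacts

    def issue(self, account: str) -> bytes:
        identifier = secrets.token_bytes(16)
        self.registry[identifier] = account
        return identifier

    def report_contacts(self, heard_identifiers):
        """A diagnosed user uploads what they heard; the server learns who they met."""
        contacts = {self.registry[i] for i in heard_identifiers if i in self.registry}
        self.at_risk |= contacts
        return contacts


def run_demo():
    # Constructed encounter: bob is near alice on day 1, slot 50; carol never is.
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    bob.hear(1, alice.broadcast(1, 50))
    carol.hear(1, bob.broadcast(1, 51))
    published = alice.keys_to_report()  # alice tests positive and opts in
    on_device = {d.name: d.match_on_device(published) for d in (bob, carol)}

    server = CentralServer()
    bob_id = server.issue("acct-bob")
    server.issue("acct-carol")
    server_view = server.report_contacts([bob_id])  # alice uploads what she heard
    return on_device, published, server_view


if __name__ == "__main__":
    print(run_demo())
```

In the decentralized run the server holds only the diagnosed user's keys, while in the centralized run it holds the account pseudonyms of that user's contacts.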
While there look to be clear paths for interoperability between different decentralized protocols — here, for example, is a detailed discussion document written by backers of different decentralized protocols on how proximity tracing systems might interoperate across regions — interoperability between decentralized and centralized protocols, which are really polar opposite approaches, looks difficult and messy to say the least.
And that’s a big problem if we want digital contact tracing to smoothly take place across borders.
(Additionally, some might say that if Europe can’t agree on a common way forward vis-à-vis a threat that affects all the region’s citizens, it does not reflect well on the wider “European project”; aka the Union to which many of the region’s countries belong. But health is a Member State competence, meaning the Commission has limited powers in this area.)
In the eHealth Network “Interoperability guidelines” document, Member States agree that interoperability should happen regardless of which app architecture a European country has chosen.
But a section on cross-border transmission chains can’t see a way forward on how exactly to do that yet [emphasis ours] — i.e. beyond general talk of the need for “trusted and secure” mechanisms:
Solutions should allow Member States’ servers to communicate and receive relevant keys between themselves using a trusted and secure mechanism.
Roaming users should upload their relevant proximity encounter information to the home country backend. The other Member State(s) should be informed about possible infected or exposed users*.
*For roaming users, the question of to which servers the relevant proximity contacts details should be sent will be further explored during technical discussions. Interoperability questions will also be explored in relation to how a user’s app should behave after confirmed as COVID-19 positive and the possible need for a confirmation of infection free.
Conversely, the 19 academics behind the proposal for interoperability of different decentralized contact-tracing protocols do include a section at the end of the document discussing how, in theory, such systems could plug into “alternatives”: aka centralized systems.
But it’s thick with privacy caveats.
The academics warn that while interoperability between decentralized and centralized systems “is possible in principle, it introduces substantial privacy concerns” — writing that, on the one hand, decentralized systems have been designed specifically to prevent a central authority from being able to recover the identity of users; and “consequently, centralized risk calculation cannot be used without severely weakening the privacy of users of the decentralized system.”
While, on the other, if decentralized risk calculation is used as the “bridge” to achieve interoperability between the two philosophically opposed approaches — by having centralized systems “publish a list of all decentralized ephemeral identifiers it believes to be at risk of infection due to close proximity with positive-tested users of the centralized system” — then it would make it easier for attackers to target centralized systems with reidentification attacks of any positive-tested users. So, again, you get additional privacy risks.
“In particular, each user of the decentralized system would be able to recover the exact time and place they were exposed to the positive-tested individual by comparing their list of recorded ephemeral identifiers which they emitted with the list of ephemeral identifiers published by the server,” they write, specifying that the attack would reveal in which “15-minute” period an app user was exposed to a COVID-positive person.
And while they concede there’s a similar risk of reidentification attacks against all forms of decentralized systems, they contend this is more limited — given that decentralized protocol design is being used to mitigate this risk “by only recording coarse timing information,” such as six-hour intervals.
So, basically, the argument is there’s a greater chance that you might only encounter one other person in a 15-minute interval (and therefore could easily guess who might have given you COVID) versus a six-hour window. Albeit, with populations likely to continue to be encouraged to stay at home as much as possible for the foreseeable future, there is still a chance a user of a decentralized system might only pass one other person over a larger time interval too.
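The timing argument above can be turned into a measurable quantity: the number of distinct people a user met inside the window the system reveals. The following is an added example, not taken from the academics' document; the identifiers, timestamps and contact labels are constructed, and the window length is applied as a parameter to stand in for how coarsely a given design records time.

```python
from datetime import datetime, timedelta


def window_start(ts: datetime, minutes: int) -> datetime:
    """Round a timestamp down to the start of its reporting window."""
    day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    slot = int((ts - day).total_seconds() // (minutes * 60))
    return day + timedelta(minutes=slot * minutes)


def exposure_windows(emitted, published, minutes):
    """Windows in which this device emitted an identifier that the server
    later listed as at risk, at the given timing granularity."""
    return sorted({window_start(ts, minutes)
                   for eph_id, ts in emitted if eph_id in published})


def anonymity_set(window, encounters, minutes):
    """Distinct people the user met inside one revealed window."""
    return {who for who, ts in encounters
            if window_start(ts, minutes) == window}


def assess(emitted, published, encounters, minutes):
    """Map each revealed window to its anonymity set. A set of size 1 means
    the notification effectively names the positive-tested person."""
    return {w: anonymity_set(w, encounters, minutes)
            for w in exposure_windows(emitted, published, minutes)}


# --- Constructed sample data (not from any real system) ---
START = datetime(2020, 5, 15, 8, 0)
# One identifier emitted per 15-minute period, 08:00 to 14:00.
EMITTED = [(f"eph-{i:02d}", START + timedelta(minutes=15 * i)) for i in range(24)]
# The bridging server lists the identifier emitted at 09:30 as at risk.
PUBLISHED = {"eph-06"}
# The user's own recollection of who they were near, and when.
ENCOUNTERS = [
    ("contact-B", datetime(2020, 5, 15, 8, 10)),
    ("contact-A", datetime(2020, 5, 15, 9, 35)),
    ("contact-C", datetime(2020, 5, 15, 11, 50)),
    ("contact-D", datetime(2020, 5, 15, 13, 20)),
]

if __name__ == "__main__":
    for minutes in (15, 360):
        for window, people in assess(EMITTED, PUBLISHED, ENCOUNTERS, minutes).items():
            print(f"{minutes:>3}-minute window from {window:%H:%M}: "
                  f"{len(people)} candidate(s)")
```

A design review can run the same measurement over realistic encounter densities to choose a window length that keeps the set above a chosen minimum.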
As trade-offs go, the argument made by backers of decentralized systems is they’re inherently focused on the risks of reidentification — and actively working on ways to mitigate and limit those risks by system design — whereas centralized systems gloss over that risk entirely by assuming trust in a central authority to properly handle and process device-linked personal data. Which is of course a very big assumption.
While such fine-grained details may seem incredibly technical for the average user to need to digest, the core associated concern for coronavirus apps generally — and interoperability specifically — is that users need to be able to trust apps to use them.
So even if a person trusts their own government to handle their sensitive health data, they may be less inclined to trust another country’s government. Which means there could be some risk that centralized systems operating within a multi-country region such as Europe might end up polluting the “trust well” for these apps more generally — depending on exactly how they’re made to interoperate with decentralized systems.
The latter are designed so users don’t have to trust an authority to oversee their personal data. The former are absolutely not. So it’s really chalk and cheese.
At this point, momentum among EU nations has largely shifted behind decentralized protocols for coronavirus contact-tracing apps. As previously reported, there has been a major battle between different EU groups supporting opposing approaches. And — in a key shift — privacy concerns over centralized systems being associated with governmental “mission creep” and/or a lack of citizen trust appear to have encouraged Germany to flip to a decentralized model.
Apple and Google’s decision to support decentralized systems for the contact-tracing API they’re jointly developing, and due to release later this month (sample code is out already), has also undoubtedly weighted the debate in favor of decentralized protocols.
Not all EU countries are aligned at this stage, though. Most notably France remains determined to pursue a centralized system for coronavirus contact tracing.
As noted above, the U.K. has also been building an app that’s designed to upload data to a central server. Although it’s reportedly investigating switching to a decentralized model in order to be able to plug into the Apple and Google API — given technical challenges on iOS associated with background Bluetooth access.
Another outlier is Norway — which has already launched a centralized app (which also collects GPS data — against Commission and Member States’ own recommendations that tracing apps should not harvest location data).
High-level pressure is clearly being applied, behind the scenes and in public, for EU Member States to agree on a common approach for coronavirus contact-tracing apps. The Commission has been urging this for weeks. Even as French government ministers have preferred to talk in public about the issue as a matter of technological sovereignty — arguing national governments should not have their health policy decisions dictated to them by U.S. tech giants.
“It is for States to choose their architecture and requests were made to Apple to enable both [centralized and decentralized systems],” a French government spokesperson told us late last month.
While there may well be considerable sympathy with that point of view in Europe, there’s also plenty of pragmatism on display. And, sure, some irony — given the region markets itself regionally and globally as a champion of privacy standards. (No shortage of op-eds have been penned in recent weeks on the strange sight of tech giants seemingly schooling EU governments over privacy; while veteran EU privacy advocates have laughed nervously to find themselves fighting in the same camp as data-mining giant Google.)
Commission EVP Margrethe Vestager could also be heard on BBC radio this week suggesting she wouldn’t personally use a coronavirus contact-tracing app that wasn’t built atop a decentralized app architecture. Though the Brexit-focused U.K. government is unlikely to have an open ear for the views of Commission officials, even piped through establishment radio news channels.
The U.K. may be forced to listen to technological reality though, if its workaround for iOS Bluetooth background access proves as flakey as analysis suggests. And it’s telling that the NHSX is funding parallel work on an app that could plug into the Apple-Google API, per reports in the FT, which would mean abandoning the centralized architecture.
Which leaves France as the highest-profile hold-out.
In recent weeks a team at Inria, the government research agency that’s been working on its centralized ROBERT coronavirus contact-tracing protocol, proposed a third way for exposure notifications — called DESIRE — which was billed as an evolution of the approach “leveraging the best of centralized and decentralized systems.”
The new idea is to add a new type of secret, cryptographically generated key to the protocol, called Private Encounter Tokens (PETs), which would encode encounters between users — as a way to provide users with more control over which identifiers they disclose to a central server, and thereby avoid the system harvesting social graph data.
“The role of the server is merely to match PETs generated by diagnosed users with the PETs provided by requesting users. It stores minimal pseudonymous data. Finally, all data that are stored on the server are encrypted using keys that are stored on the mobile devices, protecting against data breach on the server. All these modifications improve the privacy of the scheme against malicious users and authority. However, as in the first version of ROBERT, risk scores and notifications are still managed and controlled by the server of the health authority, which provides high robustness, flexibility, and efficacy,” the Inria team wrote in the proposal.
The DP-3T consortium, backers of an eponymous decentralized protocol that’s gained widespread backing from governments in Europe, including Germany’s, followed up with a “practical assessment” of Inria’s proposal — in which they suggest the concept makes for “a very interesting academic proposal, but not a practical solution”; given limitations in current mobile phone Bluetooth radios and, more generally, questions around scalability and feasibility. (tl;dr this sort of idea could take years to properly implement and the coronavirus crisis hardly involves the luxury of time.)
The DP-3T analysis is also heavily skeptical that DESIRE could be made to interoperate with either existing centralized or decentralized proposals — suggesting a sort of “worst of both worlds” scenario on the cross-border functionality front. So, er…
One person familiar with EU Member States’ discussions about coronavirus-tracing apps and interoperability, who briefed TechCrunch on condition of anonymity, also suggested the DESIRE proposal would not fly given its relative complexity (versus the pressing need to get apps launched soon if they are to be of any use in the current pandemic). This person also pointed to question marks over required bandwidth and impact on device battery life. For DESIRE to work they suggested it would need universal uptake by all Europe’s governments — and every EU nation agreeing to adopt a French proposal would hardly carry the torch for nation state sovereignty.
What France does with its tracing app remains a key unanswered question. (An earlier planned debate on the issue in its parliament was shelved.) It is a major EU economy and, where interoperability is concerned, simple geography makes it a vital piece of the Western European digital puzzle, given it has land borders (and train links into) a large number of other countries.
We reached out to the French government with questions about how it proposes to make its national coronavirus contact-tracing app interoperable with decentralized apps that are being developed elsewhere across the EU — but at the time of writing it had not responded to our email.
This week in a video interview with BFM Business, the president of Inria, Bruno Sportisse, was reported to have expressed hope that the app will be able to interoperate by June — but also said in an interview that if the project is unsuccessful “we will stop it.”
“We’re working on making those protocols interoperable. So it’s not something that is going to be done in a week or two,” Sportisse also told BFM (translated from French by TechCrunch’s Romain Dillet). “First, every country has to develop its own application. That’s what every country is doing with its own set of challenges to solve. But at the same time we’re working on it, and in particular as part of an initiative coordinated by the European Commission to make those protocols interoperable or to define new ones.”
One thing looks clear: Adding more complexity further raises the bar for interoperability. And development time frames are necessarily tight.
The pressing imperatives of a pandemic crisis also make talk of technological sovereignty sound a bit of, well, a bourgeois indulgence. So France’s ambition to single-handedly define a whole new protocol for every nation in Europe comes across as simultaneously tone-deaf and flat-footed — perhaps especially in light of Germany’s swift U-turn the other way.
In a pinch and a poke, European governments agreeing to coalesce around a common approach — and accepting a quick, universal API fix which is being made available at the smartphone platform level — would also offer a far clearer message to citizens. Which would likely help engender citizen trust in and adoption of national apps — that would, in turn, give the apps a greater chance of utility. A pan-EU common approach might also feed tracing apps’ utility by yielding fewer gaps in the data. The benefits could be big.
However, for now, Europe’s digital response to the coronavirus crisis looks messier than that — with ongoing wrinkles and questions over how smoothly different national apps will be able to work together as countries opt to go their own way.