How Google and Apple outflanked governments in
the race to build coronavirus apps
The tech giants played hardball in forcing
policymakers to fall in line with their approach to building digital tracking
tools.
By MARK
SCOTT, ELISA BRAUN, JANOSCH DELCKER AND VINCENT MANANCOURT 5/15/20, 5:25 AM CET
Updated 5/15/20, 5:29 AM CET
In the
digital fight against COVID-19, Big Tech squared off against governments — and
won.
As
policymakers around Europe pushed to develop smartphone apps to track the
spread of the coronavirus, Apple and Google flexed their muscles by laying out
conditions for building the tools, which are now set to be rolled out across
the bloc and beyond by early June.
In
conversations with more than 30 policymakers, data-protection experts,
independent computer scientists and tech engineers from across the EU and
United States, POLITICO pieced together how Google and Apple got their way,
often playing hardball with politicians who have used their opposition to U.S.
tech players to earn political capital with local voters. The companies also
teamed up with longtime privacy campaigners — often those who have balked at
Silicon Valley's collection of reams of people's personal data — to push back
against concerns about potential government surveillance.
In often
fraught discussions, officials weighed the need to protect privacy against the
public health imperative of tackling a virus that, so far, has left almost
300,000 people dead worldwide. Tech officials and privacy groups set aside
longstanding feuds to figure out how to build COVID-19 apps, often condensing
months of work into a few weeks. Politicians were left to decide whether to go
it alone, often with tech offerings that left much to be desired — or team up
with some of Silicon Valley's biggest names whose take-it-or-leave-it approach
rubbed some the wrong way.
A German-led group pushed ahead with a toolkit,
developed alongside 130 tech experts across eight countries, to build apps that
could detect potential infections.
"I'm
not taking a stand against Apple and Google," Cedric O, France's digital
minister, told POLITICO after publicly criticizing the companies for refusing
to work with Paris' independent coronavirus app. "I'm saying that I don't
want to be constrained by the internal policy choices of any company on a
matter of public health."
As
governments grapple to bring the coronavirus to heel, the unlikely alliance
between some of the world's largest tech companies and global privacy groups is
starting to bear fruit.
"We
hope to harness the power of technology to help countries around the world slow
the spread of COVID-19," the companies said when announcing their
initiative last month. Both declined to comment on their relationships with
governments on creating smartphone apps, though senior engineers involved in
the project stressed it was down to governments, not the companies, to
determine which approach to use.
By June,
national capitals from Berlin and Rome to Paris and London will roll out
smartphone apps that use mobile technology to trace people's interactions,
informing local populations if they have been in contact with others infected
with the coronavirus. Most of these programs, which may be in place well into
2021, rely on the approach championed by Google and Apple — often against
initial proposals tabled by policymakers worldwide.
The ability
of these tech companies to get their way, often with the support of local
privacy and security advocates, has raised questions about the role of Big Tech
in determining how governments respond to the global public health crisis. With
apps soon becoming available that both rely on Google and Apple's procedures,
and those that don't, the confusion will hobble Europe's strategy to coordinate
its response across the 27-country bloc and elsewhere because the different
digital tools cannot interact with each other.
"The
interoperability of these apps has been a major blind spot," said Michel
Beaudouin-Lafon, a computer science professor at the Université Paris-Saclay,
who co-authored a recent report on how these tools should operate. "From a
technical perspective, it will be difficult to get these apps to talk to one
another."
Germany
switches sides
Nowhere are
these tensions more apparent than in Germany, home to some of the world's
longest-standing privacy protections.
Early last
month, a German-led group pushed ahead with a toolkit, developed alongside 130
tech experts across eight countries, to build apps that could detect potential
infections. Critically, the plan allowed for placing everyone's data on a
central server and giving epidemiologists and policymakers access to some of
the information, to analyze how the virus spread nationwide.
Within
days, the initiative hit a brick wall. With little, if any, communication with
local experts and EU policymakers, Google and Apple announced on April 10 they
had partnered on software which would allow government-backed apps to trace
potential infections even while running in the background of people's
smartphones. The approach relied on data remaining, for the most part, on
people's devices. Both companies refused to open their technology to
governments pushing for centralized data storage, a strategy they considered
vulnerable to state snooping.
German
privacy and security experts quickly jumped into action. Within often-heated
WhatsApp conversations, some debated whether to throw their support behind
Apple and Google. Others questioned if the companies' efforts would cement
their already dominant position in the smartphone market. But by late April,
following similar warnings by international researchers from more than 25
countries, six influential civil liberties organizations sent an open letter to
the German government, criticizing the storage of people's data in one place
and warning that it could lead to mass government surveillance.
Two days
later, Chancellor Angela Merkel’s government intervened to ditch the initial
German-led proposals in favor of those promoted by Google and Apple.
“The
discussion among tech experts killed the credibility and trustworthiness of the
technology," a high-ranking German official told POLITICO. "That’s
why we decided to go with the different approach." Berlin's decision was
quickly followed by similar moves in Ireland, Italy and other countries as
officials shifted to adopt a decentralized approach, realizing it would be
better to partner with the tech giants, and the Germans, if these coronavirus
apps were to take off across the EU. The European Commission stressed it is up
to national governments to determine which app to use, but urged officials to find
ways for the tools to communicate across borders.
The choice
in Germany was made out of pragmatism rather than conviction — as well as a
growing awareness that Berlin needed to work closely with Apple and Google to
develop the app if engineers wanted to avoid serious glitches in their eventual
digital tool, according to conversations with almost half a dozen German
government and industry officials who spoke to POLITICO on condition of
anonymity because the deliberations are private.
“We need to
have a discussion on how Silicon Valley is increasingly taking over the job of
a nation state,” said a government official. “But we don’t need to have it amid
a pandemic.”
Germany now
plans to unveil its app, built by industry giants Deutsche Telekom and SAP, by
mid-June, several weeks later than originally planned, in part because the tech
giants will not release a key software component until mid-May, the same
officials said.
France digs
in its heels
While
Germany ultimately sided with Apple and Google, France went the opposite way
and ended up in an open confrontation with the tech giants.
Paris' work
started in mid-March just as Singapore was unveiling its own tracking tool.
While the country's interior minister said at the time that coronavirus apps
were "not part of French culture," O, the country's digital minister,
was already making plans with close advisers.
Experts at
France's National Institute for Research in Computer Science and Automation in
March initially reached out to Apple — without the backing of the French
government — with technical questions about how such a tracing tool could work,
according to a person involved in those discussions.
By early
April, officials had confirmed they were working on an app that would work by
centralizing users' data — an approach that had also been embraced by Germany,
until Google and Apple unveiled their plans in mid-April. French experts close
to those discussions told POLITICO that many involved in the project saw the
centralized approach as being more privacy-friendly compared to storing data
only on people's phones.
Not
everyone agreed. Amid an intense debate about potential government
surveillance, several government coders who favored Apple and Google's plans
were excluded from the so-called StopCovid app project, according to three
sources with direct knowledge of the project.
France moved ahead with its app that, by the
government's own admission, would not fully function on Apple and Google
devices because it would switch off when smartphones were in sleep mode.
"We
chose the centralized system because of data protection concerns and issues
regarding interconnection with [our] epidemiological system," O told
POLITICO. Both the country's privacy regulator and National Digital Council
said that France's plans complied with EU privacy rules, as long as appropriate
oversight was in place.
Several
people involved in the project said they were caught off-guard by Google and
Apple's announcement about the joint coronavirus app project. When they found
out, many through the companies' public statements, officials tried to convince
them to lift technical restrictions on the French approach that would prevent
the StopCovid app from working properly on almost all smartphones.
Aymeril
Hoang, who sits on the scientific council advising the government on digital
tracking, told POLITICO that he spoke repeatedly with Sébastian Gros, a
government relations manager for Apple, after the April 10 announcement to
persuade the firm to lift the constraints. His efforts were not successful.
Despite
that roadblock, France moved ahead with its app that, by the government's own
admission, would not fully function on Apple and Google devices because it
would switch off when smartphones were in sleep mode. That would be a major
stumbling block to the app's primary goal of tracing all potential encounters
with infected persons.
On April
20, O again urged the companies to work with officials to find a workaround.
But his pleas were rebuffed when the tech giants reaffirmed they would only
work on projects relying on decentralized data.
The digital
minister, who was previously an adviser to President Emmanuel Macron, dug in
his heels, refusing to bend to the decentralized approach. In particular, he
told POLITICO that it should be up to governments, not companies, to determine
what's best to protect citizens from the global pandemic.
With the
country starting to come out of its nationwide lockdown, France now plans to
roll out its app by June 2. But the standoff between Paris and Silicon Valley
firms continues to divide privacy advocates and government regulators.
"We
have a sort of statement of principle that Apple is putting forward that says
this or that solution is more or less protective for users without there being
any contradictory discussion on the issue," Sébastien Soriano, head of the
French telecoms regulator, told POLITICO. "Perhaps Apple is right and
would be able to demonstrate that accepting certain protocols poses risks to
its users. But there is no process for independent judges or authorities to
decide."
United
Kingdom stuck in the middle
After an
initial stalled response to the global public health crisis, London was eager
to show it was on top of tackling COVID-19 — and quickly turned, in early
March, to a potential smartphone tracking app that had proved successful in
parts of Asia.
Within
NHSX, the U.K. health service's newly created tech innovation unit, the debate
quickly focused on centralizing people's data — a strategy then being followed
by other countries in Europe — in part because it would allow nationwide
modeling on how the virus was evolving, something that could not be done
through a decentralized approach.
Ahead of
Google and Apple's decision to go down a different path, informal discussions
were held between the companies' government affairs executives and some in
Westminster to brief policymakers on the upcoming plans. But no formal heads-up
was given to the British government, according to three people briefed on the
discussions.
The
announcement divided opinion. Some within NHSX discussed changing the U.K.
strategy as questions began to be raised about how the app could access
smartphone technology needed to keep the tracing tool running when devices were
in sleep mode. Outsiders, including Michael Veale, a British digital rights
professor who helped to build a privacy-focused digital tracing tool that was
copied by the tech companies' separate efforts, also warned London their
efforts could be wasted if they didn't shift gears.
"On
the day of the Apple release, I sent them an email to explain their system
would not work properly in the background," he said.
London still plans to roll out its app nationwide by
late May and more than 65,000 people have downloaded it during the test phase.
Discussions
between the tech companies and U.K. officials remained mostly amicable, often
focused on how to get the the U.K.'s app quickly approved for both firms' app
stores. But frustrations have also boiled over because of Apple and Google's
refusal to work more directly with the U.K.'s centralized approach to its
tracing tool, according to two outside consultants briefed on the discussions.
On the
technical front, the NHSX app was also beset with problems, several times
failing basic security and privacy checks required for approval in the health
service's procurement process, according to another outside consultant with
knowledge of the matter. The Health Service Journal first reported these
failures.
Privacy
groups involved in the initial testing of the U.K. app said their communication
with NHSX was patchy, at best. Emails would go days without receiving a
response. Basic requirements, like filing a Data Protection Impact Assessment,
a mandatory part of any app development, were done after the digital tool began
to be tested on the Isle of Wight earlier this month, according to a review of
government documents.
"To
say the app is limited would be an understatement," said Christopher
Weatherhead, tech lead at advocacy group Privacy International, who was
involved in the tool's early testing. “As soon as the phone screen is off, the
app doesn't scan."
London
still plans to roll out its app nationwide by late May (more than 65,000 people
have downloaded it during the test phase). But officials also have approved
plans for another tracing tool — this time based on Google and Apple's approach
— in case the technical limitations of the current app cannot be overcome,
according to two people with direct knowledge of the project and government
procurement records. The Financial Times first reported the potential U-turn.
Nothing has
yet to be decided, with officials saying they want to keep every avenue open.
But as the
U.K. considers jumping ship to join the tech companies, privacy advocates
stress the irony that after years of berating Google and Apple for not
protecting people's privacy, these tech giants are fast becoming gatekeepers to
stop potential government surveillance — a position that may further cement
their position in people's digital lives.
"The
most efficient privacy regulators in the world right now are Apple and
Google," said Daragh O'Brien, a privacy consultant in Dublin who pushed
back publicly with other local experts at Ireland's initial efforts to create a
centralized app. The government eventually shifted to Google and Apple's
approach. "We are reliant on a duopoly of tech companies that control the
operating system market."
Cristina
Gallardo contributed reporting from London, Jacopo Barigazzi and Giorgio Leali
contributed reporting from Brussels.
Want more
analysis from POLITICO? POLITICO Pro is our premium intelligence service for
professionals. From financial services to trade, technology, cybersecurity and
more, Pro delivers real time intelligence, deep insight and breaking scoops you
need to keep one step ahead. Email pro@politico.eu to request a
complimentary trial.
Sem comentários:
Enviar um comentário