Privacy is in the same position as security was five years ago

It has taken years for the technology and telecoms industry to take security seriously, and now we are at the beginning of the same story arc with privacy.

The purpose of a story arc in popular culture is to take the character on a journey, agonising through challenges and failures, and up to success and lessons, ultimately concluding with some sort of resolution. There are seven different types, for example, a Cinderella story arc where the protagonist experiences a rise, then a fall, before a final rise, or an Icarus arc where there is simply a rise before an ultimate failure.

The security segment of the technology and telecoms world has gone through somewhat of a Rags to Riches story arc, with adequate protections being ignored for years before becoming a critical component of the technology landscape. That said, some would argue the arc has not been completed as there is still not enough investment.

Perhaps privacy is treading the same path as security, and it will have to battle moral dilemmas, successes and failures over numerous series before it is finally appreciated. The principles of privacy are certainly being ignored, massaged and bent sideways by private and public organisations today.

One question which might be raised is whether we need to reconsider the definitions of privacy for the new world; are we inappropriately judging digital privacy by the standards of the analogue era?

“In my view, there is currently no case for relaxing the privacy rules. There is a need to embed privacy considerations in design of technology,” said Joann O’Brien, VP of Digital Ecosystems at the TM Forum.

“In many cases architectural design/best practice and the embedding of the citizen at the centre of the design still needs to happen. When this happens, meeting privacy requirements becomes exponentially easier to achieve. In many cases relaxing any privacy policy due to impacts on innovation is really playing into the hands of lazy architectures and exploitative technologies.”

This sounds remarkably similar to the same rhetoric which was positioned around security technologies for years. Experts said security needs to be built into the products foundations, not simply an add-on. It does appear the same mistakes are being made with privacy.

One country which does seem to be taking the right approach to building contact tracing applications to combat COVID-19 is Switzerland. Using the decentralised approach, the app was built around the privacy foundations, with all sensitive operations taking place on the user’s device. Other countries should take note of this example championing privacy rights.

“TM Forum advocates for continuing and upholding the privacy rules as the long-term consequences of not doing so will have a negative impact on society and potentially run the risk of citizens losing trust in technology.”

While any reasonable person should not advocate the dilution of privacy rules, perhaps there is a case for reimagining them.

Should governments be able to ensure the same levels of protections and privacy are maintained, there is a case for rewriting rules to ensure they are fit for the digital society. After all, privacy rules as we know them today were written for a bygone era. It is like trying to fit a square peg through a round hole, it might fit if you try hard enough, but it is more suitable for another hole.

“The problem with the current system is it insists that every company asks for consent at a very granular level, which makes it impossible for people to read and understand what they are agreeing to,” said Ross Fobian, CEO of ResponseTap, a provider of intelligent call tracking software.

“It is also annoying because you are presented with messages on every website, but don’t have the time to really understand each one. This results in the user simply trying to get the box out of the way as quickly as possible. This means that generally people default to simply clicking the ‘I agree’ button, without understanding what they are agreeing to.”

The transfer of data to corporations can benefit both sides, however. Companies more intelligently and appropriately are able to target potential customers, while experience of products and services can be enhanced for the consumer.

“The problem is that some companies or even government entities don’t necessarily use your data just to help you,” said Fobian. “They use your data to manipulate you. Cambridge Analytica is a perfect example of this. Also, companies can get hacked and hackers can use that data in ways it was never intended. For this reason, at ResponseTap we don’t store personal data by default, which minimises the risk. However, this is not always possible.”

There are new privacy rules being created for this era, which are heading in the right direction according to Fobian. Telecoms.com readers generally agree with this statement also, with 32% believing privacy rules should be re-imagined for the digital era and 48% suggesting the user should be given more choice to create own privacy rights.

Privacy is a challenge today for several reasons, most of which can be directly linked back to corporations and governments ignoring its importance. In years gone, security was an add-on, despite what anyone told you, and the exact same position has been created for privacy today.

All these companies are telling us that they are pro-privacy, but eventually they will have to start showing us with actions which back up the rhetoric.

Switzerland claims to be first to trial Apple and Google COVID-19 APIs

Two universities, the army and several hospitals in Switzerland have launched what is claimed to be the worlds’ first major trial for Google and Apple’s decentralised contact tracing APIs.

While many governments have opted against the advice of privacy and security experts, universities ETH Zurich and Ecole polytechnique fédérale de Lausanne (EPFL) will work with the army and several hospitals to trial Silicon Valley’s version of the contact tracing app.

“This is the first time that the operating system updates from Google and Apple enable its deployment and testing on such a large scale,” said Professor Edouard Bugnion, Vice-President for Information Systems at EPFL.

Should the app work as desired it would certainly be a cause for celebration for the many societies under strict lockdown protocols. It could also prove quite embarrassing for the government who elected for a centralised data model, contrary to expert advice, some of which are facing teething problems.

Several thousand Swiss citizens are now free to download the application, with the pilot set to last for a few weeks. The team is effectively waiting for legislation amendments before launching to the general public, though depending on the timeliness of politicians is similar to guessing the length of string.

This application is based on the Decentralized Privacy-Preserving Proximity Tracing (DP3T) design, geared towards protecting privacy. As it should be with every application, the Swiss app is built on and around the concept of maintaining and protecting privacy, not with privacy as an add-on when other criteria have been satisfied, like the UK-version has.

“Our goal is to offer a solution that can be adopted in Europe and around the world,” said Professor Carmela Troncoso, head of the Security & Privacy Engineering Laboratory at EPFL and the brain behind the DP3T protocol.

Operations for the application which are deemed essential but also sensitive from a privacy perspective will all be performed on the device. The application will log the unique identifier of any other device which has been in close proximity (less than two metres) for a sustained period (15 minutes). Should the individual test positive for the coronavirus, as GP will issue a single-use code to be entered into the app, which will alert any individuals who have been logged as a contact.

Although calls for a unified approach to creating contact tracing applications have largely been ignored by attention seeking politicians, the world should be watching this Swiss experiment very closely. The decentralised approach is one which is built with privacy in the foundations, and while it might not offer the flexibility some government data scientists are after, there is no need to make any compromises to privacy or security.

This should be taken as a lesson by politicians around the world; privacy and security should not be forgotten in the battle against COVID-19.

UK Cabinet Office, as well as DCMS and DoH, clueless about COVID app

Some might assume the strategy to combat COVID-19 is being devised on the hoof while patchy delivery suggests there is little communication between departments, and the cynics would be right!

After a week of bouncing from department to department and representatives being unable to offer any clear guidance or in-depth knowledge of the contact tracing application, Telecoms.com is becoming increasingly concerned about the Government strategy, as well as potential implications for privacy and security.

With the information which has been offered from Government representatives to date, it is clear few have any idea what is actually going on.

Last week, the Cabinet Office released new documents which detailed the UK Government strategy to exit the current societal lockdown. Featured in this broad document were 14 projects needed to ensure the country can exit the lockdown effectively, including the creation of a contact-tracing application to monitor the impact and potential spread of the virus.

The following extract is from the bottom of page 39, the section dealing with testing and tracing:

“Information collected through the Test and Trace programme, together with wider data from sources such as 111 online, will form part of a core national COVID-19 dataset. The creators of a number of independent apps and websites which have already launched to collect similar data have agreed to work openly with the NHS and have aligned their products and data as part of this central, national effort.”

Despite this document being published and distributed by the Cabinet Department, and featuring a foreword from Prime Minister Boris Johnson, it was unknown who the ‘independent apps and websites’ are, when the trials of the COVID-19 tracing app on the Isle of Wight would be concluded or how many downloads were being targeted upon release.

Considering the importance of this document and the material in it, one would assume this information would be available, though we were referred to other Government departments, who have not been able to provide insight either.

This is not the first time we have been referred from a department which should have knowledge of the situation and to another. In recent weeks, prior to the beginning of the Isle of Wight trials, the Department of Digital, Culture, Media and Sport (DCMS) stated it was not involved at all with the development of the application, referring us to the Department of Health and Social Care (DHSC), before being directed by representatives of DHSC to the NHS technology unit where communication went unanswered.

Despite the Cabinet Office, DCMS and DHSC presumably being critical Government departments in the development of a contact tracing app to combat COVID-19, there does not seem to be anyone in the know as to what is actually going on.

Unfortunately for everyone involved, the questions posed were not overly complex and should be simple to answer if the information is available, instead one department pointed us to another. Perhaps no-one wanted to muddy their hands with what is quickly turning into a debacle, or maybe no-one could actually answer these simple questions.

If there is little contribution from these departments on the development of the app, how can one ensure there are effective safeguards for cybersecurity or data privacy? The Government has gone against industry advice in pursing a centralised data model, but confidence in its ability to manage this process is increasingly thinning.

The NHS has somewhat of a checkered past when it comes to digital and data projects, and that is putting it politely. Some of these previous attempts to do digital in the NHS has been completely and utterly disastrous, accomplishing nothing, yet the NHS is seemingly blindly trusted as Government departments plead ignorance. The NHS flying solo will have some critics shifting in their seats very uncomfortably.

For the app to work as desired, 60% adoption is a number which has been floated by academia. This is going to be a big ask, therefore delivery will have to be close to perfection. One might hope that the relevant Government departments are a bit more informed moving forward considering the importance of this technology in aiding the UK’s recovery.

51% of IT pros disagree with Gov approach to COVID-19 app

With the UK’s COVID-19 tracing application being test on the Isle of Wight, only 24% of IT professionals believe the initiative will be successful.

Research from BCS, an association for IT professionals, suggests the Government is struggling to source support from the IT community. This is not to say the efforts will not be a success, but it is hardly a confidence boost.

“BCS is clear that if done ethically and competently a tracing app can make a huge contribution to stopping the spread of COVID-19; but a majority of our members don’t believe the current model will work and are worried about the reliance on a centralised database,” said Bill Mitchell, Director of Policy at BCS.

“Yet despite their doubts 42% would still install the app and 21% are undecided. It feels like there is a lot of goodwill out there to give a tracing app a chance – if it can be shown to work. That means if these concerns are fully addressed then maybe over 60% of the population will install a high-quality app. That’s the magic adoption figure we need for the app to have real impact on stopping COVID-19.”

According to the research, only 24% believe the application will succeed. 32% explicitly believe it will fail and the remainder are still undecided. Interestingly enough, 51% believe the Google/Apple approach, the decentralised model where data is stored on user devices, should have been taken forward by the Government.

This is an argument which will persist as long as the coronavirus does. Some countries have opted for the decentralised model, which is being championed by Silicon Valley, and others have gone for centralised. What is worth noting is there is a very valid argument for the centralised data approach.

“If you don’t have the data at the starting point of the tunnel, you are facing a challenge,” said Sebastien Ourselin, a professor from Kings College London, during an industry conference. “When you want to react quickly, access to the data is key.”

Ourselin’s argument is that a centralised data model means you have access to the data all the time and whenever you want. It means you can run different models and apply different conditions to forecasting models, which is a lot more difficult when you only have access to the insight not the raw data.

The issue with the Government decision for centralised data is one of credentials.

When asked what the IT pros were concerned about, and why they would not download the app, 69% said data security, 67% pointed to privacy, 59% worried it was a pointless exercise and 49% lacked trust in the Government.

The final concern is why some might suggest opting for the Google/Apple route would have been more successful. People don’t trust Governments, but the majority have already handed personal information over to Silicon Valley. There is a respect for the smarts and capabilities of these companies. The Government could have weaponised Silicon Valley’s credibility to drive user adoption of the application.

If the Government fails to convince the general public to adopt this app, it will not succeed as imagined. There will be a valid contribution, but for a material success 60% of the population will have to download the application. This is a tough ask, though the lessons learned from the Isle of Wight trials should provide some valuable insight.


Telecoms.com Daily Poll:

Who would you consider the King of Innovation in the telco industry currently?

Loading ... Loading ...

After 107 million downloads in April, TikTok faces a European privacy probe

Questions over the privacy of popular video-sharing application TikTok have been raised by Dutch authorities, but scepticism can’t slow the rapid expansion.

Although other investigations around the world are far more damning, suggesting some very nefarious activities, let’s not forget giants can be taken down by unsuspecting means. After all, Goliath was conquered by a pebble and Al Capone was felled by tax evasion charges.

“A huge number of Dutch children clearly love using TikTok,’ said Monique Verdier, Deputy Chairman of the Dutch DPA.

“We will investigate whether the app has a privacy-friendly design. We’ll also check whether the information TikTok provides when children install and use the app is easy to understand and adequately explains how their personal data is collected, processed and used. Lastly, we’ll look at whether parental consent is required for TikTok to collect, store and use children’s personal data.”

The investigation will focus on whether TikTok effectively protects the privacy of Dutch children, and whether there would need to be any changes enforced on the team through regulation. As with every other investigation, this probe from the Dutch could shed light on certain aspect of operations which could have a domino effect.

While TikTok was thrust on the world to much consumer enthusiasm last year, the momentum has certainly continued through 2020 and has perhaps been compounded by lockdown protocols currently in place around the world.

Most downloaded Apps (non-gaming) during April 2020 – Global
Overall App Store Google Play
1. Zoom Zoom Zoom
2. TikTok TikTok TikTok
3. Facebook Google Meet Facebook
4. WhatsApp Microsoft Teams WhatsApp
5. Instagram Netflix Aarogya Setu

Source: Sensor Tower

With more entertainment needed by those taking part in enforced lockdown, there has been a surge in interest in numerous categories, but social media and content streaming applications are close to the top of the list. TikTok has benefitted from these tendencies, but also endorsements from numerous celebrities around the world.

Over the weekend, Anthony Hopkins challenged Sylvester Stallone and Arnold Schwarzenegger to a dance-off on the platform with Drake’s Toosie Slide.

@anthonyhopkins##Drake I’m late to the party… but better late than never. @oficialstallone @arnoldschnitzel ##toosieslidechallenge♬ original sound – officialanthonyhopkins

With more and more celebrities embracing the platform, everyday consumers will be encouraged, especially during a period of boredom. This might be seen as a worrying trend to US politicians who are attempting to dilute the influence China and its companies have on global societies and economies.

Last October, Republican Senator Tom Cotton and Senate Minority Leader Chuck Schumer wrote to the Acting Director of National Intelligence, Joseph Maguire, to formally request an investigation into TikTok, questioning whether it is a threat to national security as the applications developer ByteDance could be coerced to collaborate with the Chinese Government.

A few days later, Senator Josh Hawley also introduced a new bill, known as the National Security and Personal Data Protection Act (S.2889), which would force foreign technology companies to store data locally.

This would provide some protections to US consumers but would also open up the political class to a barrage of complications as the US has been attempting to punish countries who enforce data localisation rules on US companies. India is one of these nations at loggerheads with the US, and while many would attempt to avoid such complications, hypocrisy and irony seem to be completely lost on the current political administration.

TikTok has escaped much scrutiny over the last few months, though this is perhaps due to other areas demanding more attention. The application might be enjoying success for the moment, but we suspect it is not clear of privacy investigations just yet.

UK’s COVID-19 contact tracing app – will it work?

The UK has officially launched its NHS contact tracing app, but there remain many questions about how effective it can be.

The app is called ‘NHS COVID-19’ and is currently being trialled in the Isle of White, presumably to limit its spread, should it turn out to be rubbish. You can read the details of it as explained by the National Cyber Security Centre here. In short, it’s designed to do pretty much the same as all other contact tracing apps – to notify anyone who has been in close physical contact with anyone who is suspected of having COVID-19.

Also in common with other such initiatives around the world, the key point of contention around NHS COVID-19 is whether it uses a centralised or decentralised approach to collecting data. The decentralised method is favoured by Google and Apple, who own the platforms on which nearly all smartphones run and thus have ultimate control over what apps on them can or can’t do.

Under the decentralised system no significant data ever leaves the individual’s phone. All that happens that, when someone tells their version of the app they think they might have the ‘rona, it notifies the apps installed in phones of anyone who has been near them recently. This is all done by Bluetooth LE running in the background and no identity or location data is involved.

NHS COVID-19, however, uses the centralised model. In this case, when someone notifies the app of their possible blight, it passes that bulletin on to an NHS server, which then performs the function of notifying other at-risk punters. The advantage of this approach is that it will also enable a bunch of other clinical and epidemiological activities such as inviting the person to be tested and mapping disease hot-spots.

The centralised model obviously comes with a lot more data privacy and even civil liberty concerns, which is why the UK government has gone to considerable lengths to demonstrate security, transparency and accountability. Ian Levy, the Technical Director at the NCSC has blogged extensively on the matter and you can even read the technical paper. The Information Commissioner’s Office has also blogged and published a formal opinion.

As you would expect, Parliament is having a good look at this app too. Matthew Gould, CEO of NHSX, which is the digital transformation bit of the NHS, got a socially-distanced grilling from the Joint Committee on Human Rights yesterday and the matter of data protection was very much as the forefront.

“The app doesn’t at this stage know who you are, it doesn’t know who the people are you’ve been near, it doesn’t know where you’ve been,” said Gould, with the ‘at this stage’ bit somewhat undermining his attempt to reassure. “We’ve said we will open-source the code, we will publish the privacy assessment and security models.”

That was around 15:05 of the recording of the briefing. At 15:19 Gould is asked about the longer-term use of data shared with the NHS. “If data has been shared by choice with the NHS then it can be retained for research in the public interest,” he said. It remains to be seen how compliant with GDPR and general data best-practice that will be. Furthermore his answer serves as a great illustration of why people may be reluctant to allow their data to leave the confines of their phone.

Which brings us to a major flaw in the decision to go for the centralised approach – trust. The majority of the population will need to download and use the app for it to be effective, so anything that makes them think twice about doing so is surely a major setback. It seems clear the NHS is doing everything by the book and subjecting itself to maximum public scrutiny, but by going down this path is has built an unnecessary element of doubt into the whole project.

The biggest problem of all, however, is likely to stem from the fact that Google and Apple don’t support NHS COVID-19. That doesn’t mean they’re going to block it from their app stores, but it does mean it presumably won’t have access to the Google/Apple Exposure Notification API. The single biggest challenge that presents is how to keep the Bluetooth LE functionality active when the app isn’t on or in the foreground of the phone.

Coincidentally the two tech giants released more details of their API today, with Tech Crunch doing a good job of summarising the rules determining its use. By adopting the strategy it has, it seems the NHS has ensured we won’t get a COVID-19 contact tracing app that uses the Google/Apple API, which is a shame.

NHSX and the government are keen to stress that NHS COVID-19 is not, by itself, a silver bullet, and will form part of a broader set of measures designed to keep a lid on the pandemic once we’re allowed out of the house again. While we should stress that we’re not in any way advising against people doing their bit by downloading and using this app – we certainly will – its usefulness seems very likely to be seriously diminished by the decision to adopt the centralised approach.

Why is Google so interested in Fitbit?

In early November, Google announced it was acquiring Fitbit for $2.1 billion, a transaction which has polarised opinion. But why is Google interested in a faltering wearables brand?

Acquisitions in the technology world are not unsurprising, especially when it comes to search engine giant Google. This is a company which is constantly pushing the boundaries of normality, testing ideas outside its core competencies and exploring for the next multi-billion-dollar business.

The question which remains in the minds of some is whether Fitbit could be the catalyst for profits, or if this is an unjustified expansion of Google’s ability to pry into the personal lives of users around the world.

$2.1 billion for a failing wearables business

When talking about wearables, it used to be impossible to avoid Fitbit. This appeared to be one of the very few companies who could turn a profit in a segment which flattered to deceive. Until recently that is.

Looking at the financials of Fitbit, the business was heading south very quickly.

Full-year financial results for Fitbit 2015-19 (USD ($), millions)
Year Total revenue Net Income (Loss)
2019 1,434 (320)
2018 1,512 (185)
2017 1,615 (277)
2016 2,169 (102)
2015 1,858 175

Source: Fitbit Investor Relations

In 2015, Fitbit was a rapidly growing wearables brand turning a tidy profit. What made this even more impressive is the failures of almost everyone else to crack the market; wearables was a segment which no-one else seemed to be able to make work, not even Apple.

The trick with Fitbit was simplicity. It didn’t try to take on traditional timepieces with a clunky digital alternative which still had to be tethered to a smartphone, it produced a simple fitness device. It identified a need and fulfilled a purpose, without trying to be too clever.

The issue which it has faced in recent years is two-fold. Firstly, wearables become more mainstream and demanded more functionality. And secondly, mainstream brands were allocating big marketing budgets.

Fitbit attempted to evolve its offering, creating more devices which were more in-line with the smartwatch image of today, but it struggled to compete with the likes of Apple and Samsung when it came to functionality, design, marketing and acquiring new customers who had not previously been interested in wearables. It failed to evolve, adapt and expand.

That said, the barebones of a successful business are still there.

The resurgence of Fitbit as a competitive force

Fitbit is an interesting acquisition for Google. It has a solid and reputable fitness brand, a loyal customer base as well as existing products and IP. The fundamentals of a good business are in place, the reason Fitbit failed is it was not able to advance its business model to the next level of development.

Aside from good products, consumers nowadays are insisting on experiences and an ecosystem of supporting applications. One explanation as to why Fitbit is a failing business is that it was unable to develop the supporting applications, experiences and services to bundle behind the hardware.

This is where Google can help.

With the Fitbit team concentrating on developing new products, the software and services element can be delegated to the Google engineers. With an army of software experts and existing products, Fitbit could certainly emerge as a fighting force on the wearable scene once again.

Aside from the Android operating system which has Google has created for the wearable ecosystem, Wear OS, there are numerous other services which could be more closely linked to the Fitbit products such as Google Maps and YouTube Music. The products could also benefit from the work Google is doing into new areas such as the voice user interface and gesture control.

Bringing together the Fitbit hardware experience, IP and brand, with Google’s OS expertise and software engineering smarts is a very attractive mix.

Why would Google care about the wearable segment?

Firstly, Google is interested in any idea which can make money, and with the right care and attention, as well as patience, you can make money out of just about anything.

Secondly, the wearable ecosystem allows Google to operate in an area where it currently doesn’t.

And finally, wearable products allow it to buildout other investments in areas such as healthcare and smart cities.

Global smartphone market share – 2019
Brand Market share
Apple 31.7%
Xiaomi 12.4%
Samsung 9.2%
Huawei 8.3%
Fitbit 4.7%

Source: Statista

Just like the smart speaker products Google launched in recent years, the greater opportunity is not to profit from product sales, but to build a services ecosystem behind the hardware. Fitbit products with Wear OS allow Google to interact with customers in a new setting, in a new way, while collecting new data.

This data can of course be used to supplement existing advertising models, hyper-targeted messaging is where the money is after all, but it can also offer Google the opportunity to build new services. With a portfolio of fitness related products, Google can collect new data to create new applications as well as buildout the development of existing ideas.

For example, Verily is a research organization devoted to the study of life sciences. Verily works with academia, hospitals and health systems and life sciences companies to improve healthcare. The work is of course technology focused, making best use of data to augment the healthcare industry, and the addition of a portfolio of health and fitness wearable products would improve this proposition.

Another example is Sidewalk Labs, an ‘urban innovation’ investment from Google. The concept of smart cities is quickly gathering steam, and should the right investments be made, software companies could make billions. Wearable devices will be an important element of the smart cities for identification and authentication with public services, payments and interaction with other applications which could emerge.

These are two ideas which already exist in the Alphabet family, but Google does not currently have a venture into fitness and lifestyle. Fitbit it an entry point.

Owning the OS is critical to owning the ecosystem

Google is one of the most successful companies in the world because it manages to position its products and brands in front of people. And perhaps the most important acquisition it made in its history was Android.

The operating system, founded in 2003 by Andy Rubin, ensured Google powered the majority of smartphones across the world. It is free for smartphone manufacturers to use, but this comes with conditions; certain applications have to be installed as default. Aside from these products being very good, accessibility is one of the reasons they are so popular.

Wear OS, the operating system for wearable devices, offers Google the same opportunity. If users are tied into the Wear OS ecosystem, Google can build services and monetize the audience.

However, success for Wear OS has been wayward to date.

Apple devices use WatchOS, Xiaomi have their own as well, Garmin has developed one internally, Tizen is a Linux-based primarily by Samsung, while Fitbit also had their own. No-one was really that interested in Google’s OS when they have proprietary software, as this would mean handing data and the controlling stake in the software ecosystem to Google.

Purchasing Fitbit offers Google the opportunity to get Wear OS into the wild, collecting data to improve its capabilities. Without the Fitbit acquisition, Wear OS would most likely have dwindled and died, but if the Fitbit brand can be reinvigorated, there is every chance Google could be very influential in this segment. Especially as Fitbit already have a health-orientated brand perception.

Data, data, data…

The Google business is built on data. The algorithm powering search engines only works well because it is constantly trained to improve accuracy of results. Google advertising is only successful because it is hyper-targeted. The Maps products constantly need to be fed data to ensure route-planning is most efficient, local businesses are listed and preferences are honed to the user.

Fitbit offers some extraordinary data, which would be very useful for companies like Google.

To make best use of fitness-based products and applications, additional information on the user is often needed. Weight, height, fitness and lifestyle objectives, eating habits are some examples which can be plugged into the application. These devices also track user location, how and when they exercise, heart rate, and sleep patterns. Analysing this information is very useful for fitness-orientated users, but it is also incredibly valuable to advertisers.

It is always worth pointing out that the more people making use of Wear OS, the more data Google is collecting to fuel the advertising machine. Thanks to Deepmind, Google’s AI powerhouse, all of Google’s service make use of user insight to improve the accuracy and profitability.

This is where some of the objections to the Fitbit acquisition have been directed.

How much is too much insight?

There are many in society who are uncomfortable with the amount of information the internet giants, not Google alone, have already and how much additional access they are gaining through acquisitions. There are some who like the idea of Google purchasing Fitbit, but there are also others who question whether this is handing too much power and influence to the search giant.

Some might question how much of a window Google should be given into the personal lives of people around the world.

“The most critical issue is Google’s acquisition of Fitbit’s trove of health and biometric data,” the Electronic Frontier Foundation, an opponent of the acquisition, said. “Obtaining that data will help Google both improve its advertising business and significantly expand its data empire.

“Google’s acquisition of Fitbit will also deprive users of one simple, meaningful choice they could have made: to track their health and fitness without putting that data into Google’s ecosystem.

“And where users have already made this choice—by buying and using Fitbit devices prior to the acquisition—an acquisition destroys those user choices, retrospectively opting them into Google data collection despite their revealed preference to use a Google competitor.”

The Electronic Frontier Foundation has two objections to Google’s acquisition of Fitbit. Firstly, Google is getting too much personal information. A single, private organisation should not have such power. And secondly, such an acquisition would restrict competition in an already restrictive segment.

On the competition side of things, there is a valid point.

Not only is the smartwatch and wearable segment pretty small already, competition is the digital advertising space is also limited. Should Google expand further it would become more powerful in the advertising game, potentially killing off rivals.

The Electronic Frontier Foundation is not alone with its objections to the deal, and the concerns are not going unheard.

In the US, the Department of Justice is considering the impact of the acquisition in terms of data collection and privacy as well as market competition. Down in Australia, the Australian Competition and Consumer Commission (ACCC) has launched a similar investigation which is due to conclude on May 21.

The big question of whether Google should be allowed to acquire Fitbit

By acquiring Fitbit, Google gives itself a leapfrog in the wearable OS segment, it builds out investments in healthcare and smart cities, creates additional revenue streams, allows it to drive forward another ecosystem in its own vision and adds more valuable data into the advertising machine.

For Google, this is an incredibly intelligent acquisition, $2.1 billion well spent.

However, if it is to be successful it has to develop this business intelligently. The Wear OS team should focus on the development of the operating system and supporting ecosystem, while the Fitbit engineers should be empowered to create excellent devices, whether they are simplistic fitness trackers or complex smartwatches.

Enough money has to be thrown at the development teams, but Google has to let Fitbit be Fitbit; it is a successful brand and must be allowed to continue its own path. Let Google engineers concentrate on software, and Fitbit engineers concentrate on hardware.

But the question is not whether Google is smart in acquiring Fitbit, more whether it should be allowed to. The acquisition would enable Google access to a treasure trove of very personal information, as well as posing a potential risk to competition. The internet giants have already demonstrated a sluggish attitude to data privacy, and this transaction offers access to some very personal information.

Authorities will have to assess whether Fitbit would have survived on its own, which looking at the financials is unlikely, and whether Google should be allowed to expand its influence and power through the acquisition of more data.

UK snubs Google and Apple privacy warning for contact tracing app

Reports have suggested the UK will pursue a centralised data collection approach for its COVID-19 contact tracing app, despite the well-publicised security and privacy risks.

Last week, the National Health Service (NHS) published a blog entry which pointed towards some element of centralised data collection, though the choice was seemingly been offered to the consumer. It now appears this is not the case.

“This anonymous log of how close you are to others will be stored securely on your phone,” Matthew Gould and Geraint Lewis of NHSX, the technology unit of the NHS, wrote in the blog post.

“If you become unwell with symptoms of COVID-19, you can choose to allow the app to inform the NHS which, subject to sophisticated risk analysis, will trigger an anonymous alert to those other app users with whom you came into significant contact over the previous few days.”

Details are of course still thin on the ground, but the BBC is now reporting the NHS will pursue a centralised approach, collating data on NHS servers for analysis and to send out notifications. There are of course advantages to this approach, models can be adapted quicker and additional analysis can be performed, but the question which remains is whether this outweighs the risk to security and privacy; Google and Apple clearly do not think so.

While a centralised approach proposes the collection and storage of all relevant data on NHS servers, an API created between Google and Apple would do the analysis on devices.

Using Bluetooth once again, the decentralised API would store the interaction between device on the user’s device, only sending a key indicating whether that specific user is infected or not to the cloud. Devices would reference the cloud database regularly and should the on-device logs match an infected key, alerts would be sent to other devices which have been logged as contact traces.

The decentralised approach has been embraced by Germany, though this was a surprise, however French authorities has gone the same direction as the UK is seemingly heading. The one which flies in the face of expert advice.

An open letter from cybersecurity specialists and other data scientists has slammed the centralised approach employed by France and, allegedly, the UK.

“All these applications in fact involve very significant risks with regard to respect for privacy and individual freedoms,” the letter states. “One of them is mass surveillance by private or public actors, against which the International Association for Research in Cryptology (IACR) committed itself through the Copenhagen resolution.

“This mass surveillance can be carried out by collecting the graph of interactions between individuals, the social graph. It can intervene at the level of operating systems (OS) of mobile phones. Not only OS producers could reconstruct the social graph, but also the State, more or less easily depending on the solutions proposed.”

The letter has been signed by hundreds of French cybersecurity experts from a range of academic institutions and private research organisations. Support to this position has also been pledged by hundreds of non-cybersecurity technologists also. It is a very comprehensive list of academic experts all condemning the centralised approach as an unneeded risk and an action which undermines privacy principles.

Although the details of the NHS application have yet to be revealed, it does appear the team is heading down the same route as the French. The pursuit of simplicity and flexibility has been deemed more important that the grave warnings to security and privacy offered by experts in the field.

Hopefully the collection of data on centralised servers does not act as too much of a red flag to the hacker community, most of which do not too many invitations to have a crack at stealing information which can be used for nefarious means. Aside from the risk to privacy, collecting millions of datasets of personal information in a single place could be viewed as somewhat of a treasure trove.

Unlike France, Germany decides to do smartphone contact tracing the Apple/Google way

Contact tracing via smartphone is a powerful way to tackle the spread of coronavirus, but it mustn’t be done at the expense of individual civil rights.

This is the dilemma at the core of all attempts to use mobile technology for epidemiological good around the world. Thankfully there is increasing consensus that a decentralized approach, which doesn’t involve tracking the location and movements of individuals, is the best way of balancing those interests.

Leadership on this matter has been shown by the two companies that own the platforms on which nearly all phones run: Google and Apple. A couple of weeks ago they got together to announce a joint effort in this regard and make it available to national governments. Not all of them liked the idea, however, with France demanding Apple loosen its privacy rules for some kind of EU spy app.

France probably hoped its senior partner at the top of The EU, Germany, would have backed its call. But the Germans have always a more pragmatic bunch and, over the weekend, the German government announced it was abandoning the cunning plan unveiled by a bunch of Euro techies at the start of this month, in favour of a decentralised approach, effectively endorsing the Apple/Google method.

To what extent the German decision also contradicts recently-released EU guidelines on this sort of thing will be interesting, but it certainly seems to offer less state access and control over user data than the continental bureaucracy would have liked. In contrast it seems to buy into the concept put forward by UK’s Oxford University, that maintains you don’t need to track location in order to do effective contact tracing.

That might seem counter-intuitive, but only if you think the purpose of such technology is to control the movements of people suspected if being infectious, the sort of thing repressive states like China would have no problem doing in order to lock people in their homes or whatever. The more democratic way is to make a voluntary app available for download, that uses Bluetooth to track other phones that have come near that one. Users of the app can then voluntarily announce their suspected infection in order for those they have been in contact with to be notified.

For example, that seems to be the sort of thing the Australian government has come up with in the form of an app called COVIDSafe. It was only made available yesterday and already has over a million downloads, showing you don’t need to force people to muck in to the collective effort. There have been concerns, however, about the fact that the source code for the app hasn’t been made available, but apparently it will in due course and experts, on the whole, don’t seem worried.

In the absence of widespread testing, using technology to let people know when they have been in contact with anyone who has announced they are showing symptoms seems like one of the best ways to limit the spread of coronavirus in free countries. It’s great to see tech companies, governments and various experts arrive at a best-practice consensus so quickly and we look forward to a UK version of this kind of app being released ASAP.

Israel halts mobile-tracking quarantine measures on privacy grounds

The Israeli Government is suspending police powers to requisition mobile roaming data from telcos to monitor quarantines, with politicians citing privacy concerns.

Last month, Prime Minister Benjamin Netanyahu offered new powers to police authorities to force telcos to hand over location-tracking data for mobile phones. This data was subsequently used to monitor citizens ordered to self-isolate as suspected or confirmed coronavirus cases. The Government has now been forced to backtrack on this move after it was challenged in the Supreme Court by civil liberties groups.

“We have decided on a foreign committee and the security to freeze the legislation enabling cellular retention to enforce the isolation,” Ayelet Shaked tweeted (below), a member of right-wing political party Yamina. Shaked also serves on the Foreign Affairs and Defense Committee.

Although the police have argued the technology is an effective tool to ensure quarantine rules are being followed, 203 arrests have been attributed to the data, the threat to privacy has been deemed to great. This is not an end to the use of the technology, authorities will still use the contact tracing elements to map the spread and identify potential infected individuals, but the all-encompassing, location-tracking concept is closed for the moment.

The original move to offer this data to police authorities was authorised under emergency coronavirus regulations, although it had a month-long time limit attached. A further extension of these powers was subject to Parliamentary approval and legislation, however the Foreign Affairs and Defense Committee have blocked the extension. The Government had slated a bill to extend the powers, as the initial month period is due to expire Wednesday.

Although the use of technology in combatting the on-going coronavirus outbreak should be applauded, it has to be done in a responsible and respectable manner; privacy and security rights should not be forgotten in tackling COVID-19.

Interestingly enough, this is not the only Government which is attracting attention for the creation of a coronavirus app. In France, Ministers have foolishly asked Apple to suspect certain privacy and security features to enable its own contact tracing and tracking app to work as designed.

The approach from the French is almost laughable as it demonstrates just how hypocritical it can be. For years, French authorities have been criticising, sanctioning and fining internet companies for privacy and security concerns, but now it is asking Apple to turn a blind eye to an application which has an in-built and highly publicised vulnerability. It is quite remarkable how ignorant some politicians are to the rule of unintended consequences.