Much has been said about using technology to combat the coronavirus outbreak, but France has done exactly what many critics feared by cutting corners to compromise security and privacy.
France is one of the hardest hit countries during this pandemic, with more than 114,000 confirmed cases at the time of writing, so it is understandable that the Government wants to accelerate the deployment of any projects. However, this latest debacle will have data security and privacy advocates tearing their hair out.
The country has developed an application to track the spread of COVID-19 using Bluetooth contact tracing, though some functionality of the app is being prevented by Apple’s security features. Designed to protect user data, the iOS feature prevents data being moved off Apple devices via Bluetooth.
Instead of attempting to adapt the application to ensure privacy and security are maintained for users, French authorities have, according to Bloomberg, made the almost laughable decision to request that Apple turn off the features in France.
Almost everyone in the digital community recognises the importance of maintaining security and privacy principles despite the severity of the situation, but it appears France missed this memo.
“We’re asking Apple to lift the technical hurdle to allow us to develop a sovereign European health solution that will be tied to our health system,” French Digital Minister Cedric O said.
The French Government has stated the data would only be stored on its own servers, with the healthcare authority acting as the data controller, but this seems to be missing the point. O is effectively asking Apple to lift a security protocol and introduce a vulnerability to French Apple devices. And wherever there is a slight weakness in cyber-defences, the nefarious characters of the dark web are waiting to pounce.
Over the last few weeks, European Data Protection Supervisor Wojciech Wiewiórowski has been quite active. In one letter, responding to concerns over user privacy, Wiewiórowski said the transfer of data would be fine under GDPR assuming the relevant protections have been put in place. It is questionable whether asking Apple to remove a security feature is consistent with this message from Wiewiórowski.
The collection of data is a reasonable approach by any authority, though it does not have to be done in a way which compromises user security and privacy. There are thousands of applications on the App Store which make use of location or device proximity data without compromising iOS guidelines, so it clearly can be done.
What is also worth noting is that Apple is currently working in partnership with Google to create a framework for COVID-19 applications.
Although bringing the smarts of Google and Apple into the equation will certainly help, the framework which is being proposed would rely on short-range Bluetooth signals, secure local databases and anonymized device identifiers, but would ultimately store data locally on user devices. This is a point of contention with Governments who would like to collect data on centralised servers.
The application of new technologies is certainly the best way to tackle this on-going pandemic; however, what appears to be the case here is a fragmented ecosystem.
Silicon Valley is taking one approach, dozens of governments are putting together their own ideas, while privacy advice is being given by centralised regulators but not being adhered to by localised authorities. The mishmash of policies and ideas is not the most efficient way to tackle the problem, or to ensure data protection and security principles are being respected.
Three weeks ago, the European Data Protection Supervisor called for a consolidated, co-ordinated approach, creating a pan-European effort which would be significantly more beneficial. That would mean more data, more scientists and more money being thrown at the problem, but this logical idea has fallen on deaf ears as the French ignore advice, cut corners and endanger the digital lives of users.