
MacRumors

macrumors bot
Original poster
Apr 12, 2001
59,312
23,294


Apple and Google have been asked by New York's Attorney General to do more to prevent sensitive health data from being collected by third-party contact tracing apps.


According to Business Insider, AG Letitia James sent letters to both companies and urged them to impose tighter restrictions on the apps if they are to be available in their app stores, following concerns that some of the apps have not been properly vetted.
"As businesses open back up and Americans venture outdoors, technology can be an invaluable tool in helping us battle the coronavirus," said Attorney General James. "But some companies may seek to take advantage of consumers and use personal information to advertise, mine data, and unethically profit off this pandemic. Both Apple and Google can be invaluable partners in weeding out these bad actors and ensuring consumers are not taken advantage of by those seeking to capitalize on the fear around this public health crisis."
James noted that the privacy-centric exposure notification technology that Apple and Google developed isn't being used by all contact tracing apps. As such, she is urging the two companies to commit to greater oversight by only allowing apps affiliated with federal or state public health agencies to collect personal health data.

The hope is that by prohibiting third-party contact tracing apps from collecting personal data, it won't be used for targeted advertising or for identifying anonymous users.

James wrote that third-party apps should be required to delete personal health information on a rolling 14-day basis, and that the companies' respective app stores should disclose which apps were launched by governments and which are made by private developers.

"Consumers should always check with the Apple App Store or Android Play Store for information on what entity operates the app and whether the app collects geolocation information or other data," cautioned James.

According to the report, Apple and Google have until June 19 to acknowledge the Attorney General's letter.

Article Link: New York Attorney General Asks Apple and Google to Vet Third-Party Contact Tracing Apps
 

orthorim

Suspended
Feb 27, 2008
733
349
Apple should have never gotten into this absolute BS.

Now they have to live with it.

Actually what Apple needs to do is to allow alternative app stores. Remove stupid tracking hooks from iOS - idiots who want to contact trace everyone can then install apps that do it, and normal people can then ignore it.

Since when was Apple a company that tracks and traces its customers anyway? They spent decades building up a reputation for privacy just to throw it all away over the flu?
 

SteveJUAE

macrumors 601
Aug 14, 2015
4,009
4,096
Land of Smiles
I do not think Apple have changed their stance, just consumers assumed their umbrella of protection covered all aspects, which it never did or will.

Clever marketing along with many other slogans for the less well informed
 

Ritsuka

Cancelled
Sep 3, 2006
1,464
967
Apple should have never gotten into this absolute BS.

Now they have to live with it.

Actually what Apple needs to do is to allow alternative app stores. Remove stupid tracking hooks from iOS - idiots who want to contact trace everyone can then install apps that do it, and normal people can then ignore it.

Since when was Apple a company that tracks and traces its customers anyway? They spent decades building up a reputation for privacy just to throw it all away over the flu?

Did you even spend two seconds to check how Apple and Google contact tracing works? First, it's totally local, nothing is sent to a server, and an app developer can't change the way it works. Second, an app needs a special entitlement to use it, and Apple gives it to only one per country, so there is no way for a third-party developer to use it (and use it for what, to store the contacts locally in a way they can't even be read back?). Third, it needs an actual app installed to work, so if you don't install anything it won't magically start to locally track contacts in a way no one will be able to read.

Plus on iOS Apple contact tracing API is the only way to track bluetooth contacts in background.

I would worry more about your cellphone carrier selling your phone location to everyone that asks in the USA, or people posting photos with GPS info…
 

phenste

macrumors 6502
Sep 16, 2012
280
888
Yeah Apple totally cares about your privacy: this after opening just 3 Apps in one minute:
1592306251158.jpeg
Forgive me, but—what is the point you mean to make here? I’m guessing (big guess) that these are ad trackers/analytics from third party apps. Those are not things Apple would be within their bounds to restrict; those are the exact ways some third-party companies make money outside the 30% ecosystem. (If I’m not mistaken. I’m asking these questions precisely because I am super ignorant to what the meaning of this message is.)
 

I7guy

macrumors Nehalem
Nov 30, 2013
31,638
20,584
Gotta be in it to win it
Forgive me, but—what is the point you mean to make here? I’m guessing (big guess) that these are ad trackers/analytics from third party apps. Those are not things Apple would be within their bounds to restrict; those are the exact ways some third-party companies make money outside the 30% ecosystem. (If I’m not mistaken. I’m asking these questions precisely because I am super ignorant to what the meaning of this message is.)
For a wild guess you hit the nail on the head, on all counts.
 
  • Like
Reactions: Websnapx2

Tekguy0

macrumors 6502
Jan 19, 2020
301
358
Forgive me, but—what is the point you mean to make here? I’m guessing (big guess) that these are ad trackers/analytics from third party apps. Those are not things Apple would be within their bounds to restrict; those are the exact ways some third-party companies make money outside the 30% ecosystem. (If I’m not mistaken. I’m asking these questions precisely because I am super ignorant to what the meaning of this message is.)
I think Apple is within their bounds to restrict this, but they chose not to. A rule for apps for iOS 14 could be that you must use a new, built-in analytics kit, and that all third-party analytics and tracking networks (including for ads) are no longer allowed. Seeing scorecard research in that screenshot is especially scary, since it collects browsing data.
 

now i see it

macrumors G4
Jan 2, 2002
10,018
20,607
I can see that iOS tracing apps might be relatively safe— but Android?
There's pretty much a 100% certainty that unscrupulous characters are busy coding bogus tracing apps as I post this.
Google's play (ground) is infamous for hosting bogus tracking apps. Hiding (a tracking app) behind a CoV tracing app is just too enticing.
 

calzon65

macrumors 6502a
Jul 16, 2008
942
3,560
The EU is raising hell about Apple charging 30% for apps in the Apple store, then we have state attorneys general expecting Apple, at Apple's expense, to spend its resources to ensure apps are not collecting personal information.

I can see the lawsuits already ... if Apple allows just one of these personal information gathering apps to accidentally slip through the cracks, the state attorneys general will slap Apple with civil and/or criminal penalties.
 

calzon65

macrumors 6502a
Jul 16, 2008
942
3,560
Except, Apple built this right into iOS 13.5 and beyond. So if a customer wants to choose not to have the tracing, their option would be to stay on iOS 13.4.1, unfortunately.

Except that Apple relentlessly pushes new versions on everyone. Every few days my iPad harasses me to upgrade to the latest iOS (13.5.1). Apple is very sneaky in their harassing pop-up upgrade messages that require multiple responses to make the pop-up message go away ... but only temporarily go away, then the whole harassing upgrade process starts again until a person accidentally hits the wrong response then BAM the upgrade starts and you can't stop it.

If Apple wants to inform users about an upgrade one time, fine, that is reasonable, but they harass users over and over, upgrade harassment never stops.
 

Ritsuka

Cancelled
Sep 3, 2006
1,464
967
Except, Apple built this right into iOS 13.5 and beyond. So if a customer wants to choose not to have the tracing, their option would be to stay on iOS 13.4.1, unfortunately.

That's not how it works. For the Bluetooth contact tracing to work you have to manually install one of the few apps (one per country) available, and manually enable it. And even when enabled, the contact list is stored locally on your iPhone, and no one will be able to access it, and the contacts are stored as alphanumeric identifiers, and each phone identifier changes after 15 minutes or so, so it's completely useless for everything else.
 

Dainin

macrumors regular
Sep 4, 2009
203
151
I just wish the US Federal Government would release a contact tracing app using the Apple/Google API. My current state app does not use the API, and requires you to register with your phone number and other personal information to participate in tracking.
 
  • Like
Reactions: JuBe and Tagbert

Stromos

macrumors 6502a
Jul 1, 2016
576
1,433
Woodstock, GA
Except, Apple built this right into iOS 13.5 and beyond. So if a customer wants to choose not to have the tracing, their option would be to stay on iOS 13.4.1, unfortunately.
Maybe educate yourself how APIs work. The tinfoil is strong in this country lately. Apple is allowed to force updates. You are the same people that would blame Apple/Microsoft for getting hacked running an unpatched OS.

Guess what: you get hacked and lose data, question one is, are you up to date? No? Then it's on you, bud.
 

Websnapx2

macrumors 6502a
Apr 24, 2003
511
510
I can see that iOS tracing apps might be relatively safe— but Android?
There's pretty much a 100% certainty that unscrupulous characters are busy coding bogus tracing apps as I post this.
Google's play (ground) is infamous for hosting bogus tracking apps. Hiding (a tracking app) behind a CoV tracing app is just too enticing.
It's the same API — they worked on it together, so they will work the same way. The third-party app per region will be the same as well so this is essentially the most cross-platform experience API we know. It's not enough to make an app aimed at using this API — it needs to be authorized to be enrolled and receive data exchange. Third parties aren't going to be an issue as only one per region will be able to gain access.

This argument from the AG is exploratory and unfounded, regardless of what app store the third party app was acquired from.
 
  • Like
Reactions: Tagbert

Websnapx2

macrumors 6502a
Apr 24, 2003
511
510
Except, Apple built this right into iOS 13.5 and beyond. So if a customer wants to choose not to have the tracing, their option would be to stay on iOS 13.4.1, unfortunately.
No, you can turn it off. That prevents the system from working altogether. People are getting hung up on the terminology of "notification", but in this context that just means if you want the system to be looking for others using the system or not. Further to that point, the system still requires you to have a third party app made by your regional health authority to act on that information (specifically including getting information from the local database of people who have registered and tested positive, and allowing you to in turn volunteer your positive COVID result — if you choose to). Failing all of that, it cannot track you in the way you assume it is.

In layman's terms, think of the Contact Tracing Notification system as electricity. It gives you the ability to power things but is not the end product on its own, and does nothing if ignored. The third-party app is a lightbulb, utilizing a dormant infrastructure — but in this case, only specific and approved lightbulbs can use this electrical grid.

Except that Apple relentlessly pushes new versions on everyone. Every few days my iPad harasses me to upgrade to the latest iOS (13.5.1). Apple is very sneaky in their harassing pop-up upgrade messages that require multiple responses to make the pop-up message go away ... but only temporarily go away, then the whole harassing upgrade process starts again until a person accidentally hits the wrong response then BAM the upgrade starts and you can't stop it.

If Apple wants to inform users about an upgrade one time, fine, that is reasonable, but they harass users over and over, upgrade harassment never stops.
That's ridiculous — those updates include system fixes and security updates. If you don't do them you will complain about how buggy and insecure the OS is... what a horrible complaint to lob out there: they are too on top of fixes.
I just wish the US Federal Government would release a contact tracing app using the Apple/Google API. My current state app does not use the API, and requires you to register with your phone number and other personal information to participate in tracking.
I don't think the answer is going federal — keeping it local/state has many benefits and allows the opportunity to phase out per region. The issue is using a proper back end and one with a high level of data security and most important (I feel) I trust Apple/Google more than I do the government at the moment that this centralized hashed data will be dumped and not leveraged at a later date.
 
  • Like
Reactions: I7guy

I7guy

macrumors Nehalem
Nov 30, 2013
31,638
20,584
Gotta be in it to win it
I think Apple is within their bounds to restrict this, but they chose not to. A rule for apps for iOS 14 could be that you must use a new, built-in analytics kit, and that all third-party analytics and tracking networks (including for ads) are no longer allowed. Seeing scorecard research in that screenshot is especially scary, since it collects browsing data.
How is Apple supposed to know? Let's say all this naughty stuff is done on the hosting web server instead? I believe the way Apple views this, is you and the developer have an agreement. However, the app the developer puts into the store has to meet Apple's guidelines...but once your data leaves the iPhone, you have to trust the app developer is adhering to their privacy policy.
 

B4U

macrumors 68040
Oct 11, 2012
3,348
3,601
Undisclosed location
That's not how it works. For the Bluetooth contact tracing to work you have to manually install one of the few apps (one per country) available, and manually enable it. And even when enabled, the contact list is stored locally on your iPhone, and no one will be able to access it, and the contacts are stored as alphanumeric identifiers, and each phone identifier changes after 15 minutes or so, so it's completely useless for everything else.
It is a trust issue. Hence the recent study shows we have less than 50% of Americans willing to get these tracing.
No, you can turn it off. That prevents the system from working altogether. People are getting hung up on the terminology of "notification", but in this context that just means if you want the system to be looking for others using the system or not. Further to that point, the system still requires you to have a third party app made by your regional health authority to act on that information (specifically including getting information from the local database of people who have registered and tested positive, and allowing you to in turn volunteer your positive COVID result — if you choose to). Failing all of that, it cannot track you in the way you assume it is.

In layman's terms, think of the Contact Tracing Notification system as electricity. It gives you the ability to power things but is not the end product on its own, and does nothing if ignored. The third-party app is a lightbulb, utilizing a dormant infrastructure — but in this case, only specific and approved lightbulbs can use this electrical grid.


That's ridiculous — those updates include system fixes and security updates. If you don't do them you will complain about how buggy and insecure the OS is... what a horrible complaint to lob out there: they are too on top of fixes.

I don't think the answer is going federal — keeping it local/state has many benefits and allows the opportunity to phase out per region. The issue is using a proper back end and one with a high level of data security and most important (I feel) I trust Apple/Google more than I do the government at the moment that this centralized hashed data will be dumped and not leveraged at a later date.
The thing is, once that door is opened, there is nothing stopping it. It is simply a trust issue. Don't get me wrong, I am all for supporting to reduce the infections.
Remember how AccuWeather was caught doing something in the background? And until it is caught, they were running wild and free.
It is basically up to how the 3rd party uses the data and we would have to trust them not to be evil. Again, a trust issue.
Except that Apple relentlessly pushes new versions on everyone. Every few days my iPad harasses me to upgrade to the latest iOS (13.5.1). Apple is very sneaky in their harassing pop-up upgrade messages that require multiple responses to make the pop-up message go away ... but only temporarily go away, then the whole harassing upgrade process starts again until a person accidentally hits the wrong response then BAM the upgrade starts and you can't stop it.

If Apple wants to inform users about an upgrade one time, fine, that is reasonable, but they harass users over and over, upgrade harassment never stops.
To make matters worse, I tried to prove the concept that the update shall not be downloaded unless charging with WiFi connected. I used a burn phone to try that and guess what? It still downloaded 13.5.1 either on WiFi when not connected to a charger, or on my data plan when charging.
 
  • Disagree
Reactions: konqerror

Dainin

macrumors regular
Sep 4, 2009
203
151
I don't think the answer is going federal — keeping it local/state has many benefits and allows the opportunity to phase out per region. The issue is using a proper back end and one with a high level of data security and most important (I feel) I trust Apple/Google more than I do the government at the moment that this centralized hashed data will be dumped and not leveraged at a later date.

That is the great thing about the API, the hashes are completely worthless to keep and stored only on your phone. I do not support a centralized app that does not use the Apple/Google API.

The problem is only a few states are actually using the API, most are using draconian tracking and identity information. On top of that, even if I did use my state's app (which I will not unless they use the API) it is worthless if I travel. I will get no notification if I drive across State lines or someone else drives through using a contact tracing app.
 
  • Like
Reactions: JuBe and Websnapx2

Websnapx2

macrumors 6502a
Apr 24, 2003
511
510
The thing is, once that door is opened, there is nothing stopping it. It is simply a trust issue. Don't get me wrong, I am all for supporting to reduce the infections.
Remember how AccuWeather was caught doing something in the background? And until it is caught, they were running wild and free.
It is basically up to how the 3rd party uses the data and we would have to trust them not to be evil. Again, a trust issue.
What door are you talking about? You are conflating a ton of different scenarios that have no basis on what we are talking about. None of this has personal information and is leagues more secure than the options not using Apple/Google's API that is actually taking and compiling your personal data — which this is absolutely not — even when using the third-party apps. This isn't a trust issue, it is a knowledge issue... we now live in a society that bases their opinion on the least amount of research (or even basic reading) and fossilizes their opinion against new information, lest they seem weak in their fortitude.

There is no reason to have trust issues at all in this context as they have spelt out the process and are even working with their direct competitor to implement a locked-down, hashed, and on-device solution that only someone who didn't bother to read the specifics could poke holes in. AccuWeather was not using Apple's API and for all we know when their app was submitted, it was pointing to different server and data resources, then switched to the bad ones once it went live (that wouldn't be part of the actual app code so it could be modified after the fact). Using the actions of a third party app using third party resources as a way to discredit a secure API from the hardware developer is like saying trucks can't be trusted because sports cars get into a lot of accidents and they both use the same roads.

It's only untrustworthy because you choose to see it that way, not because facts and data support it.

To make matters worse, I tried to prove the concept that the update shall not be downloaded unless charging with WiFi connected. I used a burn phone to try that and guess what? It still downloaded 13.5.1 either on WiFi when not connected to a charger, or on my data plan when charging.
As I said before it is in Apple's best interests to have their hardware secure, bug free and up to date so their customers experience the least amount of issues and the best possible experience.
That is the great thing about the API, the hashes are completely worthless to keep and stored only on your phone. I do not support a centralized app that does not use the Apple/Google API.

The problem is only a few states are actually using the API, most are using draconian tracking and identity information. On top of that, even if I did use my state's app (which I will not unless they use the API) it is worthless if I travel. I will get no notification if I drive across State lines or someone else drives through using a contact tracing app.
I get what you are saying and I generally agree. The crossing of state lines is an example of why more should adopt but not that there should be a federal app. I'd much more support that the use of the approved API (either Apple/Google's, or one vetted to be superior if that exists) be mandated to support crossing state lines, just because if an issue arises with the functionality of the app, the whole country is pooched, not just one state. Beyond that, I absolutely agree.
 
  • Like
  • Disagree
Reactions: B4U and Tagbert

phenste

macrumors 6502
Sep 16, 2012
280
888
Oh, I never actually made the comment I wanted to make on this. I’m so happy to see this! The US, as the home country for the two companies that made this API, *NEEDS* to set a precedent for using it. We’ve done awfully in literally every other aspect in terms of setting a precedent, being an example—I hope this can push the idea forward of individual states having proper exposure notifications app.
 
  • Like
Reactions: Websnapx2

B4U

macrumors 68040
Oct 11, 2012
3,348
3,601
Undisclosed location
What door are you talking about? You are conflating a ton of different scenarios that have no basis on what we are talking about. None of this has personal information and is leagues more secure than the options not using Apple/Google's API that is actually taking and compiling your personal data — which this is absolutely not — even when using the third-party apps. This isn't a trust issue, it is a knowledge issue... we now live in a society that bases their opinion on the least amount of research (or even basic reading) and fossilizes their opinion against new information, lest they seem weak in their fortitude.

There is no reason to have trust issues at all in this context as they have spelt out the process and are even working with their direct competitor to implement a locked-down, hashed, and on-device solution that only someone who didn't bother to read the specifics could poke holes in. AccuWeather was not using Apple's API and for all we know when their app was submitted, it was pointing to different server and data resources, then switched to the bad ones once it went live (that wouldn't be part of the actual app code so it could be modified after the fact). Using the actions of a third party app using third party resources as a way to discredit a secure API from the hardware developer is like saying trucks can't be trusted because sports cars get into a lot of accidents and they both use the same roads.

It's only untrustworthy because you choose to see it that way, not because facts and data support it.


As I said before it is in Apple's best interests to have their hardware secure, bug free and up to date so their customers experience the least amount of issues and the best possible experience.

I get what you are saying and I generally agree. The crossing of state lines is an example of why more should adopt but not that there should be a federal app. I'd much more support that the use of the approved API (either Apple/Google's, or one vetted to be superior if that exists) be mandated to support crossing state lines, just because if an issue arises with the functionality of the app, the whole country is pooched, not just one state. Beyond that, I absolutely agree.
There is no trust issue? Which world are you living in? The negativity shown to the public is one of the contributors. How many security breaches did we hear of last year alone? Not everyone is technically inclined to go ahead and read through pages and pages of the release notes.
And you are so right about the truck and sports car example. Because they are sharing the same road.
Tell me why my insurance rate is sky high when I have no claims, no tickets and no points when I live in a state with bad drivers that do all of the above. Again, it is a trust issue at the insurance company. They wouldn't just pinpoint a single driver and say, oh this person is a very responsible citizen, let's give a very nice rate to him/her.

In regards to forcing the update, that is like someone coming into your home to change the inside of it even though you own the home. I own the damn HW and I paid for the network usage, Apple should not be allowed to force the data through something I have to pay for. Yes, I know the SW agreement says they can do that, but that is beyond ethical and unreasonable.
What is next? Everyone has to read through a 20-pager just to go buy an orange at the grocery store?
 