COVID-19 Exposure Notification System from Apple & Google and Your Privacy

Apple recently released iOS 13.5, incorporating a new Exposure Notification API in response to the global COVID-19 pandemic. We’ve seen a few people freaking out about this, but seriously, calm down, folks. At best, the Exposure Notification API could lower contact tracing costs, reduce the spread of COVID-19, prevent life-changing health consequences, and save lives. At worst, it won’t prove particularly effective. In neither case does it pose any threat to personal privacy.

Why have Apple and Google—two companies that normally compete tooth and nail—formed this unprecedented partnership? Contact tracing is one of the key techniques employed by public health authorities in slowing the spread of COVID-19. It involves gathering information from an infected person about those they’ve been in contact with, enabling authorities to learn who might have been the source of the infection and who they may have infected. It’s a slow, laborious, and error-prone process—do you know or even remember all the people you’ve come in contact with over the past few weeks?—but it’s helpful nonetheless.

To speed up this process and make it more accurate, Apple and Google are building exposure notification capabilities into their respective smartphone operating systems. A large percentage of the population carries a smartphone running either iOS or Android, and since these phones have the capability to detect when other phones are in their vicinity via Bluetooth, Apple and Google realized they could use technology to alert people when they had been exposed to a person who later tests positive for COVID-19.

Their solution comes in two phases. In the first phase, Apple and Google are releasing the Exposure Notification API, and that’s what just happened with iOS 13.5. This API, or application programming interface, allows apps written by public health authorities to work across both iOS and Android devices, something that’s never been possible before. The first key fact to understand is that only public health authorities will be allowed to write apps that leverage the Exposure Notification API. It cannot be incorporated into sketchy social media apps.

Unfortunately, it seems likely that many people will never learn about or download those apps. So in the second phase, Apple and Google will build the exposure notification technology directly into iOS and Android, so it can work without a public health authority app being installed.

The second key fact to understand is the entire system is opt-in. You must explicitly consent to the terms and conditions of the program before it becomes active on your phone. That’s true whether you get an app in the first phase or rely on the integration in the second phase. And, of course, if you change your mind, you can always turn it off in the app or the operating system settings.

How does it work? Apple and Google have developed an ingenious approach that ensures that those who opt in to the technology can use it without worrying about privacy violations.

Your phone creates a Bluetooth beacon with a unique ID derived from a randomly generated diagnosis encryption key. The system generates a fresh diagnosis key every 24 hours and stores it on your phone for 14 days, deleting all older keys. Plus, the unique Bluetooth beacon ID that your phone broadcasts to other phones in your vicinity changes every 15 minutes. Similarly, your phone reads the unique IDs from nearby phones and stores them locally. This approach ensures privacy in three important ways:

  • No personal information is shared. The ID is based on a random encryption key and changes constantly, so there’s no way it could be traced back to your phone, much less to you personally.
  • No location information is stored. The only data that’s generated and transferred between the phones are these unique IDs. The system does not record or share location information, and Apple and Google have said they won’t approve any public health authority app that uses this system and also records location separately.
  • No data is uploaded unless you test positive. As long as you remain uninfected by COVID-19, no data from your phone is uploaded to the Apple- and Google-controlled servers.

What happens if you test positive for COVID-19? (Sorry!) In that case, you would need to use a public health authority app to report your test results. You’ll likely have to enter a code or other piece of information to validate the diagnosis—a requirement necessary to prevent fake reporting.

When the app confirms your diagnosis, it triggers your phone to upload up to the last 14 days of diagnosis encryption keys—remember, these are just the keys from which the IDs are derived, not the IDs themselves—to the servers. Fewer days might be uploaded depending on when the exposure could have occurred.

All the phones enrolled in the system constantly download these diagnosis keys from devices of infected people. Then they perform cryptographic operations to see if those keys match any of the locally stored Bluetooth IDs captured during the period covered by the key. If there’s a match, that means you were in proximity to an infected person, and the system generates a notification with information about the day the exposure happened, how long it lasted, and the Bluetooth signal strength (which can indicate how close you were). A public health authority app will provide detailed instructions on how to proceed; if someone doesn’t have the app yet, the smartphone operating system will explain how to get it. Additional privacy protections are built into these steps:

  • No one is forced to report a positive diagnosis. Just as you have to opt in to the proximity ID sharing, you must explicitly choose to share your positive diagnosis. Not sharing puts others, including your loved ones, at risk, but that’s your decision to make.
  • Shared diagnosis keys cannot identify you. The information that your phone uploads in the case of a positive diagnosis is limited to—at most—14 encryption keys. Those keys, which are then shared with others’ phones, contain no personal or location information.
  • The matching process takes place only on users’ phones. Since the diagnosis keys and the derived IDs only meet on individual phones, there’s no way Apple, Google, or any government agency could match them up to establish a relationship.
  • The notification information is too general to identify individuals. In most cases, there will be no way to connect an exposure notification back to an individual. Obviously, if you were in contact with only one or two people on a relevant day, that’s less true, but in such a situation, they’re likely known to you anyway.
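To make the key-and-ID dance above concrete, here is a small simulation written for this article; it is not Apple’s or Google’s code. It assumes HMAC-SHA256 in place of the HKDF and AES derivation in the published specification, abstract day and interval counters instead of clock time, and three made-up phones (Alice, Bob, Carol). It shows that only daily keys ever leave a phone, that matching happens locally, and that a phone never near the infected person finds nothing.

```python
"""Simplified model of the Exposure Notification key/ID scheme (added example).
Assumption: HMAC-SHA256 stands in for the HKDF+AES derivation of the real spec;
days and intervals are plain counters rather than timestamps."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

KEY_RETENTION_DAYS = 14                 # older daily keys are deleted (page: 14 days)
INTERVAL_MINUTES = 15                   # page: the broadcast ID changes every 15 minutes
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MINUTES


def new_diagnosis_key() -> bytes:
    """A fresh random 16-byte diagnosis key, generated once per day."""
    return os.urandom(16)


def rolling_id(day_key: bytes, interval: int) -> bytes:
    """Derive the beacon ID for one interval of the day. Without day_key, IDs from
    different intervals look unrelated, so an observer cannot link one phone's
    beacons over time (assumption: HMAC replaces the spec's HKDF+AES)."""
    msg = b"EN-RPI" + struct.pack("<I", interval)
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


@dataclass
class Exposure:
    day: int
    interval: int
    rssi: int            # signal strength, a rough proxy for distance


@dataclass
class Phone:
    keys: dict = field(default_factory=dict)      # day -> diagnosis key (local only)
    observed: dict = field(default_factory=dict)  # beacon ID -> (day, interval, rssi)

    def key_for(self, day: int) -> bytes:
        """Return today's key, creating it if needed and pruning keys older than 14 days."""
        if day not in self.keys:
            self.keys[day] = new_diagnosis_key()
            for old in [d for d in self.keys if d <= day - KEY_RETENTION_DAYS]:
                del self.keys[old]
        return self.keys[day]

    def broadcast(self, day: int, interval: int) -> bytes:
        return rolling_id(self.key_for(day), interval)

    def observe(self, beacon: bytes, day: int, interval: int, rssi: int) -> None:
        """Store a beacon heard nearby; nothing here identifies the other phone."""
        self.observed[beacon] = (day, interval, rssi)

    def export_diagnosis_keys(self) -> list:
        """The only data uploaded after a positive test: (day, key) pairs, no IDs."""
        return sorted(self.keys.items())

    def match(self, diagnosis_keys: list) -> list:
        """Run locally: re-derive every interval ID of each downloaded key and look
        for it among the beacons this phone heard on that day."""
        found = []
        for day, key in diagnosis_keys:
            for interval in range(INTERVALS_PER_DAY):
                hit = self.observed.get(rolling_id(key, interval))
                if hit is not None and hit[0] == day:
                    found.append(Exposure(day, interval, hit[2]))
        return found


def simulate() -> tuple:
    """Constructed scenario: Bob is near Alice on day 3, interval 40; Carol never is."""
    alice, bob, carol = Phone(), Phone(), Phone()
    bob.observe(alice.broadcast(3, 40), 3, 40, rssi=-60)
    carol.observe(Phone().broadcast(3, 40), 3, 40, rssi=-70)   # some unrelated phone
    uploaded = alice.export_diagnosis_keys()                    # Alice tests positive
    return bob.match(uploaded), carol.match(uploaded)


if __name__ == "__main__":
    print(simulate())
```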

Finally, Apple and Google have said they’ll disable the exposure notification system on a regional basis when it is no longer needed.

We apologize if that sounds complicated. It is, and necessarily so, because Apple and Google have put a tremendous amount of thought and technical and cryptographic experience into developing this exposure notification system. They are the preeminent technology companies on the planet, and their knowledge, skills, and expertise are as good as it gets. A simpler system—and, unfortunately, we’ll probably see plenty of other apps that won’t be as well designed—would likely have loopholes or could be exploited in unanticipated ways.

You can read more about the system from Apple and Google, including a FAQ and the technical specifications.

Our take? We’ll be installing the necessary app and participating in this exposure notification system. It’s the least we can do to help keep our loved ones and others in our communities safe. In a pandemic, we all have to work to help others.

(Featured image based on an original by Dennis Kummer on Unsplash)

Exercise (Some) Control over How Much Your Location Is Tracked

The New York Times recently published a bombshell article revealing just how completely our every movement is tracked by companies in the business of selling our locations to advertisers, marketers, and others. Anonymous sources provided the Times with a dataset from a single location-data company that contained 50 billion pings from the phones of more than 12 million Americans over several months in 2016 and 2017. 

This data enabled the Times reporters to track numerous people in positions of power, including military officials, law-enforcement officers, and high-powered lawyers. They were able to watch as people visited the Playboy Mansion, some overnight, and they could see visitors to celebrity estates. Once they identified any particular phone, they could track it wherever it went. Imagine what that data could be used for in the wrong hands.

No one intends to let unknown companies track their locations constantly. But code built into smartphone apps does just that, often without our knowledge. Many of the apps that request access to location services have an entirely legitimate reason for doing so—for example, Google Maps can’t provide navigation directions unless it knows where you are. But others want location access for less practical reasons—do you really want to let a coffeeshop app know your location at every moment in exchange for the occasional free latte? And some apps—notably weather apps—may have a legitimate need for location information but use that data for far more than users expect.

Even if you’re not too perturbed about companies you’ve never heard of knowing your exact whereabouts at all times (mostly to serve you more targeted advertising), there’s no guarantee this data couldn’t fall into the hands of foreign governments, organized crime, or hackers willing to sell your movement patterns to an aggrieved employee, corporate spy, or jealous ex-lover.

Steps You Can Take to Protect Your Location Privacy

Luckily, Apple provides controls in iOS that let you limit your exposure. For most people, going completely dark isn’t realistic. Too many iPhone capabilities require location services, ranging from turn-by-turn directions, to geotagging photos, to using Find My to see if your kid has left the soccer tournament yet. 

Nevertheless, going dark is a possibility: go to Settings > Privacy > Location Services and disable the Location Services switch at the top. That turns off location services for all apps, although iOS will turn them back on temporarily if you use Find My iPhone to enable Lost Mode.

Here’s what we recommend instead.

  1. Go to Settings > Privacy > Location Services and scroll down to see a list of every app on your iPhone that would like to know your location. (The same is true on the iPad, but fewer people use their iPads as much while out and about.)
  2. For each app in the list, tap the app’s name to bring up the Allow Location Access screen, which has up to four options:
    • Never: Prevent this app from ever determining your location.
    • Ask Next Time: The next time the app wants permission to track you, make it ask again.
    • While Using the App: Allow the app to track your location as long as you’re actually using it. 
    • Always: Let the app track your location at all times, even when you’re not using it.
  3. Tap one of the options to select it, and then tap Back to return to the list.

We can’t tell you exactly how to configure each app since everyone has a different set and different levels of privacy worry. However, here is some advice:

  • Apps and other entries from Apple are generally safe because Apple has an extremely strong privacy stance and excellent security against hacks. But, down in System Services at the bottom, we’d turn off Location-Based Apple Ads and Popular Near Me—even if Apple is collecting this data anonymously, it’s still being used to sell things to you, not to provide useful services to you.
  • For most apps, change the Allow Location Access setting to Ask Next Time to force each app to prompt you again. If it asks at a point where it’s reasonable that it would need to know your location, such as Yelp wanting to show you nearby restaurants, grant it. If you don’t understand why it’s asking, or if the request seems weak (“To show you which wines are available for purchase in your area.”), deny the request.
  • With apps that obviously need location services, such as a parking app that needs to know which area you’re in, change the setting to While Using the App and see if that meets your needs.
  • Only if you clearly need to allow a particular app to track your location in the background—turn-by-turn navigation apps are the most common—should you change that setting to Always. Almost no apps should be given such power, and many won’t even provide the option.

There’s one unusual item in the list: Safari Websites. It’s a master switch that lets Web sites loaded in Safari ask for your location. That’s probably not a major privacy concern, but so few Web sites provide sufficiently useful location-based features (mostly for finding nearby chain store outlets) that it’s hardly worth enabling.

In the end, go with your gut. If thinking about a particular app or company potentially recording your location constantly gives you the creeps, turn it off and either find an alternative or do without. Legislation may be the only solution in the end, but for now, we can take steps like these to protect ourselves.

(Featured image based on an original by Garik Barseghyan from Pixabay)

Use macOS’s Guest Account & Protect Your Privacy from Temporary Users


We’ve all had it happen. “Can I use your Mac for a minute to check my email?” The answer can be “Yes,” but to keep people from poking around on your Mac, have your visitor log in as Guest. To enable the Guest account, go to System Preferences > Users & Groups. If the lock at the bottom left is closed, click it and enter your admin credentials. Then click Guest User in the list, and select “Allow guests to log in to this computer.” To switch to the Guest account, go to the Apple menu and choose Log Out YourAccountName to access the login screen. Your guest can then click the Guest User icon, at which point they’ll have a clean account to work in. When they log out, the account—including any files they created or downloaded—will be deleted, thus protecting their privacy as well.

(Featured image by Apple)

Privacy Request Dialogs in Mojave Explained

With macOS 10.14 Mojave, Apple has beefed up the Mac’s privacy so it more closely resembles privacy in iOS. You’ve noticed that when you launch a new app on your iPhone or iPad, it often prompts for access to your photos or contacts, the camera or microphone, and more. The idea behind those prompts is that you should always be aware of how a particular app can access your personal data or features of your device. You might not want to let some new game thumb through your photos or record your voice.

macOS has been heading in this direction, but Mojave makes apps play this “Mother, May I?” game in more ways. As a result, particularly after you first upgrade, you may be bombarded with dialogs asking for various permissions. For instance, when you first make a video call with Skype, it’s going to ask for access to the camera and the microphone. Grant permission and Skype won’t have to ask again.

Skype’s requests are entirely reasonable—it wouldn’t be able to do its job without such access. That applies more generally, too. In most cases, apps will ask for access for a good reason, and if you want the app to function properly, you should give it access.

However, be wary if a permission dialog appears when:

  • You haven’t just launched a new app
  • You aren’t doing anything related to the request
  • You don’t recognize the app making the request

There’s no harm in denying access; the worst that can happen is that the app won’t work. (And if it’s malicious, you don’t want it to work!) You can always grant permission later.

To see which permissions you’ve granted or denied, open System Preferences > Security & Privacy > Privacy. A list of categories appears on the left; click one to see which apps have requested access. If you’ve granted access, the checkbox next to the app will be selected; otherwise it will be empty.

You’ll notice that the lock in the lower-left corner is closed. To make changes, click it and sign in as an administrator when prompted.

Most of these categories are self-explanatory, but it might not always be obvious why an app wants permission. In the screenshot above, for instance, Google Chrome has been granted access to the Mac’s camera. Why? So Google Hangouts and other Web-based video-conferencing services can work.

There are five categories (including three not showing above) that could use additional explanation:

  • Accessibility: Apps that request accessibility access want to control your Mac. In essence, they want to be able to pretend to click the mouse, type on the keyboard, and generally act like a user. Utility and automation software often needs such access.
  • Full Disk Access: This category is a catch-all for access to areas on your drive that aren’t normally available to apps, such as data in Mail, Messages, Safari, Home, and more, including Time Machine backups and some admin settings. Backup and synchronization utilities may need full disk access, in particular. An app can’t request full disk access in the normal way; you must add it manually by clicking the + button under the list and navigating to the app in the Applications folder.
  • Automation: The Mac has long had a way for apps to communicate with and control one another: Apple events. An app could theoretically steal information from another via Apple events, so Mojave added the Automation category to give you control over which apps can control which other apps. You’ll see normal permission requests, but they’ll explain both sides of the communication.
  • Analytics: The Analytics privacy settings are completely different—they let you specify whether or not you want to share information about how you use apps with Apple and the developers of the apps you use. For most people, it’s fine to allow this sharing.
  • Advertising: Finally, the Advertising options give you some control over the ads that you may see in Apple apps. In general, we recommend selecting Limit Ad Tracking, and if you click Reset Advertising Identifier, any future connection between you and the ads you’ve seen will be severed from past data. There’s no harm in doing it. It’s worth clicking the View Ad Information and About Advertising and Privacy buttons to learn more about what Apple does with ads.

Being an Apple User Means You’re Not the Product

There’s an Internet saying: “If you’re not the customer, you’re the product.” The point is that, if you’re getting a service for free, the company providing it sees you not as a customer, but as a product to sell, generally to advertisers.

This is how Google, Facebook, and Twitter operate. They provide services for free, collect data about you, and make money by showing you ads. In theory, the more that advertisers know about you, the better they can target ads to you, and the more likely you’ll be to buy. Personalized advertising can seem creepy (or clueless, when it fails), but it isn’t inherently evil, and we’re not suggesting that you stop using ad-supported services.

This ad-driven approach stands in stark contrast to how Apple does business. Apple makes most of its money by selling hardware—iPhones, Macs, and iPads, primarily. Another big chunk of Apple’s revenue comes from App Store and iTunes Store sales, iCloud subscriptions, and Apple Pay fees. Knowing more about you, what Web pages you visit, what you buy, and who you’re friends with doesn’t help Apple’s business, and on its Privacy page, Apple says bluntly, “We believe privacy is a fundamental human right.”

Of course, once your data is out there, it can be lost or stolen—in June 2018, a security researcher discovered that the online data broker Exactis was exposing a database containing 340 million records of data on hundreds of millions of American adults. Ouch!

Let’s look at a few of the ways that Apple protects your privacy.

Siri and Dictation

The longer you use Siri and Dictation, the better they work, thanks to your devices transmitting data back to Apple for analysis. However, Apple creates a random identifier for your data rather than associating the information with your Apple ID, and if you reset Siri by turning it off and back on, you’ll get a new random identifier. Whenever possible, Apple keeps Siri functionality on your device, so if you search for a photo by location or get suggestions after a search, those results come from local data only.

Touch ID and Face ID

When you register your fingerprints with Touch ID or train Face ID to recognize your face, it’s reasonable to worry about that information being stored where attackers—or some government agency—could access it and use it for nefarious purposes. Apple was concerned about that too, so these systems don’t store images of your fingerprints or face, but instead mathematical signatures based on them. Those signatures are kept only locally, in the Secure Enclave security coprocessor that’s part of the CPU of the iPhone and iPad—and on Touch ID-equipped laptops—in such a way that the images can’t be reverse engineered from the signatures.

And, of course, a major goal of Touch ID and Face ID is to prevent someone from violating your privacy by accessing your device directly.

Health and Fitness

People with medical conditions can be concerned about health information impacting health insurance bills or a potential employer’s hiring decision. To assuage that worry, Apple lets you choose what information ends up in the Health app, and once it’s there, encrypts it whenever your iPhone is locked. Plus, any Health data that’s backed up to iCloud is encrypted both in transit and when it’s stored on Apple’s servers.

App Store Guidelines

A linchpin in Apple’s approach to privacy is its control over the App Store. Since developers must submit apps to Apple for approval, Apple can enforce stringent guidelines that specify how apps can ask for access to your data (location, photos, contacts, etc.). This isn’t a blanket protection—for instance, if you allow a social media app like Facebook to access your contacts and location, the company behind that app will get lots of data on your whereabouts and can even cross-reference that with the locations of everyone in your contact list who also uses the service.

In the end, only you can decide how much information you want to share with the likes of Google, Facebook, and Twitter, and only you can determine if or when their use of your details feels like an invasion of privacy. But by using Apple products and services, you can be certain that the company that could know more about you than any other is actively trying to protect your privacy.

iOS 11.3 Introduces New Battery Health Feature, Business Chat, & More

At the end of March, Apple released updates to all four of its operating systems, but iOS 11.3 was the most notable. It boasts a variety of new features and other changes—you can think of it as the midpoint update between iOS 11’s first release and iOS 12, probably coming next September. All remaining updates to iOS 11 are likely to be minor maintenance updates. Here’s what’s new.

iPhone Battery Health

The most anticipated change is the Battery Health feature that Apple promised to add in the wake of revelations that the company was quietly reducing the performance of older iPhone models (starting with the iPhone 6) to lessen the chance of unexpected shutdowns with weak batteries. You find the new Battery Health screen in Settings > Battery > Battery Health, and Apple explains it in detail here.

If your iPhone battery is aging, you may see a lower maximum capacity, and if your iPhone has shut down because of a weak battery, the screen will tell you that performance management has been applied. You can disable performance management, if you prefer the iPhone shutting down to degraded performance, but it will turn on again the next time your iPhone shuts down. Finally, if your battery is bad enough, the screen will recommend replacement.

Also note that iPads running iOS 11.3 can better maintain battery health when they’re plugged into power for long periods of time. Be sure to upgrade if you have an iPad that stays plugged in all the time.

Business Chat

New in both iOS 11.3 and macOS 10.13.4 High Sierra is Business Chat, an Apple service that lets you chat with participating companies directly within Messages. If you look up one of these companies in Maps, Safari, or Search/Spotlight and see a Messages button, just use it to start a conversation. Only you can start conversations, and Business Chat can be a fast way to ask questions, get support, schedule appointments, and even make purchases using Apple Pay.

Apple’s launch partners are 1-800-Flowers, Ameritrade, Discover, Hilton, Home Depot, Lowe’s, Marriott, Newegg, and Wells Fargo, although not all of them seemed to be active out of the gate. And, of course, you can use Business Chat with Apple itself.

Health Records

Most people won’t be able to take advantage of iOS 11.3’s next new feature—medical records in the Health app—right away, but we have high hopes for it. Apple has partnered with over 40 healthcare systems to bring your medical records into the Health app, centralizing them and making them easier for both you and healthcare professionals to access. The records include lab results, medications, conditions, and more. Health Records data is encrypted and protected with a passcode so it remains private.

Data & Privacy

We haven’t yet seen this, but Apple says that iOS 11.3 (and macOS 10.13.4) will display a new privacy icon whenever Apple asks for access to personal information, as it might do to “enable features, secure Apple services or personalize an iOS experience.” The icon should be accompanied by detailed privacy information explaining the situation. In an era when every company seems hell-bent on collecting and exploiting our personal data, it’s nice to see Apple increasing the transparency of its data collection practices.

Safari

iOS 11.3 tweaks Safari in several small ways that make it easier to use and more secure:

  • Autofill now inserts usernames and passwords only after you select them on Web pages.
  • Autofill now works in Web views within other iOS apps.
  • Safari warns you when you interact with password or credit card forms on non-encrypted pages.
  • Safari now formats shared articles sent via Mail as though they were in Reader mode.
  • Favorites folders now show icons for the contained bookmarks.

Other Improvements

Apple made lots of other minor improvements in iOS 11.3. You can see a full list in the release notes, but those that we find most noteworthy include:

  • iPhone X users get access to four new animoji: a lion, dragon, skull, and bear.
  • iOS 11.3 adds support for the Advanced Mobile Location (AML) standard, which provides more accurate location data to emergency responders when Emergency SOS is triggered.
  • Podcasts now plays episodes with a single tap, and you can tap Details to learn more about episodes.
  • Apple Music now streams music videos uninterrupted by ads.
  • Apple News has improved its Top Stories feature and includes a new Video group in the For You collection.

iOS 11.3’s improvements may not change the way you use your iPhone or iPad, but they’re welcome nonetheless, and Business Chat and Health Records should become more interesting as additional institutions sign on. And, of course, anyone with an older iPhone should check the Battery Health screen right away.