On May 27, 2020, in the French National Assembly, Cédric O, the French Secretary of State for Digital Economy, forcibly expressed his government's frustration with Apple and Google in terms more appropriate to a cold war confrontation between superpowers. He noted that France and the U.K. were the two European countries building COVID-19 contact-tracing apps without these tech giants' assistance. These countries were also the only two European countries with nuclear weapons, the "acme of national sovereignty."a
The frustration of a modern state, unable to respond to the most severe public health crisis in a century because of two private companies' decisions, should give us all pause. Apple and Google have complete and unquestionable control over the computer in your pocket and are not shy about exercising it. It is time to do something about it.
In the midst of the COVID-19 epidemic, Apple and Google jointly introduced the Exposure Notification framework4,6 to facilitate the construction of interoperable COVID-19 contact tracing applications for iOS and Android smartphones. This framework uses Bluetooth Low Energy (BLE) advertising beacons to discover nearby smartphones running the contact-tracing app, determine the distance between the phones, and estimate potential COVID-19 exposure between phones' users.
The DP3T group at the Swiss Federal Technical Universities EPFL and ETH developed the privacy-preserving protocol used in this framework1 and built one of the first apps. Along with everyone else, we needed Apple's cooperation to make these apps run satisfactorily on Apple iPhones, which intentionally do not expose the functionality necessary to send and receive BLE beacons from apps running in the background. Some countries, such as Singapore and the U.K., tried to work around this limitation. The resulting apps required a phone to remain unlocked and rapidly drained its battery. Not surprisingly, user acceptance was low.
Under public and private pressure, Apple and Google jointly proposed an Exposure Notification protocol enabling the construction of COVID-19 tracing apps. The companies selected a decentralized, privacy-preserving protocol, similar to the one DP3T had developed and published.3 The DP3T team worked closely with the two companies on the implementation and on the SwissCOVID app, which was the first COVID-19 tracing app in widespread testing.
Other countries, such as Germany, France, and the U.K., and U.S. states, such as North Dakota and Wyoming, wanted to build their COVID-19 tracing apps along different lines. Some preferred a centralized approach, in which a server processes all exposures. Others wanted to collect additional information, for example, when and where a contact occurred.
Apple and Google refused to allow any variance in the design of a contact-tracing app. Their expose-notification API did not reveal the received exposure keys to an app, which would be necessary to implement a centralized solution. Also, the API's license terms prevented apps from collecting physical location information. Moreover, the companies decreed that each country or state would be allowed only one COVID-19 tracing app and that the national or state health authority must produce it.
These decisions can be justified as measures to protect user privacy. Still, in the end, the technical stranglehold of these two companies, rather than the merits of the arguments, carried the day. In the U.S. and most other countries, COVID-19 tracing apps—but not France's—use the Apple and Google framework. Appeals, pressure, and threats from sovereign governments did not carry sufficient weight to change Apple and Google's decision.
The key issue here is the unprecedented degree of control that both Apple and Google exercise over the software that runs on mobile phones, today's dominant computing platform. Half of the world's people own a smartphone, with a far higher percentage in developed countries such as the U.S., China, and Europe. For many, their phones are the primary computer they use to access information, play games, or communicate with other people. In 2019, in the U.S., an average person spent 51 minutes connected to the Internet from a desktop computer but over four times as much on a smartphone.7 Control of smartphones is control of peoples' interactions with the world.
Since the early days of Apple's iPhone, and subsequently, Google's Android phones, these two companies have exercised near-total control over the functionality of software written for and distributed on "their" smartphones. Turing's work in the 1930s showed the computers are universal computing devices, capable of executing any computable function. Apple and Google are using their control of the smartphone platforms to subvert this fundamental principle, with a foreseeable cost in innovation and competitiveness.
Apple and Google exercise control at two levels. Smartphones, from the beginning, never permitted apps to access the underlying physical devices or coprocessors in a phone but instead provided application programming interfaces (APIs) that tightly constrain how a phone can be used. Beyond this, Apple limits apps' distribution to its App Store, which imposed stringent rules and a strict gatekeeping process to control which apps are acceptable.b Google allows alternative app stores, but its dominant Play Store follows a model similar to Apple. Not only are some apps difficult or impossible to build with the APIs, but even if a creative software developer finds a way to work around the limitations, they may find it difficult or impossible to distribute their app to consumers.
Apple and Google refused to allow any variance in the design of a contact-tracing app.
Both companies argue that their practices and restrictions benefit smartphone users. The companies claim to have improved software security by taking on the challenging task of scrutinizing apps in their stores for malware. Moreover, the stores offered convenient, well-known places to find any app.
At the same time, control of both the computing platform and the distribution of applications give Apple and Google unprecedented control over what software can and will be written, and hence what you can do with your smartphone.
Their control became clear in the context of the COVID-19 proximity tracing apps developed last spring. It is, however, hardly the only such incident. At the same time, Apple engaged in a public battle with Basecamp about their HEY mail reading app to force them to route payments through Apple's App Purchase, where it could take a 30% commission.2 Similarly, Apple rejected game apps from tech giants Microsoft and Facebook that violated its rule against "arcade" games in its App Store.5
The COVID-19 incident, however, should worry us all. COVID-19 apps were not the subject of a commercial dispute. Many experts agreed that these apps could help reduce the spread of an epidemic. Despite this, Apple and Google told all of the world's governments and public health agencies: we know more than you about how to control a pandemic, and we will not allow you to bring your expertise to bear, to collect different information, or even to experiment with alternative approaches.
Although I would be happy to argue that Apple and Google made a wise choice in implementing DP3T's privacy-preserving protocol, their monopolistic and arbitrary control over which software can run on smartphones will deaden innovation. Consumers already have an impoverished selection of apps. Moreover, the tech giant's arbitrary power furthers the competitive advantage of China's vibrant smartphone ecosystem, which is flourishing and innovating beyond these American companies' control—however, under the heavy thumb of the Chinese government.
Technical innovation alone will not resolve this problem—though improvements in security and privacy engineering might help iOS and Android achieve the goal (providing a safe smartphone user experience) that is the rationale for Apple and Google's close control. At the same time, Apple and Google employ advanced security techniques such as cryptography and secure enclaves to control which software will run on their phones. To them, malware is any software that has not gained their stamp of approval. In the end, however, it is a political and legal question whether two companies, no matter what their intent, should have the power to decide which software runs on a person's smartphone.
Fortunately, antitrust regulators in Europe and the U.S. are starting to consider the consequences of allowing two private companies complete and unquestioned control over the world's smartphones. Hopefully, these inquiries will lead to the realization that concentrated control over the computing platform in the 21st century is as dangerous to innovation and commerce as were the railroad and oil monopolies of the 19th and 20th centuries.
1. Apple and Google update joint coronavirus tracing tech to improve user privacy and developer flexibility. TechCrunch (Apr. 24, 2020); https://tcrn.ch/3r60AhK
2. Apple vs. HEY; https://hey.com/apple/
3. Decentralized Privacy-Preserving Proximity Tracing. (May 25, 2020); https://bit.ly/3r68WGl
4. Exposure Notification API launches to support public health agencies. (May 20, 2020); https://bit.ly/3B0UT9t
5. Facebook. Microsoft gripes with Apple's App Store on EU's antitrust radar. Reuters (Aug. 10, 2020); https://reut.rs/3ra85El
6. Privacy-Preserving Contact Tracing. (May 20, 2020); https://www.apple.com/covid19/contacttracing
7. Tech companies tried to help us spend less time on our phones. It didn't work. Vox Recode, (Jan. 6, 2020); https://bit.ly/3wG92FL
a. "To date, 22 countries have chosen to develop a contact protection solution based on the interface developed by Apple and Google—the 22 countries do not include France or the U.K., which, is it a coincidence, are also the only two European countries to have their own nuclear deterrent, which is ultimately the acme of national sovereignty"; https://bit.ly/3B0gBKY
b. Brad Smith, President of Microsoft, commented that the App Store presents a higher barrier to competition than what Microsoft was accused in its antitrust prosecution 20 years ago. See "Microsoft Says Antitrust Bodies Need to Review Apple App Store" Bloomberg (June 18, 2020); https://bloom.bg/3iaEPcu
The Digital Library is published by the Association for Computing Machinery. Copyright © 2021 ACM, Inc.
The basic question the article does not come close to is whom the general public may possibly trust more on an ongoing basis - governments or companies. "Trust" as a word does not even come up in the text. If the public trusts companies then there is a chance that governments will do the job and keep companies in check. Maybe. Yet if the trust is in governments, then there is no, or much less available, recourse. And it would be an insanity to allow a stew of governments to extend and adjust a privacy-sensitive protocol. So COVID applications and commerce vs govt control is a poor example of a real problem.
That is the question raised about the control. Governments may indeed facilitate wider competition and dictate the level of support and spec sharing required from companies. Right to repair, AppStore limitations, and similar issues come to mind. And yes, privacy regulations. Governments are failing to address the populace's needs in most of those issues. Companies do what they are good at and created for. Governments do not.
COVID-19 protocol is just a poor example of it.
Displaying 1 comment