Skip to Content
Pandemic Technology Project

The US’s draft law on contact tracing apps is a step behind Apple and Google

States have been left to develop their own covid-19 apps. Now attempts to introduce greater privacy protections face being ‘dictated by’ Silicon Valley.

American legislators have outlined a plan to regulate digital contact tracing apps to protect people’s privacy. But the bill, unveiled on June 1 with bipartisan support, largely recommends measures already built in to a technology provided by Silicon Valley giants Apple and Google.

The Exposure Notification Privacy Act is a proposal to prevent potential abuses by the apps, which aim to alert users who might have been exposed to covid-19. Among other things, it would require anyone who operates an exposure notification service to “collaborate” with public health authorities; make usage of the app voluntary; and block the commercial use of any data it might collect.

The bill is being led by senators Maria Cantwell of Washington, Bill Cassidy of Louisiana, and Amy Klobuchar of Minnesota. It is the first visible attempt at national leadership around digital contact tracing, despite the fact that America has been the center of the pandemic for weeks. The Centers for Disease Control has been offering limited guidance to states producing their own apps, but the White House has remained largely silent as the death toll has risen to more than 100,000 people.

While America’s rollout of contact tracing has lagged behind many other countries, MIT Technology Review’s Covid Tracing Tracker—a global database of contact tracing apps—has now started tracking activity within the US. Early apps have been documented in Alabama, South Carolina, Utah, South Dakota, and North Dakota, with more expected to arrive in the coming weeks.

‘Dictating terms’

However, while the bill steps into a void left by federal agencies, many of the proposed rules are actually already part of the policies enacted by Apple and Google.

The two Silicon Valley companies joined forces in April to develop and deploy an exposure notification system, which most states are planning to use as the underlying framework for their apps. Their rules mean that many of the legislative suggestions in the Senate bill are, in fact, already de facto standards. For example, only apps with support from national or state-level health authorities are currently granted access to Apple and Google’s technology, and they cannot use it if they make the download of such a program mandatory. 

Jeffrey Kahn, director of the Johns Hopkins Berman Institute of Bioethics, says that Apple and Google have already been effectively setting national policy through their decisions.

“There’s a vacuum, and they do control access through the technology,” he says. “I guess it’s not surprising, but they’re definitely dictating terms.”

Kahn and a group of colleagues recently published a book of proposals and commentaries on the ethics of digital contact tracing services. In that book they highlighted Apple and Google’s outsized role in the process—and the lack of legislative control over a vital public health function.

This is partly because the speed and scale of the pandemic has taken everybody by surprise, including politicians and experts. But it has also been complicated by the confusing political messages and misinformation around covid-19. And while Kahn says privacy concerns are very important, and an obvious focus for the likes of Apple and Google, he adds that there are also other factors that must be balanced against each other.

“The public has values, too, which includes privacy, but not only privacy,” he says. “This needs to be driven by public health, which may or may not be the same as what Apple and Google have decided are the terms of contact.”

For example, says Kahn, the technology companies have placed a premium on minimizing the app’s battery usage. This may make it more palatable to users—and therefore better for Google and Apple—but also means it may be harder to detect people nearby: a product decision that may reduce, rather than improve, the public health impact.

“We’re pushing back pretty hard on that,” he says. “I can't think of another time when we've been under such pressure to figure out solutions where we have to figure this stuff out on the fly. And they are very complicated, and in a very politically charged context.”

Outside the US

America’s patchwork approach to rolling out official tracing apps—leaving each state to make its own decisions and build its own systems—makes the deployment of such services uniquely complicated. Elsewhere around the world, governments and technologists have been working in close cooperation for several months to develop and roll out digital contact tracing systems. While the Covid Tracing Tracker details the different approaches taken in various places—including India’s partly mandatory system and Iceland’s popular but largely uninfluential app—most countries have adopted the same process nationwide.

In Europe, existing consumer privacy legislation such as the GDPR, or General Data Protection Regulation, has meant that governments have largely developed and adopted these apps—including the Apple-Google protocols—without needing to write new laws to protect citizens.

Danny Weitzner, director of the MIT Internet Policy Research Initiative and former digital privacy czar in the Obama administration, said in an interview on Technology Review’s Radio Corona that European law has allowed for a range of approaches under a single umbrella.

“Different countries have chosen different approaches. Some—like the UK, France, Belgium and a few others—have taken a centralized approach: they've decided to take a lot of the information directly. “Different countries have chosen different approaches. Some—like the UK, France, Belgium, and a few others—have taken a centralized approach: they've decided to take a lot of the information directly into government systems and then disperse out what they think people need,” he says. “That’s acceptable under the GDPR, providing the governments follow appropriate safeguards and limit the usage of the information to just public health purposes. Other countries—Germany, Italy, Switzerland, Austria—have taken a more decentralized approach. But neither one has any claim to being better in any respect under the GDPR yet.”

Keep Reading

Most Popular

individual aging affects covid outcomes concept
individual aging affects covid outcomes concept

Anti-aging drugs are being tested as a way to treat covid

Drugs that rejuvenate our immune systems and make us biologically younger could help protect us from the disease’s worst effects.

Europe's AI Act concept
Europe's AI Act concept

A quick guide to the most important AI law you’ve never heard of

The European Union is planning new legislation aimed at curbing the worst harms associated with artificial intelligence.

Uber Autonomous Vehicles parked in a lot
Uber Autonomous Vehicles parked in a lot

It will soon be easy for self-driving cars to hide in plain sight. We shouldn’t let them.

If they ever hit our roads for real, other drivers need to know exactly what they are.

crypto winter concept
crypto winter concept

Crypto is weathering a bitter storm. Some still hold on for dear life.

When a cryptocurrency’s value is theoretical, what happens if people quit believing?

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.