Singapore’s new contact tracing app, TraceTogether, which is being used as a preventive measure against the Covid-19 coronavirus in the city-state.
Catherine Lai | AFP via Getty Images
One of the most ambitious projects in Apple history launched in less than a month, and was driven by just a handful of employees.
In mid-March, with Covid-19 spreading to almost every country in the world, a small team at Apple started brainstorming how they could help. They knew that smartphones would be key to the global coronavirus response, particularly as countries started relaxing their shelter-in-place orders. To prepare for that, governments and private companies were building so-called “contact tracing” apps to monitor citizens’ movements and determine whether they might have come into contact with someone infected with the virus.
Within a few weeks, the Apple project — code-named “Bubble” — had dozens of employees working on it with executive-level support from two sponsors: Craig Federighi, a senior vice president of software engineering, and Jeff Williams, the company’s chief operating officer and de-facto head of healthcare. By the end of the month, Google had officially come on board, and about a week later, the companies’ two CEOs Tim Cook and Sundar Pichai met virtually to give their final vote of approval to the project.
That speed of development was highly unusual for Apple, a company obsessed with making its products perfect before releasing them to the world. Project Bubble also required that Apple join forces with its historic rival, Google, to co-develop technology that could be used by health authorities in countries around the world.
The software, which Apple and Google now refer to by the softer-sounding term “exposure notification” instead of “contact tracing,” is due to be released on May 1. In recent weeks, the employees have been working nights and weekends to incorporate external feedback. The companies still have their critics, but the transparency has helped them win over some unlikely supporters, including in countries like Germany where officials were initially reluctant to work with Big Tech.
CNBC spoke with five people familiar with the project to find out how it happened, from the earliest incarnations to the present day. The insiders declined to be named because they were not authorized by their companies to speak openly about the project.
Two approaches: Bluetooth vs GPS
Edouard Bugnion, a Swiss computer architect
Edouard Bugnion
Traditional contact tracing has been used to slow the spread of pandemics for years. It begins when a public health hears about an infected person and checks in with them to find out where they’ve been, and whom they might have come into contact with. A health official will then track down those people and suggest they get tested or socially isolate themselves.
Personal technology like cellphones can be used to facilitate digital contact tracing. A phone has various technologies that can be used to pinpoint where a user has been, and which other phones have come nearby, without requiring them to remember exactly where they were and who was nearby.
As the coronavirus pandemic took off, authorities turned to digital contact tracing as a possible way to help track and slow the spread of the disease without having to hire a large number of human tracers.
Some early contact tracing apps like Trace Together in Singapore used a phone’s Bluetooth signal, which has a range of about 30 feet, to figure out when two phones were near each other. Strong signals suggest that two people are very close, while weak ones suggest that they’re too far apart for there to be potential exposure (although experts like Ashkan Soltani, the former CTO for the Federal Trade Commission have warned it’s by no means a perfect system).
If a person was identified with coronavirus, they could let Singapore’s Ministry of Health look at the app data and notify other people who had been near them recently.
But there was a big usability problem.
On an iPhone, the app had to be running all the time in the foreground, or it stopped working. That meant that phones needed to remain unlocked — a nightmare scenario if they got stolen — and burned through battery life quickly. Apple App Store reviews for Trace Together included complaints from users that the app was preventing them from receiving notifications while they were out and about.
The alternative was to use GPS, which countries like China and South Korea had already leveraged to track exposure. But apps that tracked location draw immediate concern from privacy advocates. One human rights group went as far as to refer to the location-tracking apps in China as “automated tyranny.”
Involving Apple
On March 21, a Swiss engineering professor Edouard Bugnion reached out to Apple’s developer relations team to voice some of these concerns. Bugnion, the founding CTO of VMWare, recognized then that digital contact tracing apps would need Apple’s help to work well and preserve user privacy.
He wasn’t the only one. Within a day or two, these issues came to the attention of Apple’s Myoung Cha, who’s responsible for the business side of the company’s growing health team. Cha, a senior strategist for the company’s health care division, reports to the company’s COO, Jeff Williams.
Cha and a small team at Apple were already exploring methods of using smartphones for contact tracing. The early team included Ron Huang, who runs Apple’s location services group, and Dr. Guy “Bud” Tribble, a veteran Apple software vice president who is referred to internally as the “privacy czar.” Tribble, who is also a medical doctor, is known outside of Apple for speaking out in favor of federal privacy legislation, noting at a Senate hearing that in 2018 that privacy should be a human right.
Huang agreed to loop in a group of engineers who were willing to volunteer their time to the project. They included some of the company’s in-house cryptography experts, Yannick Sierra and Frederic Jacobs (Jacobs has been credited for helping create the secure messaging app Signal). The team began researching some of the protocols for electronic contact tracing already underway at the Massachusetts Institute of Techology and EPFL, a similarly well-regarded research university in Switzerland.
Their idea would be to use Bluetooth to track phones’ proximity without detailed location data, like the Singapore app — but in a way that wouldn’t require apps to be running all the time.
The Apple employees also favored decentralized approaches. The idea was that a phone belonging to a user who had tested positive would send anonymous alerts directly to other phones that it had been nearby, instead of uploading all this information to a government or other central authority. This would prevent governments from building a database with detailed location or proximity information.
The Apple team also believed any system would need to be “opt-in,” where the individual gives consent to share information with other phones.
Cha shared this thinking on a call with Bugnion on April 6. “It was very clear to me from day one that Apple wanted to ensure the highest level of privacy,” Bugnion recalled.
The team knew they needed to execute quickly. By then, public health officials in many countries were taking contact tracing seriously as a way to help end lockdowns quickly and safely.
A group of researchers from Oxford University had already seen promising results in an early study: “Our models show we can stop the epidemic if approximately 60% of the population use the app, and even with lower numbers of app users, we still estimate a reduction in the number of coronavirus cases and deaths,” noted Christophe Fraser, senior author of the latest report from Oxford University’s Nuffield Department of Medicine.
Bringing in Google
Dave Burke, vice president of engineering at Google, speaks about the new Google Nexus 6P during an event on Tuesday, Sept. 29, 2015, in San Francisco.
Tony Avelar | AP
Employees at Google were thinking through similar ideas.
The key employees taking the lead on the Google side included Yul Kwon, a senior director for the company and a former deputy chief privacy officer at Facebook (incidentally, Kwon is well known outside of Google as the winner of the 2006 show “Survivor: Cook Islands.”) Senior product manager Ronald Ho, who works on Bluetooth and connectivity efforts, was also heavily involved from the outset. Google had its own codename for the project, separate from Apple’s: “Apollo.”
Eventually, the team presented their ideas to Google’s vice president of Android, Dave Burke, who talked it through Apple’s Cha.
It wasn’t a foregone conclusion that the two companies, which have a long history of bitter competition in smartphones, would cooperate. Apple co-founder Steve Jobs was convinced that Android had been built to mimic Apple’s iOS, and the two companies had a bitter legal fight before settling their differences in 2014. Although they coexist more peacefully now, they’re still tough rivals, with the two dominant smartphone platforms in the world.
But in this case, they knew they had to come together. A system for exposure notification needed to be interoperable, otherwise there would be huge gaps in coverage.
The two companies couldn’t formally announce plans to work together until they got a green-light from their CEOs. So Apple CEO Tim Cook and Alphabet CEO Sundar Pichai hashed it out on a virtual meeting several days ahead of the official announcement on April 10th.
“Contact tracing can help slow the spread of COVID-19 and can be done without compromising user privacy,” Apple CEO Tim Cook tweeted triumphantly to announce the initiative.
The privacy stance
Getty Images
The joint solution is not an app. Rather, the companies have published an application programming interface — API — which is a set of specifications that public health organizations can tap into to build their own contact tracing apps.
Here’s how it works. Once Bluetooth is turned on and the user opts in, the phone sends anonymous little chirps that other phones can listen into. Critically, Apple’s API means the app can continue to send these chirps out even if it’s not running in the foreground at the time.
To ensure user privacy, the companies have lifted ideas from various open-source efforts like MIT’s PACT and Europe’s DP-3T. Google’s Burke has acknowledged that his team was specifically inspired by the work of DP-3T, nothing that he thought it “gives the best privacy preserving aspects of the contacts tracing service.”
One specific example inspired by DP-3T is the idea of using rotating codes, which involves the apps broadcasting a cryptographic key that changes randomly, while they monitor other nearby phones. Once the reports a Covid-19 diagnosis, the app will upload the cryptographic keys that were used to generate the codes from the past few weeks onto a server. Everyone else’s app downloads those keys, and looks for a match with one of the stored codes. If it finds one, the app will notify the users that they might have been exposed.
This allows the app to notify people who may have been exposed, without having to know their identities — or allowing those identities to be stored and tracked by any central authority.
“We are developing an app and system that could be deployed in Europe, and the world,” said Carmela Truncoso, a privacy researcher at EPFL and one of the key developers behind DP-3T. “That’s a lot of people. And we owe it to them to be transparent.”
The companies are increasingly making clear to the outside world is that their API isn’t a form of automated contact tracing that should be relied upon completely. Instead, it’s intended to support humans working at public health departments. Some countries are already on board with that, including Germany, Estonia, Singapore, and Switzerland. Others, like the U.K. and France, are still considering a more centralized approach. In the U.S., states are still largely taking their own approaches.
Going forward, there are still some major question marks about the potential for fraud and abuse. And the companies will need to address how they plan to vet the apps built on top of these APIs to ensure that these developers will not exploit any privacy vulnerabilities.
But Marcel Salathé, a prominent Swiss researcher and epidemiologist, noted on Twitter last week that he is surprised to see two tech companies take privacy so seriously, while some governments advocate for more intrusive approaches.
“I’ve made a few correct predictions about Covid,” he tweeted. “But I would not in a 100 years have predicted this: U.S. tech companies provide a privacy-preserving framework to do digital contact tracing, and some European countries are lobbying them to lower the standards.”
The federal government is ordering the dissolution of TikTok’s Canadian business after a national security review of the Chinese company behind the social media platform, but stopped short of ordering people to stay off the app.
Industry Minister François-Philippe Champagne announced the government’s “wind up” demand Wednesday, saying it is meant to address “risks” related to ByteDance Ltd.’s establishment of TikTok Technology Canada Inc.
“The decision was based on the information and evidence collected over the course of the review and on the advice of Canada’s security and intelligence community and other government partners,” he said in a statement.
The announcement added that the government is not blocking Canadians’ access to the TikTok application or their ability to create content.
However, it urged people to “adopt good cybersecurity practices and assess the possible risks of using social media platforms and applications, including how their information is likely to be protected, managed, used and shared by foreign actors, as well as to be aware of which country’s laws apply.”
Champagne’s office did not immediately respond to a request for comment seeking details about what evidence led to the government’s dissolution demand, how long ByteDance has to comply and why the app is not being banned.
A TikTok spokesperson said in a statement that the shutdown of its Canadian offices will mean the loss of hundreds of well-paying local jobs.
“We will challenge this order in court,” the spokesperson said.
“The TikTok platform will remain available for creators to find an audience, explore new interests and for businesses to thrive.”
The federal Liberals ordered a national security review of TikTok in September 2023, but it was not public knowledge until The Canadian Press reported in March that it was investigating the company.
At the time, it said the review was based on the expansion of a business, which it said constituted the establishment of a new Canadian entity. It declined to provide any further details about what expansion it was reviewing.
A government database showed a notification of new business from TikTok in June 2023. It said Network Sense Ventures Ltd. in Toronto and Vancouver would engage in “marketing, advertising, and content/creator development activities in relation to the use of the TikTok app in Canada.”
Even before the review, ByteDance and TikTok were lightning rod for privacy and safety concerns because Chinese national security laws compel organizations in the country to assist with intelligence gathering.
Such concerns led the U.S. House of Representatives to pass a bill in March designed to ban TikTok unless its China-based owner sells its stake in the business.
Champagne’s office has maintained Canada’s review was not related to the U.S. bill, which has yet to pass.
Canada’s review was carried out through the Investment Canada Act, which allows the government to investigate any foreign investment with potential to might harm national security.
While cabinet can make investors sell parts of the business or shares, Champagne has said the act doesn’t allow him to disclose details of the review.
Wednesday’s dissolution order was made in accordance with the act.
The federal government banned TikTok from its mobile devices in February 2023 following the launch of an investigation into the company by federal and provincial privacy commissioners.
— With files from Anja Karadeglija in Ottawa
This report by The Canadian Press was first published Nov. 6, 2024.
LONDON (AP) — Most people have accumulated a pile of data — selfies, emails, videos and more — on their social media and digital accounts over their lifetimes. What happens to it when we die?
It’s wise to draft a will spelling out who inherits your physical assets after you’re gone, but don’t forget to take care of your digital estate too. Friends and family might treasure files and posts you’ve left behind, but they could get lost in digital purgatory after you pass away unless you take some simple steps.
Here’s how you can prepare your digital life for your survivors:
Apple
The iPhone maker lets you nominate a “ legacy contact ” who can access your Apple account’s data after you die. The company says it’s a secure way to give trusted people access to photos, files and messages. To set it up you’ll need an Apple device with a fairly recent operating system — iPhones and iPads need iOS or iPadOS 15.2 and MacBooks needs macOS Monterey 12.1.
For iPhones, go to settings, tap Sign-in & Security and then Legacy Contact. You can name one or more people, and they don’t need an Apple ID or device.
You’ll have to share an access key with your contact. It can be a digital version sent electronically, or you can print a copy or save it as a screenshot or PDF.
Take note that there are some types of files you won’t be able to pass on — including digital rights-protected music, movies and passwords stored in Apple’s password manager. Legacy contacts can only access a deceased user’s account for three years before Apple deletes the account.
Google
Google takes a different approach with its Inactive Account Manager, which allows you to share your data with someone if it notices that you’ve stopped using your account.
When setting it up, you need to decide how long Google should wait — from three to 18 months — before considering your account inactive. Once that time is up, Google can notify up to 10 people.
You can write a message informing them you’ve stopped using the account, and, optionally, include a link to download your data. You can choose what types of data they can access — including emails, photos, calendar entries and YouTube videos.
There’s also an option to automatically delete your account after three months of inactivity, so your contacts will have to download any data before that deadline.
Facebook and Instagram
Some social media platforms can preserve accounts for people who have died so that friends and family can honor their memories.
When users of Facebook or Instagram die, parent company Meta says it can memorialize the account if it gets a “valid request” from a friend or family member. Requests can be submitted through an online form.
The social media company strongly recommends Facebook users add a legacy contact to look after their memorial accounts. Legacy contacts can do things like respond to new friend requests and update pinned posts, but they can’t read private messages or remove or alter previous posts. You can only choose one person, who also has to have a Facebook account.
You can also ask Facebook or Instagram to delete a deceased user’s account if you’re a close family member or an executor. You’ll need to send in documents like a death certificate.
TikTok
The video-sharing platform says that if a user has died, people can submit a request to memorialize the account through the settings menu. Go to the Report a Problem section, then Account and profile, then Manage account, where you can report a deceased user.
Once an account has been memorialized, it will be labeled “Remembering.” No one will be able to log into the account, which prevents anyone from editing the profile or using the account to post new content or send messages.
X
It’s not possible to nominate a legacy contact on Elon Musk’s social media site. But family members or an authorized person can submit a request to deactivate a deceased user’s account.
Passwords
Besides the major online services, you’ll probably have dozens if not hundreds of other digital accounts that your survivors might need to access. You could just write all your login credentials down in a notebook and put it somewhere safe. But making a physical copy presents its own vulnerabilities. What if you lose track of it? What if someone finds it?
Instead, consider a password manager that has an emergency access feature. Password managers are digital vaults that you can use to store all your credentials. Some, like Keeper,Bitwarden and NordPass, allow users to nominate one or more trusted contacts who can access their keys in case of an emergency such as a death.
But there are a few catches: Those contacts also need to use the same password manager and you might have to pay for the service.
___
Is there a tech challenge you need help figuring out? Write to us at onetechtip@ap.org with your questions.
LONDON (AP) — Britain’s competition watchdog said Thursday it’s opening a formal investigation into Google’s partnership with artificial intelligence startup Anthropic.
The Competition and Markets Authority said it has “sufficient information” to launch an initial probe after it sought input earlier this year on whether the deal would stifle competition.
The CMA has until Dec. 19 to decide whether to approve the deal or escalate its investigation.
“Google is committed to building the most open and innovative AI ecosystem in the world,” the company said. “Anthropic is free to use multiple cloud providers and does, and we don’t demand exclusive tech rights.”
San Francisco-based Anthropic was founded in 2021 by siblings Dario and Daniela Amodei, who previously worked at ChatGPT maker OpenAI. The company has focused on increasing the safety and reliability of AI models. Google reportedly agreed last year to make a multibillion-dollar investment in Anthropic, which has a popular chatbot named Claude.
Anthropic said it’s cooperating with the regulator and will provide “the complete picture about Google’s investment and our commercial collaboration.”
“We are an independent company and none of our strategic partnerships or investor relationships diminish the independence of our corporate governance or our freedom to partner with others,” it said in a statement.
The U.K. regulator has been scrutinizing a raft of AI deals as investment money floods into the industry to capitalize on the artificial intelligence boom. Last month it cleared Anthropic’s $4 billion deal with Amazon and it has also signed off on Microsoft’s deals with two other AI startups, Inflection and Mistral.