Who governs? Platform privilege, contact tracing and APIs.

29 April 2020

Apple and Google have, through the design of their contact tracing APIs, removed choices from democratic governments seeking to respond to the COVID-19 crisis. If (if) a centralised model will lead to better public health outcomes (and some people are a making the case that it is) then their design choices have made this harder. As Peter Wells points out, in creating an arbitrary limit of one-app-per-country, they have also removed the ability to meet different types of need (for example, an app for NHS workers where they can use check-in type design pattern to register that they are on a non-COVID ward, or record the PPE that they are wearing).

This is policymaking by API design. It also represents a new type of technology exceptionalism: not that technology must be the answer, but that the most pressing problem to solve is one of data privacy, rather than efficacy. Efficacy gets to play in the space demarcated by the APIs.

It’s easy to see why they have taken this approach. Government’s abuse their power. iOS and Android are global platforms, and their APIs will be used in a range of political circumstances. Google and Apple are also both American companies, so if they were not, unconsciously, calibrating their response to the risks of their own country’s political and healthcare systems, I’d be surprised.

The UK has a centralised, publicly owned, democratically accountable healthcare system. There are precedents for centrally held healthcare systems, and Public Health England has shown it can be very vocal when there are attempts to use health-related data for immigration purposes. There are also technologists working in government who can help shape policy.

That’s not for a second to say there is no risk of unethical use of data the UK. There is also more that can be done to increase the transparency of the UK app in addition to the welcome open-sourcing of part of the system (something that as far as I can tell, Apple and Google have not done). But it seems like a statement of the obvious that different countries will have different risk profiles and circumstances. So why shouldn’t we, as a country, get to choose?


For the record, I’d much prefer a decentralised model if it can be shown to meet the needs of the public, both directly as users, and indirectly through public health officials. But that is not the point of this blog post.