Over the past few months, millions received the option to receive "Exposure Notifications " through Apple or Google. The technology took off: millions of individuals downloaded applications or opted-in to exposure notifications. The Bluetooth Low Energy technology that powers the system, the privacy-by-design of the system and the increase in privacy-centric marketing demonstrate how the COVID-19 pandemic has increased awareness of potential privacy harms while providing a roadmap for the rollout of future technologies.
What are exposure notification alerts?
The Google/Apple Exposure Notifications system is a joint venture to help track and trace the spread of COVID-19 while preserving individual privacy. The tech giants began working together on the GAEN project in May 2020. Formerly called “Privacy-Preserving Contact Tracing,” it has been pitched to “governments and health authorities” to help speed up the manual contact tracing process and provide more accurate information about close contacts than an individual may remember.
How do exposure notifications work?
Bluetooth Low Energy powers the Exposure Notifications. Unlike traditional Bluetooth, BLE does not use as much power and does not drain a phone battery as quickly due to its less frequent broadcasts. The Exposure Notification alerts work when a phone is both opted in and Bluetooth is activated. A BLE signal from one phone pings against nearby phones that are also opted into the Exposure Notifications system.
Privacy is preserved because the identifier in the broadcasted Bluetooth signal is temporary and changes every 15 minutes to avoid wireless tracking. A temporary exposure key also changes every 24 hours to preserve privacy.
Privacy considerations
The GAEN system appears to be quite secure. The system is voluntary, anonymous, and turned on through an opt-in consent mechanism. The applications can be uninstalled or users can opt-out easily by toggling over a button in a phone’s settings. Furthermore, the system only stores information on the phone itself, and location data is not shared with Apple, Google, or the public health authority.
Regarding alerts of positive COVID-19 cases, an anonymous notification will be triggered on a user’s phone if it has been within six feet of the infected individual’s phone for more than 15 minutes.
Even though Apple and Google have created the system with privacy-by-design in mind, there are still some privacy issues of which users should be aware.
For example, applications that use the GAEN system can create metadata and, as the Brennan Center for Justice points out, “[t]he default setting is generally that users consent to share metadata, such as information about app installation, deletion, and crashing, with state servers, presumably to assist with technical support.” Thus, even where the system is built with privacy in mind, the metadata revealed by default is potentially problematic in that it can expose IP addresses or connect a real person with the anonymous rotating BLE signal. Metadata may also potentially reveal a phone’s location.
Additionally, there is always the chance that individuals can figure out which person has exposed them to COVID-19 if the alerted individual only saw a handful of others in the prior week or two.
Still, Apple and Google have focused on “privacy, transparency, and consent.” The emphasis on important privacy concepts like transparency and consent in their marketing campaigns appears designed to both assure users that privacy is important in exposure notification efforts while also highlighting how it has become a concept used as a marketing tactic.
Marketing privacy
It is possible that part of the comparative popularity behind the BLE-powered Exposure Notifications system is the fact that so much of the marketing for the applications focused on privacy.
The marketing of the Exposure Notification Alerts was likely privacy-heavy to gain the trust of potential users. A robust user base is necessary for exposure apps and tracking apps to function properly; without many users, the app is not effective. One study showed that contract tracing can slow the pandemic if between 60% and 70% of a given population uses contact tracing. However, getting to the 60% to 70% threshold has been a difficult task as many people have expressed reservations about using a contact tracing app. Many reservations stem from potential privacy pitfalls of the systems. As the ACLU’s surveillance and cybersecurity counsel, Jennifer Granick, said, “[p]eople will only trust these systems if they protect privacy, remain voluntary, and store data on an individual’s device, not a centralized repository.”
Overall, the popularity and consumer willingness to use the GAEN system after privacy-heavy marketing demonstrates that consumers do care about privacy harms and may be more willing to use a product or service if privacy is addressed upfront. The lessons privacy professionals may glean from the marketing of the GAEN system is that transparency about privacy practices attract consumers and foster trust in a system if the system is privacy-preserving. Future technologies can follow the GAEN roadmap by considering using “privacy” in the name of the tool or service (GAEN was originally called Privacy-Preserving Contact Tracing), utilizing publicly facing transparent privacy practices, and touting privacy protections as a key feature.
Additional research has shown that individuals hesitate to trust how both the government and unknown tech companies will use or share data. Individuals are more likely to use tracing products from a larger, well-known company over an unknown company. In particular, well-known tech companies like Google and Apple already make apps that exist on users’ phones, which, in turn, likely makes the user feel safer about Google and Apple’s ability to make a functional app and one that protects a user.
To gain trust to get more individuals to opt-in to the GAEN system, the marketing for Exposure Notification Alerts was two-fold: from the government and from Apple/Google. States specifically highlighted how the usage of Apple and Google’s system was privacy-protecting. California, for example, included graphics on its website to show what is not collected by the system. Similarly, in Maryland, the first section of the state’s COVID Alerts website is information about privacy, before the website even describes how the system works.
Privacy has become the core of Exposure Notification Alerts branding because many consumers have become more mindful of their privacy online and the privacy practices of the companies they use; some believe that how a company treats their data is “indicative of the way they will be treated as a customer.” Consumers are clearly concerned about what type of data will be collected, stored, and used, and both governments and tech companies supplying COVID tracing systems want to make sure the privacy concerns are alleviated to get more users, who will make the system robust enough to work.
The popularity of the GAEN system, with millions of users opted-in, suggests that the strategy of highlighting privacy protections worked to attract users to opt-in. Businesses could use the same privacy-heavy marketing campaign used in marketing the GAEN system to market other privacy-by-design products. The GAEN system’s use of privacy as the core of the marketing strategy may provide a blueprint for marketers aiming to yield large future campaigns
The American Marketing Association has suggested that marketers “be open about… privacy and security measures.” The American Marketing Association suggested making privacy and security stances public and explain data handling measures to “buil[d] trust with customers.” Consumers may expect increased information about exactly where and how data is being used. They also foresee the pandemic as a catalyst that pushes marketers to build a “privacy culture” that uses an emphasis on privacy as a “differentiating factor” from other competitors.
Conclusion
Ultimately, Apple and Google’s joint effort, the GAEN system, was designed with privacy in mind and is a privacy-preserving, decentralized, and anonymous way to notify others of potential COVID-19 exposures. Although BLE technology has been around, it continues to be used in new and innovative ways. Unexpected events, like the COVID-19 pandemic, may also push new applications for BLE technology. While there are potential shortcomings with the technology, including the potential for not recognizing the actual distance between two phones, future applications of this technology may be of interest to privacy professionals, who may want to investigate how BLE could be used in marketing and internet-connected smart devices.
Privacy-centric marketing may also continue to take center stage. Privacy has become a true consideration for many who may download an exposure notification app or opt-in to the system. It has also become a competitive advantage for companies who create products and services with privacy by design. Ultimately, privacy may continue to experience a higher profile in marketing as consumers become more aware of data collection and tracking. Transparency and trust may still see time in the spotlight, and even grow, as issues highlighted by marketers as an advantage for consumers continue to be at the forefront, especially in marketing targeting COVID-19 apps.
Photo by Sigmund on Unsplash