Apple last week sent a letter to a group of U.S. senators who had questioned the privacy and security of the COVID-19 app and website that Apple designed in partnership with the CDC, the White House Coronavirus Task Force, and FEMA.
In the letter [PDF], published on Friday and highlighted today by Bloomberg, Apple provided specific answers to each of the questions the senators had asked, and clarified that the app and website were built with privacy as a priority.
Consistent with Apple's strong dedication to user privacy, the COVID-19 app and website were built to protect the privacy and security of users' data. As you note, use of the tools do not require a sign-in or association with a user's Apple ID, and users' individual responses are not sent to Apple or any government organization. Access to important information and guidance regarding individual health or the health of a loved one should not require individuals to compromise their privacy rights. Rather, it is in times like these, that our commitment to protecting those rights is most important. Our COVID-19 app and website were designed with that in mind.
The senators asked for specific details on Apple's agreements with the federal government and/or state governments, with Apple clarifying that Apple entered into an agreement with HHS through the Office of the Assistant Secretary of Health and the CDC for the development of the website.
Strong privacy terms were included, such as express consent required for any data transfer, the aggregation and de-identification of any information received by the CDC, and an agreement that any information obtained by the app is strictly to be used for improving the COVID-19 Triage Tools that are included.
The letter clarifies that the app and the screening site are not covered or subject to HIPAA laws in the United States as no health insurance companies or health care providers are privy to the information.
Apple says it does not collect any information entered into the website or the app, and applies the same data minimization principles to the COVID-19 tool as it does to other products. The only data that is stored is data necessary to support the operation of the app, which includes non-personally identifiable analytics information regarding the use of the website and app, such as total number of visits, whether crashes have occurred, and whether the screener tool has been started, canceled, or completed.
Apple confirmed that it commits to refrain from using data collected on the website and app for commercial purposes, and will never sell information to third-parties. Apple's full letter to the U.S. senators can be read on the web for those interested.
The COVID-19 app and website have been available since late March, and Apple recently improved both tools with links to state guidelines and self-care information. Apple late last week also announced a new partnership with Google that will see the two tech companies developing a privacy-focused opt-in contact tracing tool that will be added to iPhone and Android smartphones.
